Problems with signatures on CentOS5
Panu Matilainen
pmatilai at laiskiainen.org
Wed Mar 12 06:20:46 UTC 2014
On 03/12/2014 12:54 AM, Martín Marqués wrote:
> 2014-03-11 17:18 GMT-03:00 Panu Matilainen <pmatilai at laiskiainen.org>:
>> On 03/11/2014 09:18 PM, Martín Marqués wrote:
>>>
>>> I'm recompiling some packages for CentOS (actually CentOS or RHEL) 5
>>> and 6, and it's the first time I sign them with gpg. Everything worked
>>> fine until I have to install them via yum (worked on EL6 but not on
>>> EL5). I've already fixed %__gpg_sign_cmd to use --force-v3-sigs, but I
>>> get the same error.
>>>
>>> The packages are signed with the company's gpg key using:
>>>
>>> $ rpm --resign *.rpm
>>>
>>> My .rpmmacros looks like this:
>>>
>>> %_signature gpg
>>> %_gpg_name My Key To Sign
>>> %__gpg_sign_cmd %{__gpg} \
>>> gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose
>>> --no-armor \
>>> --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
>>> -sbo %{__signature_filename} %{__plaintext_filename}
>>>
>>> I did the same procedure for EL5 and EL6 repositories. But only on
>>> CentOS 6 rpms get installed with yum, while on CentOS 5 the signature
>>> fails, but it's not clear to me in which way.
>>>
>>> From yum I get errors like this (key is hidden):
>>>
>>> error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: BAD, key ID
>>> xxxxxxx
>>>
>>> Checking on the packages downloaded I get similar errors:
>>>
>>> $ rpm --checksig MyRPMPackage-0.0.1-1.el5.x86_64.rpm
>>> MyRPMPackage-0.0.1-1.el5.x86_64.rpm: RSA sha1 MD5 PGP md5 NOT OK
>>>
>>> What am I doing wrong here?
>>
>>
>> Probably nothing, technically speaking. Its just that support for RSA
>> signatures is hopelessly buggy in rpm 4.4.x. Key larger than 1024bit is one
>> possible cause of the problem.
>>
>> Me, I wouldn't bother fighting it. DSA signatures are far more hasslefree on
>> that version.
>
> Switched to DSA (I created a subkey of the original) and now I get:
>
> error: Unsupported PGP signature
>
> What does that mean? Did I miss something when creating the subkey?
It means gpg signed successfully but rpm doesn't understand the result,
which can happen as gpg supports all sorts of things rpm does not.
My guess is the key is > 1024 which wont work with DSA either. On
RHEL/Centos 5 gpg doesn't even support larger DSA keys, whereas on
RHEL-6 2048 is the default.
- Panu -
More information about the Rpm-list
mailing list