[Rpm-maint] [rpm-software-management/rpm] New RPM doesn't like Amazon Linux 2023 signing key (Issue #2680)

Benjamin Herrenschmidt notifications at github.com
Thu Sep 28 05:57:16 UTC 2023


The Amazon Linux 2023 signing key upsets newer RPMs (such as in Fedora 38). The key can be found here:

https://raw.githubusercontent.com/xsuchy/distribution-gpg-keys/main/keys/amazon-linux/RPM-GPG-KEY-amazon-linux-2023

sq seems to like it enough:

```
sq inspect RPM-GPG-KEY-amazon-linux-2023
RPM-GPG-KEY-amazon-linux-2023: OpenPGP Certificate.

    Fingerprint: B21C50FA44A99720EAA72F7FE951904AD832C631
Public-key algo: RSA (Encrypt or Sign)
Public-key size: 4096 bits
  Creation time: 2022-12-08 16:14:49 UTC

         UserID: Amazon Linux <amazon-linux at amazon.com>
```

But trying to import it results in:

```
$ sudo rpm --import RPM-GPG-KEY-amazon-linux-2023 
warning: Certificate E951904AD832C631:
  Certificate does not have any usable signing keys
```

and `rpm` also refuses to open any Amazon Linux 2023 packages (which effectively breaks using `mkosi`, to which I'm trying to add AL2023 support, from a recent Fedora or even Ubuntu):

```
$ rpm -qpi bash-5.2.15-1.amzn2023.0.2.x86_64.rpm 
error: Verifying a signature using certificate B21C50FA44A99720EAA72F7FE951904AD832C631 (Amazon Linux <amazon-linux at amazon.com>):
  Key E951904AD832C631 invalid: not signing capable
error: bash-5.2.15-1.amzn2023.0.2.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d832c631: BAD
error: bash-5.2.15-1.amzn2023.0.2.x86_64.rpm: not an rpm package (or package manifest)
```
This RPM can be obtained here:

https://cdn.amazonlinux.com/al2023/core/guids/9cf1057036ef7d615de550a658447fad88617805da0cfc9b854ba0fb8a668466/x86_64/../../../../blobstore/7788b494301e4b43761962716e25f799cf4411e74e472772714a58e7dc08f1b4/bash-5.2.15-1.amzn2023.0.2.x86_64.rpm

The RPMs are signed using a custom internal solution, so we might have an issue with our signature format, but I am concerned that the key itself already seems to upset rpm.

I'm not a PGP expert, so any advice here would be welcome. Unfortunately I don't see any way for us to replace the key and re-sign all our packages :-(

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2680

Message ID: <rpm-software-management/rpm/issues/2680 at github.com>
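As an added illustration (not code from the issue, rpm or Sequoia): a small Python walker over an OpenPGP packet stream that reports the key flags each self-signature declares, which is the information behind the "not signing capable" and "does not have any usable signing keys" messages above. It is deliberately simplified: it reads hashed key-flags subpackets only and ignores signature validity, expiry and revocation, which rpm's real check also considers. Input is the binary (dearmored) form of a RPM-GPG-KEY-* file; the two sample certificates are constructed here with dummy key material.

```python
KEY_FLAGS = 27                               # signature subpacket type, RFC 4880 5.2.3.21
FLAG_CERTIFY, FLAG_SIGN, FLAG_ENCRYPT = 0x01, 0x02, 0x0C

def _pkt_header(buf, i):
    """Return (tag, body_start, body_len) for the packet starting at offset i."""
    b = buf[i]
    if b & 0x40:                                         # new-format header
        tag, l0 = b & 0x3F, buf[i + 1]
        if l0 < 192:  return tag, i + 2, l0
        if l0 < 224:  return tag, i + 3, ((l0 - 192) << 8) + buf[i + 2] + 192
        if l0 == 255: return tag, i + 6, int.from_bytes(buf[i + 2:i + 6], "big")
        raise ValueError("partial body lengths do not occur in key files")
    tag, n = (b >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[b & 3]  # old-format header (indeterminate length raises)
    return tag, i + 1 + n, int.from_bytes(buf[i + 1:i + 1 + n], "big")

def _subpackets(data, i=0):                  # yield (type, body) for each signature subpacket
    while i < len(data):
        l0 = data[i]
        if l0 < 192:   n, i = l0, i + 1
        elif l0 < 255: n, i = ((l0 - 192) << 8) + data[i + 1] + 192, i + 2
        else:          n, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        yield data[i] & 0x7F, data[i + 1:i + n]          # n counts the type octet
        i += n

def key_capabilities(pkts):
    """Map 'primary' / 'subkeyN' to the key flags its self-signature declares: a subkey
    binding signature (0x18) describes the subkey packet just before it, any other type the primary."""
    caps, current, nsub, i = {}, "primary", 0, 0
    while i < len(pkts):
        tag, start, n = _pkt_header(pkts, i)
        body, i = pkts[start:start + n], start + n
        if tag == 14:                                    # public-subkey packet
            nsub += 1; current = f"subkey{nsub}"
        elif tag == 2 and body[0] == 4:                  # v4 signature packet
            target = current if body[1] == 0x18 else "primary"
            hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
            for sp_type, sp in _subpackets(hashed):
                if sp_type == KEY_FLAGS and sp:
                    caps[target] = caps.get(target, 0) | sp[0]
    return caps

def has_signing_key(pkts):                   # the question behind rpm's message
    return any(flags & FLAG_SIGN for flags in key_capabilities(pkts).values())

# Constructed sample certificates with dummy key material (not real keys).
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _sig(sig_type, flags):                   # v4 signature carrying one key-flags subpacket
    hashed = bytes([2, KEY_FLAGS, flags])
    return _pkt(2, bytes([4, sig_type, 1, 10, 0, len(hashed)]) + hashed + b"\x00\x00\xde\xad\x00\x08\x80")
_RSA = b"\x04\x63\x92\x0e\x69\x01\x00\x08\x80\x00\x11\x01\x00\x01"   # v4, RSA, tiny dummy MPIs
ENCRYPT_ONLY = (_pkt(6, _RSA) + _pkt(13, b"test <test at example.invalid>")
                + _sig(0x13, FLAG_CERTIFY | FLAG_ENCRYPT))           # primary key: certify + encrypt only
WITH_SIGNING_SUBKEY = ENCRYPT_ONLY + _pkt(14, _RSA) + _sig(0x18, FLAG_SIGN)
```

Run `key_capabilities()` on the dearmored bytes of a real key file to see which flags each key carries; a certificate whose every key lacks bit 0x02 is what the `rpm --import` warning above is describing.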