Signing rpms with gpg

arizonagroovejet · 06-03-2009, 09:55 AM

I'm having terrible trouble getting signing rpms with gpg to work. I've got a gpg key:

Code:

$ gpg --list-keys
/home/bob/.gnupg/pubring.gpg
----------------------------
pub   2048R/D2787DFA 2009-06-03
uid                  Bob the (rpm) Builder

I've got an ~/.rpmmacros file

Code:

$ cat ~/.rpmmacros
%_topdir      /home/bob/rpmbuild
%_tmppath     /home/bob/rpmbuild/tmp
%_signature gpg
%_gpg_name Bob the (rpm) Builder

I've told rpm about the key:

Code:

$ rpm  -q gpg-pubkey | grep -i D2787DFA
gpg-pubkey-d2787dfa-4a26706f

If I build an rpm all appears well:

Code:

$ rpm -ba --sign whatever.spec
Enter pass phrase:
Pass phrase is good.
Executing(%prep): /bin/sh -e /home/bob/rpmbuild/tmp/rpm-tmp.63714
[ USUAL RPM BUILD BLAH ]
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/bob/rpmbuild/tmp/whatever-1.0-build
Generating signature: 1005
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened
Wrote: /home/bob/rpmbuild/SRPMS/d
Wrote: /home/bob/rpmbuild/RPMS/noarch/whatever-1.0-0.src.rpm
Generating signature: 1005
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened
Wrote: /home/bob/rpmbuild/RPMS/noarch/whatever-1.0-0.noarch.rpm
Executing(%clean): /bin/sh -e /home/bob/rpmbuild/tmp/rpm-tmp.80814
+ umask 022
+ cd /home/bob/rpmbuild/BUILD
+ cd whatever
+ rm -rf /home/bob/rpmbuild/tmp/whatever-1.0-build
+ rm -rf /home/bob/rpmbuild/tmp/whatever
+ rm -rf /home/bob/rpmbuild/BUILD/whatever
+ exit 0

Except that gpg WARNING, but far as I can tell that's nothing to worry about.

Now I check the signature:

Code:

rpm --checksig -vvv /home/bob/rpmbuild/RPMS/noarch/whatever-1.0-0.noarch.rpm
D: Expected size:         3971 = lead(96)+sigs(784)+pad(0)+data(3091)
D:   Actual size:         3971
/home/bob/rpmbuild/RPMS/noarch/whatever-1.0-0.noarch.rpm:
    Header V4 RSA/SHA1 signature: BAD, key ID d2787dfa
    Header SHA1 digest: OK (9c4ddeb8cabd0448f983719bb47577e21fae5664)
    V4 RSA/SHA1 signature: BAD, key ID d2787dfa
    MD5 digest: OK (314e87fac2db2887b7dbe0811eb074ed)
D: May free Score board((nil))

and I'm told it's BAD. Zypper also refuses to install the resulting rpm.

Code:

Installation of whatever-1.0-0 failed:
(with --nodeps --force) Error: Subprocess failed. Error: RPM failed: error: /var/cache/zypp/packages/my_repo/noarch/whatever-1.0-0.noarch.rpm: Header V4 RSA/SHA1 signature: BAD, key ID d2787dfa

I've read a bunch of guides and totally failed to workout what I'm doing wrong.

unSpawn · 06-03-2009, 10:37 AM

Check RH bugzilla #436812 from post #9 on?

arizonagroovejet · 06-04-2009, 07:56 AM

Quote:

Originally Posted by unSpawn

Check RH bugzilla #436812 from post #9 on?

I'm not much the wiser for having done so beyond getting the impression that something about rpm and signatures is broken.

unSpawn · 06-04-2009, 09:47 AM

V3 ones work. Only V4 signatures appear b0rken.

arizonagroovejet · 07-20-2009, 08:25 AM

I just realised I never posted how I sorted this out.

I made a gpg wrapper script /home/bob/bin/gpg

Code:

#! /bin/bash
exec /usr/bin/gpg --force-v3-sigs  "$@"

and then put this in ~/.rpmmacros:

Code:

%__gpg /home/bob/bin/gpg

unSpawn · 07-20-2009, 09:20 AM

Thanks for confirming wrt V3 vs V4 & posting back your GnuPG workaround.