Re-signing RPM v3 packages
Hi.
We're running RHN Satellite server to host RPMs for our RHEL servers,
and have created our own GPG key to sign any third-party RPMs that we
want to upload to the Satellite server.
As most vendors seem to ship their RPMs signed with RPM v3 signatures,
we can't re-sign them with our own RPM v4 GPG key signature without
corrupting the RPM.
To overcome this we could install RPM v3 from source and use that to
sign our third-party RPMs. As this software has dependencies on other
really old software (such as Berkeley DB 1.85), it doesn't seem like the
best option. Is there any other way to re-sign RPM v3 packages,
without having to install RPM v3 (with all its dependencies), or
without actually having to install an old RPM-based distro that ships
with RPM v3?
Greetings,
kenneho
PS: I posted this on a Red Hat mailing list first, but posted it here since I didn't get any replies.