Friday, 2 December 2011

CentOS 6 rpm sign issue (V4 signature is used by default)

Well, the problem I'm going to write about is known and the appropriate bug-reports exists. But I didn't found the proper threads on at the first pages of search results while googling by the error messages. So, I hope, this post will help somebody to find out what is happening when "rpm --checksig" returns "Header V3 DSA signature: OK, key ID xxxxxxxx" when "signature: OK" is expected.

I faced the problem when was deploying a Spacewalk server. I choose CentOS 6.0 to be the OS on that server and I was simply following install instructions (many thanks to the Spacewalk community, it was really easy to install the server) until I tried to create a custom Software Channel for some individual packages.

In fact, instructions about how to sign RPMs is the same on most of the howto pages... let's remind them (simple version):

gpg --gen-key

gpg --export -a XXXXXXX > RPM-GPG-KEY-Mycompany

put to ~/.rpmmacros:
%_signature gpg
%_gpg_name XXXXXXXX

and then just use:

rpm --resign some-package.rpm

On the client system it's enough to get the public key and import it by rpm command:

rpm --import /path/to/RPM-GPG-KEY-Mycompany

This was a very simplified recipe without expected outputs, but if everything is going  well there shouldn't be any unexpected questions.

After all is done, rpm --checksign some-package.rpm should return something like that:
some-package.rpm: rsa sha1 (md5) pgp md5 OK

And it was like that on the CentOS 6 server... But when I tried to install the package via yum on CentOS 5.7, I've received the following error:

error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature: BAD, key ID XXXXXXXX

And rpm -v --checksig some-package.rpm was returning:

    Header V4 RSA/SHA1 signature: BAD, key ID xxxxxxxx
    Header SHA1 digest: OK (835b77fb70d2a6075c428b9eb57bbfcdc2a0d1ce)
    V4 RSA/SHA1 signature: BAD, key ID xxxxxxxx
    MD5 digest: OK (ede2464b724b0bafef0db4a53c02c1d0)
More weird thing, is that when I sign it with the same key on CentOS 5.7 the rpm was OK.
It was my first time signing the RPMs, so I have spent some time while found out the difference from the package with proper signature:

$ rpm -v --checksig rpmforge-release-0.5.1-1.el5.rf.i386.rpm
    Header V3 DSA signature: OK, key ID 6b8d79e6
    Header SHA1 digest: OK (56871fe945ed2b2c868430b0002bb47dc129e981)
    MD5 digest: OK (69c4cbf8229ba4b319d58f99ddebddf3)
    V3 DSA signature: OK, key ID 6b8d79e6

So, with that insight I found an old bug with a description how to force GPG signature version to v3. To do that your ~/.rpmmacros should look like this:

%_signature gpg
%_gpg_name  XXXXXXXX
%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

Seems like the "rpm --resign" command  uses GPG signature V4 by default, despite to the following text in rpm manual page:

For compatibility with older versions of GPG, PGP, and rpm, only V3 OpenPGP signature packets should be configured.  Either DSA or RSA  verification algorithms can be used, but DSA is preferred.

Hope this helps...