Re: Signing packages on RH73 and RH9 results in other output

[Jeff Johnson <n3npq nc rr com>]

Dag Wieers wrote:

> Hi,
>
> I guess this is yet another issue that nobody really cares about, but what 
> the heck, just for the record.
>  

Hmmm, I care.

> If you sign a set of packages (RH62, RH73, RH80 and RH9) on a RH73 and you 
> do the same on a identical copy on RH9 (of course with the same key). Your 
> packages will not be the same anymore.
>  

"same" details please. And version of rpm used for signing.

> They still seem to work though (at least the RH73 signed ones work on RH9) 
> but there's no way that you can do this and hope that you can just rsync 
> without it redoing all the files.
>  

All signatures are different. Since in package, yes, rsync will notice.

> If you then think to be clever (ha!) to build a rpm-4.2-1 for RH73 and 
> --resign them, don't bother as there is no way you can (re)sign them with 
> the same key, let alone remove an existing signature.
>  

Not true, but depends on key and version of rpm used to sign.

> This also bit me tonight and well, caused me a lot of grief. It's not been 
> my lucky RPM week, that's for sure.
>  

FInd me on irc and I'll walk you through what you need to do.

The underlying issue(s) are:
   a) transitioning between header+payload and header-only signatures.
   b) using beecrypt, not gpg, for signature verification.
   c) changes wrto --addsign/--resign, they behave identically now, 
didn't always.
   d) always verifying signature/digest if possible.

Yes there are different behaviors, because there are largish changes.
 
73 de Jeff