
Re: Package signature weirdness with rpm 4.1.1 on YellowDog 2.3



On Thu, Mar 13, 2003 at 12:18:50PM +0100, Matthias Saou wrote:
> Well, got 4.1.1 to link against itself, and it seems mostly clean now. I
> rebuilt the rpm database, but am getting a strange behavior when trying to
> sign packages and verify their signature.
> 
> It comes down to this:
> 
> [dude@powermac RPMS]$ rpm -K unrar-3.1.3-fr1.ppc.rpm
> only V3 signatures can be verified, skipping V4 signature
> unrar-3.1.3-fr1.ppc.rpm: md5 OK
> (that package was built and signed with rpm 4.0.3)
> 
> [dude@powermac RPMS]$ rpm --resign unrar-3.1.3-fr1.*
> Enter pass phrase:
> Pass phrase is good.
> unrar-3.1.3-fr1.ppc.rpm:
> unrar-3.1.3-fr1.src.rpm:
> (from my experience, having no output here is a good sign)
> 
> [dude@powermac RPMS]$ rpm -K unrar-3.1.3-fr1.ppc.rpm
> only V3 signatures can be verified, skipping V4 signature
> only V3 signatures can be verified, skipping V4 signature
> unrar-3.1.3-fr1.ppc.rpm: sha1 md5 OK
> (now I get the message twice, and "sha1" is checked and previously wasn't)
> 

Yup. RFC-2440 has both v3 and v4 signatures; the difference is in how
the digest on the blob is generated.

Add --force-v3-sigs to the definition of the macro :

...
%__gpg_sign_cmd                 %{__gpg} \
    gpg --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
    -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
...

(I keep meaning to add this, will try to remember again today).

> 
> All packages I had recompiled, signed and installed with 4.0.3 give those
> V3 vs. V4 messages, even when doing "rpm -qa" for instance.
> 
> Am I doing something wrong? Seems strange to me that the rpm used to sign
> the packages isn't able to verify them. Was the signature verification code
> from rpm 3.x merged into the rpm 4.2 backport!? :-)
> 

More importantly, rpm-4.1 and later has both header-only and (legacy)
header+payload signature/digests. That means that if you sign with
rpm-4.1.1 using one key, and then sign with rpm-4.0.4 using another key,
that there will be 2 different signatures with 2 different keys in
the package. Avoid confusion by always signing with rpm-4.1 or later.

Another important change is that --addsign and --resign behave identically.
(--addsign did not delete existing signatures in the past, overly subtle
nuance that was error prone.)

The good news is that header signatures are (usually) verified whenever
a header is read. Sign a few packages with rpm-4.1 or later, install,
look at "rpm -q -vv pkg" output to convince yourself that --checksig
is (almost) superfluous.

73 de Jeff

-- 
Jeff Johnson	ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC
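The "skipping V4 signature" line in the quoted output means the OpenPGP signature was never checked: "md5 OK" by itself only says the digest matched. The following is an added example (not part of this thread or of rpm) that classifies "rpm -K" output so a script can tell a verified signature from a digest-only or skipped result. It assumes the result line carries a "gpg" or "pgp" token when the signature was actually verified, and uses constructed sample output modelled on the thread.

```shell
#!/bin/sh
# Constructed samples in the "rpm -K" output format shown in the thread
# (hypothetical, not captured from a real system).
SAMPLE_SKIPPED='only V3 signatures can be verified, skipping V4 signature
unrar-3.1.3-fr1.ppc.rpm: sha1 md5 OK'
SAMPLE_SIGNED='unrar-3.1.3-fr1.ppc.rpm: sha1 md5 gpg OK'

# rpm_sig_status OUTPUT
# Prints one of:
#   bad         - rpm reported "NOT OK" (digest or signature mismatch)
#   skipped     - a "skipping V<n> signature" warning was printed, so the
#                 OpenPGP signature was not verified at all
#   signature   - result line ends in OK and lists a gpg/pgp token
#                 (assumption: that token marks a verified signature)
#   digest-only - result line ends in OK but only digests (md5/sha1) were
#                 checked; anyone who rewrites the package can satisfy that
rpm_sig_status() {
    out=$1
    case $out in
        *"NOT OK"*) echo bad; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'skipping V[0-9]* signature'; then
        echo skipped; return 0
    fi
    if printf '%s\n' "$out" | grep -Eq ': .*[[:space:]](gpg|pgp)[[:space:]].*OK$'; then
        echo signature; return 0
    fi
    echo digest-only
}

# Example run over the constructed samples.
rpm_sig_status "$SAMPLE_SKIPPED"   # skipped
rpm_sig_status "$SAMPLE_SIGNED"    # signature
```

In practice the function would be fed `rpm -K "$pkg" 2>&1`, and anything other than "signature" should be treated as an unverified package.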