Date: Tue, 16 Oct 2012 23:49:45 +1100
Hi all (again),

I'm still continuing my struggle to port my packages to EL5.

I've been using mock to build packages and they now all build
successfully. I have a kernel-xen-release package which contains:

    /etc/pki/rpm-gpg
    /etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen
    /etc/yum.repos.d
    /etc/yum.repos.d/kernel-xen.repo

This should be installed on EL5.

When I try to verify the sig or install the package on EL5, I get the
following:

    # rpm -ivh kernel-xen-release-5-4.noarch.rpm
    error: kernel-xen-release-5-4.noarch.rpm: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
    error: kernel-xen-release-5-4.noarch.rpm cannot be installed

    # rpm -Kv kernel-xen-release-5-4.noarch.rpm
    kernel-xen-release-5-4.noarch.rpm:
        Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
        Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
        V3 RSA/SHA1 signature: BAD, key ID 5838f88d
        MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)

When trying to install it via yum, I get:

    # yum -y localinstall --nogpgcheck kernel-xen-release-5-4.noarch.rpm
    ....
    Transaction Test Succeeded
    Running Transaction
    error: kernel-xen-release-5-4: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
    Installed:
    kernel-xen-release.noarch 0:5-4

However, none of the files in the package seem to be put on the
filesystem...

When I create the RPMs, I've been building them within mock using
epel-5-x86_64 as the target using the following:

    mock -r epel-5-x86_64 --resultdir ~/build-5-x86_64/ \
        --no-clean --no-cleanup-after --rebuild \
        "$@"

I then sign it with:

    rpm --addsign --define "_source_filedigest_algorithm 1" \
        --define "_binary_filedigest_algorithm 1" \
        --define "_binary_payload w9.gzdio" \
        --define "_source_payload w9.gzdio" \
        --define "_default_patch_fuzz 2" \
        --define "%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" \
        ~/repo/el5/x86_64/*.rpm ~/repo/el5/SRPMS/*.rpm

I then create the repo files using:

    createrepo -s sha --outputdir=~/repo/el5/x86_64/ ~/repo/el5/x86_64/

This then gets synced to the master repo.

Now, what I think seems to be the crux of the issue is that if I try to
import the key into rpm (rpm --import
/etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen), I get no output, nor can I see
it in a list of keys installed (via rpm -qa rpm-gpg*) - although the
import doesn't show any errors or non-zero exit code.

With all this, I'm a little stumped about how EL5 handles package
signing differently than EL6. It must be something that I haven't
managed to stumble across.

Does anyone have a working example of signing EL5 packages in EL6 that
may be able to help me get to the root cause of these issues?

Thanks in advance.

--
Steven Haigh
Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
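
An added example, not part of the original message: a small shell helper that triages `rpm -Kv` output by separating digest results from signature results. Run over the output quoted in the message, it reports that the header and payload match their recorded digests and that the failure is confined to signature verification. The function names and verdict words are hypothetical, and the sample is the post's output with wrapped lines rejoined.

```shell
#!/bin/sh
# Added example: classify the per-check results printed by `rpm -Kv`.
# Digest lines cover integrity of header/payload; signature lines also depend
# on the public key and on the verifying rpm understanding the signature.

# Reads `rpm -Kv` output on stdin and prints a single verdict word.
classify_rpm_check() {
    sig_bad=0; sig_nokey=0; dig_bad=0; seen=0
    while IFS= read -r line; do
        case "$line" in
            *signature:\ *) kind=sig ;;
            *digest:\ *)    kind=dig ;;
            *)              continue ;;   # package name line, blank lines
        esac
        result=${line#*: }          # text after the first ": "
        result=${result%%[ ,]*}     # first word: OK, BAD, NOKEY, ...
        seen=1
        case "$kind:$result" in
            sig:BAD)   sig_bad=1 ;;
            sig:NOKEY) sig_nokey=1 ;;
            dig:BAD)   dig_bad=1 ;;
        esac
    done
    if   [ "$seen" -eq 0 ];      then echo "no-checks-found"
    elif [ "$dig_bad" -eq 1 ];   then echo "corrupt"             # content does not match its digest
    elif [ "$sig_bad" -eq 1 ];   then echo "intact-but-sig-bad"  # look at key and signature, not the file
    elif [ "$sig_nokey" -eq 1 ]; then echo "intact-but-no-key"   # public key not imported
    else                              echo "ok"
    fi
}

# Sample input: the `rpm -Kv` output from the message above.
sample_rpm_kv_output() {
    cat <<'EOF'
kernel-xen-release-5-4.noarch.rpm:
    Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
    Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
    V3 RSA/SHA1 signature: BAD, key ID 5838f88d
    MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)
EOF
}

sample_rpm_kv_output | classify_rpm_check
```

On a real host the function can be fed directly, for example `rpm -Kv some.rpm | classify_rpm_check`.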