SCIENTIFIC-LINUX-DEVEL Archives

October 2012

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Steven Haigh <[log in to unmask]>
Reply To: Steven Haigh <[log in to unmask]>
Date: Tue, 16 Oct 2012 23:49:45 +1100
Content-Type: multipart/signed
Parts/Attachments: text/plain (3036 bytes), smime.p7s (4 kB)

Hi all (again),

I'm still continuing my struggle to port my packages to EL5.

I've been using mock to build packages and they now all build 
successfully. I have a kernel-xen-release package which contains:
	/etc/pki/rpm-gpg
	/etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen
	/etc/yum.repos.d
	/etc/yum.repos.d/kernel-xen.repo

This should be installed on EL5.

When I try to verify the sig or install the package on EL5, I get the 
following:

# rpm -ivh kernel-xen-release-5-4.noarch.rpm
error: kernel-xen-release-5-4.noarch.rpm: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
error: kernel-xen-release-5-4.noarch.rpm cannot be installed
# rpm -Kv kernel-xen-release-5-4.noarch.rpm
kernel-xen-release-5-4.noarch.rpm:
     Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
     V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)

When trying to install it via yum, I get:
# yum -y localinstall --nogpgcheck kernel-xen-release-5-4.noarch.rpm
....
Transaction Test Succeeded
Running Transaction
error: kernel-xen-release-5-4: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d

Installed:
   kernel-xen-release.noarch 0:5-4

However, none of the files in the package seem to be put on the 
filesystem...

When I create the RPMs, I've been building them within mock using 
epel-5-x86_64 as the target using the following:

mock -r epel-5-x86_64 --resultdir ~/build-5-x86_64/ \
                       --no-clean --no-cleanup-after --rebuild \
                       "$@"

I then sign it with:
rpm --addsign --define "_source_filedigest_algorithm 1" \
               --define "_binary_filedigest_algorithm 1" \
               --define "_binary_payload w9.gzdio" \
               --define "_source_payload w9.gzdio" \
               --define "_default_patch_fuzz 2" \
               --define "%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" \
               ~/repo/el5/x86_64/*.rpm ~/repo/el5/SRPMS/*.rpm

I then create the repo files using:
createrepo -s sha --outputdir=~/repo/el5/x86_64/ ~/repo/el5/x86_64/

This then gets synced to the master repo.

Now, what I think seems to be the crux of the issue is that if I try to 
import the key into rpm (rpm --import 
/etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen), I get no output, nor can I see 
it in a list of keys installed (via rpm -qa rpm-gpg*) - although the 
import doesn't show any errors or non-zero exit code.

With all this, I'm a little stumped about how EL5 handles package 
signing differently than EL6. It must be something that I haven't 
managed to stumble across.

Does anyone have a working example of signing EL5 packages in EL6 that 
may be able to help me get to the root cause of these issues?

Thanks in advance.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
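
Added example, not part of the original post: a shell helper that triages `rpm -Kv` output like the one quoted above by separating digest failures from signature failures (OK, BAD, NOKEY). The function names and verdict words are made up for this example, and the second sample is constructed. The digests are stored in the package itself, so an OK digest shows internal consistency only, not authenticity.

```shell
#!/bin/sh
# Added example. Usage on a real package (hypothetical file name):
#   rpm -Kv some-package.rpm 2>&1 | classify_rpm_checks
# Prints "<verdict> <key id or ->", where verdict is one of:
#   corrupt  - a digest check failed: header or payload bytes changed
#   nokey    - signature present, signing public key not in the rpm keyring
#   sigbad   - digests OK but signature rejected: look at the key or at the
#              signature format/algorithm rather than at file damage
#   ok       - all signature checks passed
#   unsigned - no signature lines at all
classify_rpm_checks() {
    awk '
        /digest:/ { if ($0 ~ /digest: OK/) dig_ok++; else dig_bad++ }
        /signature:/ {
            status = $0
            sub(/.*signature: */, "", status)   # e.g. "BAD, key ID 5838f88d"
            if (match(status, /key ID [0-9a-fA-F]+/))
                keyid = substr(status, RSTART + 7, RLENGTH - 7)
            sub(/[,( ].*/, "", status)          # keep first word only
            seen[status]++
        }
        END {
            if (dig_bad)            verdict = "corrupt"
            else if (seen["NOKEY"]) verdict = "nokey"
            else if (seen["BAD"])   verdict = "sigbad"
            else if (seen["OK"])    verdict = "ok"
            else                    verdict = "unsigned"
            print verdict, (keyid == "" ? "-" : keyid)
        }'
}

# Output copied from the post above.
sample_from_post() { cat <<'EOF'
kernel-xen-release-5-4.noarch.rpm:
     Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
     V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)
EOF
}

# Constructed sample: same package shape, but the key was never imported.
sample_nokey() { cat <<'EOF'
example-1.0-1.noarch.rpm:
     Header V3 RSA/SHA1 signature: NOKEY, key ID 0123abcd
     Header SHA1 digest: OK (0000000000000000000000000000000000000000)
EOF
}

sample_from_post | classify_rpm_checks
sample_nokey | classify_rpm_checks
```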


