Hi all (again), I'm still continuing my struggle to port my packages to EL5. I've been using mock to build packages and they are now all build successfully. I have a kernel-xen-release package which contains: /etc/pki/rpm-gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen /etc/yum.repos.d /etc/yum.repos.d/kernel-xen.repo This should be installed on EL5. When I try to verify the sig or install the package on EL5, I get the following: # rpm -ivh kernel-xen-release-5-4.noarch.rpm error: kernel-xen-release-5-4.noarch.rpm: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d error: kernel-xen-release-5-4.noarch.rpm cannot be installed # rpm -Kv kernel-xen-release-5-4.noarch.rpm kernel-xen-release-5-4.noarch.rpm: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f) V3 RSA/SHA1 signature: BAD, key ID 5838f88d MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86) When trying to install it via yum, I get: # yum -y localinstall --nogpgcheck kernel-xen-release-5-4.noarch.rpm .... Transaction Test Succeeded Running Transaction error: kernel-xen-release-5-4: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d Installed: kernel-xen-release.noarch 0:5-4 However, none of the files in the package seem to be put on the filesystem... When I create the RPMs, I've been building them within mock using epel-5-x86_64 as the target using the following: mock -r epel-5-x86_64 --resultdir ~/build-5-x86_64/ \ --no-clean --no-cleanup-after --rebuild \ "$@" I then sign it with: rpm --addsign --define "_source_filedigest_algorithm 1" \ --define "_binary_filedigest_algorithm 1" \ --define "_binary_payload w9.gzdio" \ --define "_source_payload w9.gzdio" \ --define "_default_patch_fuzz 2" \ --define "%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" \ ~/repo/el5/x86_64/*.rpm ~/repo/el5/SRPMS/*.rpm I then create the repo files using: createrepo -s sha --outputdir=~/repo/el5/x86_64/ ~/repo/el5/x86_64/ This then gets synced to the master repo. Now, what I think seems to be the crux of the issue is that if I try to import the key into rpm (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen), I get no output, nor can I see it in a list of keys installed (via rpm -qa rpm-gpg*) - although the import doesn't show any errors or non-zero exit code. With all this, I'm a little stumped about how EL5 handles package signing differently than EL6. It must be something that I haven't managed to stumble across. Does anyone have a working example of signing EL5 packages in EL6 that may be able to help me get to the root cause of these issues? Thanks in advance. -- Steven Haigh Email: [log in to unmask] Web: http://www.crc.id.au Phone: (03) 9001 6090 - 0412 935 897 Fax: (03) 8338 0299