Hi all (again),

I'm still continuing my struggle to port my packages to EL5.

I've been using mock to build packages and they now all build 
successfully. I have a kernel-xen-release package which contains:
	/etc/pki/rpm-gpg
	/etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen
	/etc/yum.repos.d
	/etc/yum.repos.d/kernel-xen.repo

This should be installed on EL5.

When I try to verify the sig or install the package on EL5, I get the 
following:

# rpm -ivh kernel-xen-release-5-4.noarch.rpm
error: kernel-xen-release-5-4.noarch.rpm: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
error: kernel-xen-release-5-4.noarch.rpm cannot be installed
# rpm -Kv kernel-xen-release-5-4.noarch.rpm
kernel-xen-release-5-4.noarch.rpm:
     Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
     V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)

When trying to install it via yum, I get:
# yum -y localinstall --nogpgcheck kernel-xen-release-5-4.noarch.rpm
....
Transaction Test Succeeded
Running Transaction
error: kernel-xen-release-5-4: Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d

Installed:
   kernel-xen-release.noarch 0:5-4

However, none of the files in the package seem to be put on the 
filesystem...

When I create the RPMs, I've been building them within mock using 
epel-5-x86_64 as the target using the following:

mock -r epel-5-x86_64 --resultdir ~/build-5-x86_64/ \
                       --no-clean --no-cleanup-after --rebuild \
                       "$@"

I then sign it with:
rpm --addsign --define "_source_filedigest_algorithm 1" \
               --define "_binary_filedigest_algorithm 1" \
               --define "_binary_payload w9.gzdio" \
               --define "_source_payload w9.gzdio" \
               --define "_default_patch_fuzz 2" \
               --define "%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" \
               ~/repo/el5/x86_64/*.rpm ~/repo/el5/SRPMS/*.rpm

I then create the repo files using:
createrepo -s sha --outputdir=~/repo/el5/x86_64/ ~/repo/el5/x86_64/

This then gets synced to the master repo.

Now, what I think seems to be the crux of the issue is that if I try to 
import the key into rpm (rpm --import 
/etc/pki/rpm-gpg/RPM-GPG-KEY-kernel-xen), I get no output, nor can I see 
it in a list of keys installed (via rpm -qa rpm-gpg*) - although the 
import doesn't show any errors or non-zero exit code.

With all this, I'm a little stumped about how EL5 handles package 
signing differently than EL6. It must be something that I haven't 
managed to stumble across.

Does anyone have a working example of signing EL5 packages in EL6 that 
may be able to help me get to the root cause of these issues?

Thanks in advance.

-- 
Steven Haigh

Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
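
An added example (not part of the original post): a shell filter that triages `rpm -Kv` output in the format quoted above, separating digest failures from signature failures. The names `triage_rpm_k` and `sample_rpm_kv` and the verdict strings are assumptions made for this example; the sample input is the output quoted in the post.

```shell
#!/bin/sh
# Added example: classify `rpm -Kv` output read from stdin.
# Verdicts (names chosen for this example):
#   ok              every digest and signature verified
#   corrupt         a digest failed, so the file itself is damaged
#   badsig <keyid>  digests OK but a signature is BAD: the file is intact
#                   and the signature or key is what this rpm rejects
#   nokey <keyid>   signature could not be checked, key not imported
triage_rpm_k() {
    awk '
        /digest:/ { if ($0 !~ /digest: OK/) corrupt = 1 }
        /signature:/ {
            if (match($0, /key ID [0-9a-fA-F]+/))
                keyid = substr($0, RSTART + 7, RLENGTH - 7)
            if ($0 ~ /signature: NOKEY/)    nokey = 1
            else if ($0 !~ /signature: OK/) bad = 1
        }
        END {
            if (corrupt)    print "corrupt"
            else if (bad)   print "badsig " keyid
            else if (nokey) print "nokey " keyid
            else            print "ok"
        }'
}

# Sample input: the `rpm -Kv` output quoted in the post.
sample_rpm_kv() {
    cat <<'EOF'
kernel-xen-release-5-4.noarch.rpm:
     Header V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     Header SHA1 digest: OK (b6f32affa916ae235b6abab49f3a3debd286cd8f)
     V3 RSA/SHA1 signature: BAD, key ID 5838f88d
     MD5 digest: OK (9e4df29f8ccaa1a98f7ac525cae2ff86)
EOF
}

sample_rpm_kv | triage_rpm_k    # prints: badsig 5838f88d
```

A `badsig` verdict with both digests OK means the file arrived intact and the failure lies in signature verification itself. Keys imported with `rpm --import` are stored in the rpm database as `gpg-pubkey-<keyid>-<timestamp>` packages, so `rpm -q gpg-pubkey` lists them.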