Signing RPMs causes unverifiable V4 signatures (and extreme frustration)?

Sometimes it seems like I run into every possible problem imaginable when trying to do something very simple. This time, while finishing up our automated build and release system for Metric Insights, I decided that our RPMs needed to be signed with a GPG key cause, you know, we’re professional and shit.

The process is super simple, as spelled out in multiple blog posts and RPM documentation around the web. Set up your RPM’s _gpg_name macro, and sign with a simple:

$ rpm --define '_gpg_name mykey' --addsign test.rpm
Enter pass phrase: 
Pass phrase is good.
test.rpm:

For some reason, though, my otherwise perfectly valid GPG key would corrupt the RPM:

$ rpm -qpi test.rpm
error: skipping package with unverifiable V4 signature
error: test.rpm: not an rpm package (or package manifest)

There are various solutions to fix this on the internet, including outdated forum posts telling people that V4 signing was broken and you needed to force V3 signing. This turned out to be a red herring. Don’t bother redefining the __gpg_sign_cmd rpm macro to use --force-v3-sigs. This just gives an even more annoying “unverifiable V3 signature”!

After much trial and error, however, I figured out that it was a problem with RPM not liking my particular GPG key. To pinpoint the problem, I created 4 different GPG keys, 1024 and 2048 byte RSA and DSA keys, and tested out signing RPM packages with them:

cru@bob:~ $ gpg --list-keys foo
pub 1024R/272D2ECA 2013-02-06
uid fooRSA1024 <foorsa1024@example.com>
sub 1024R/1D2D8E3C 2013-02-06

pub 2048R/413B4061 2013-02-06
uid fooRSA2048 <foorsa2048@example.com>
sub 2048R/A06F285A 2013-02-06

pub 1024D/85FBADC7 2013-02-06
uid fooDSA1024 <foodsa1024@example.com>
sub 1024g/FD971D0A 2013-02-06

pub 2048D/36DFE4E6 2013-02-06
uid fooDSA2048 <foodsa2048@example.com>
sub 2048g/A6971EDB 2013-02-06

cru@bob:~ $ for x in foo{rsa,dsa}{1024,2048}; do cp -f test.rpm test-$x.rpm; rpm --define "_gpg_name $x@example.com" --addsign test-$x.rpm; done
Enter pass phrase: 
Pass phrase is good.
test-foorsa1024.rpm:
Enter pass phrase: 
Pass phrase is good.
test-foorsa2048.rpm:
Enter pass phrase: 
Pass phrase is good.
test-foodsa1024.rpm:
Enter pass phrase: 
Pass phrase is good.
test-foodsa2048.rpm:

This created four separate signed rpms. All of them worked EXCEPT for the 2048 byte DSA key!

cru@bob:~$ for x in foo{rsa,dsa}{1024,2048}; do rpm -qip test-$x.rpm | grep Signature; done 
warning: test-foorsa1024.rpm: Header V4 RSA/SHA1 Signature, key ID 272d2eca: NOKEY
Signature : RSA/SHA1, Wed 06 Feb 2013 06:45:44 AM UTC, Key ID a5a029b1272d2eca
warning: test-foorsa2048.rpm: Header V4 RSA/SHA1 Signature, key ID 413b4061: NOKEY
Signature : RSA/SHA1, Wed 06 Feb 2013 06:45:44 AM UTC, Key ID 4f775b1a413b4061
warning: test-foodsa1024.rpm: Header V4 DSA/SHA1 Signature, key ID 85fbadc7: NOKEY
Signature : DSA/SHA1, Wed 06 Feb 2013 06:45:45 AM UTC, Key ID 4cb7b2bd85fbadc7
error: skipping package with unverifiable V4 signature
error: test-foodsa2048.rpm: not an rpm package (or package manifest)

So, to fix it, I simply regenerated a 2048 RSA key. Hopefully this will save others some headaches in the future 🙂 NOTE: this appears to be a problem on RPM 4.8 (which ships with Debian Squeeze/CentOS 6.3 and RHEL 6).
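As an added preflight check (example code, not part of the original post): a POSIX sh script that refuses to sign with the key type the post found RPM 4.8 cannot verify (DSA larger than 1024 bits), then signs a copy of the package and checks it with rpm -K. The sample key listings are constructed in gpg's --with-colons format with placeholder long key ids; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the post): preflight check for the failure the post
# describes. In the post, RSA 1024/2048 and DSA 1024 signatures verified on
# RPM 4.8, while the 2048-bit DSA key produced "unverifiable V4 signature".

# Constructed sample records in `gpg --list-keys --with-colons` format:
# field 3 = key length, field 4 = OpenPGP algorithm id (1 = RSA, 17 = DSA).
# Long key ids are placeholders, not real key material.
SAMPLE_DSA1024='pub:u:1024:17:XXXXXXXX85FBADC7:2013-02-06:::u:::scESC:
uid:u::::::::fooDSA1024 <foodsa1024@example.com>:'
SAMPLE_DSA2048='pub:u:2048:17:XXXXXXXX36DFE4E6:2013-02-06:::u:::scESC:
uid:u::::::::fooDSA2048 <foodsa2048@example.com>:'
SAMPLE_RSA2048='pub:u:2048:1:XXXXXXXX413B4061:2013-02-06:::u:::scESC:
uid:u::::::::fooRSA2048 <foorsa2048@example.com>:'

# Read a colon-format key listing on stdin. Exit 0 when the primary key is
# RSA, or DSA of at most 1024 bits (the combinations that verified in the
# post); exit 1 for larger DSA keys or when no "pub" record is present.
key_ok_for_rpm48() {
    awk -F: '
        $1 == "pub" && !seen {
            seen = 1
            bits = $3 + 0; algo = $4 + 0
            if (algo == 1 || (algo == 17 && bits <= 1024)) ok = 1
        }
        END { exit ok ? 0 : 1 }
    '
}

# Sign a copy of an RPM with the named key, refusing keys RPM 4.8 cannot
# verify, then check the result with rpm -K. Assumes the key's public part
# was already imported with `rpm --import` so rpm -K can verify it.
# Returns 2 if the key is rejected, 1 if signing fails, else rpm -K's status.
sign_copy_and_verify() {
    key="$1"; pkg="$2"; out="${pkg%.rpm}-signed.rpm"
    if ! gpg --list-keys --with-colons "$key" | key_ok_for_rpm48; then
        echo "refusing $key: DSA keys over 1024 bits are unverifiable on RPM 4.8" >&2
        return 2
    fi
    cp -f "$pkg" "$out" || return 1
    rpm --define "_gpg_name $key" --addsign "$out" || return 1
    rpm -K "$out"   # non-zero if the signature is bad or unverifiable
}

# Usage: ./sign-check.sh <gpg key name or email> <package.rpm>
if [ "$#" -eq 2 ]; then sign_copy_and_verify "$1" "$2"; fi
```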
