[Gluster-users] Gluster EPEL _5_ packages not signed {Possibly Forged}

Grant Byers gbyers at indue.com.au
Mon Mar 10 01:04:15 UTC 2014


Sorry, that should have read ;

%__gpg_sign_cmd %{__gpg} \
  gpg --force-v3-sigs --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
  -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}


Regards,
Grant



-----Original Message-----
From: gluster-users-bounces at gluster.org [mailto:gluster-users-bounces at gluster.org] On Behalf Of Grant Byers
Sent: Monday, 10 March 2014 11:00 AM
To: 'Kaleb Keithley'
Cc: gluster-users at gluster.org
Subject: Re: [Gluster-users] Gluster EPEL _5_ packages not signed {Possibly Forged}

Kaleb,

See comment #12 in the following bugzilla ;

	https://bugzilla.redhat.com/show_bug.cgi?id=436812

Apparently EL5 doesn't like V4 keys. Appears the trick is to put something like the following in your ~/.rpmmacros on your EL5 build box ;


%__gpg_sign_cmd %{__gpg} \
  gpg --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
  -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}


I tested this by signing an EL5 RPM I created on an EL6 box with a V4 key and it worked.

A Sharpie works well too, but people are going to question why one of your forearms is much larger than the other.

Regards,
Grant


-----Original Message-----
From: Kaleb Keithley [mailto:kkeithle at redhat.com] 
Sent: Sunday, 9 March 2014 5:02 AM
To: Grant Byers
Cc: gluster-users at gluster.org
Subject: Re: [Gluster-users] Gluster EPEL _5_ packages not signed


> 
> Are you sure yum is barfing on the signature? 

  ...
  error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature: BAD, key ID 4ab22bb3
  ...

Dunno. You tell me. (But it sure looks like it's the signature to me.)

> Yum on EL5 will barf if your
> repo uses anything stronger than sha1 (sha) for checksums. The default is
> sha256 when using createrepo to build the metadata.

I've always used MD5 hashes to create the epel-5 repos, so...

> 
> FWIW, I sign all of our internal EL5 packages and have no problem at all. If
> it's not the repo itself, perhaps it is key strength. I'd be happy to test
> an RPM on EL5 if you're willing to sign it. Perhaps an --addsign?
> 

There's my mistake – all this time I've been signing them with a Sharpie felt 
tip pen. ;-)

http://kkeithle.fedorapeople.org/for_grant/ has signed el5 RPMs. They don't 
install for me on my CentOS 5.10 system, but you are welcome to try.

--

Kaleb
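
To confirm which signature version a signing command actually produced before publishing to an EL5 repo, this added example (not code from the thread, rpm or gpg) parses the leading packet of a binary detached signature, such as the one `gpg --no-armor -sbo` writes, and reports its version and algorithms in the style rpm prints, e.g. `V4 RSA/SHA1`. The sample packets are constructed, with a placeholder key ID and a dummy MPI.

```python
# Added example: report the version of an OpenPGP signature packet (RFC 4880).
PUBKEY = {1: "RSA", 17: "DSA"}
HASH = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}

def packet_body(data):
    """Strip the packet header (RFC 4880 section 4.2); return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    if first & 0x40:                          # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + data[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:                                     # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        width = 1 << ltype                    # 1, 2 or 4 length octets
        start, length = 1 + width, int.from_bytes(data[1:1 + width], "big")
    return tag, data[start:start + length]

def describe_signature(data):
    """Return (version, pubkey_algo, hash_algo) for a detached signature."""
    tag, body = packet_body(data)
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    version = body[0]
    if version == 3:    # ver, len=5, type, time(4), key ID(8), pubkey, hash
        pk, h = body[15], body[16]
    elif version == 4:  # ver, type, pubkey, hash, then subpackets
        pk, h = body[2], body[3]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return version, PUBKEY.get(pk, str(pk)), HASH.get(h, str(h))

# Constructed sample packets (placeholder key ID, dummy one-octet MPI).
TAIL = b"\xab\xcd\x00\x08\xff"                # left 16 hash bits + MPI
V3_SIG = (b"\x88\x16" + bytes([3, 5, 0]) + b"\x53\x1d\x0f\x3f"
          + bytes(8) + b"\x01\x02" + TAIL)
V4_SIG = b"\x88\x0d" + bytes([4, 0, 1, 2]) + bytes(4) + TAIL

if __name__ == "__main__":
    for name, sig in (("v3", V3_SIG), ("v4", V4_SIG)):
        print(name, "V%d %s/%s signature" % describe_signature(sig))
```
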

