Issue #673

signed pulp RPMs do not validate as signed on RHEL5

Added by cduryee almost 7 years ago. Updated almost 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version: 2.6 Beta
Platform Release: 2.6.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Description of problem:

RHEL 5 systems are unable to verify the GPG signature of the 2.6 pulp RPMs. This does not affect RHEL6 or newer, or Fedora.

Version-Release number of selected component (if applicable): 2.6.0 beta 5

How reproducible: every time

Steps to Reproduce:
1. attempt to install client bits on rhel 5

Actual results: rpm signature errors. Running "rpm -Kvv" will also show that the RPM's signature is invalid.

Expected results: no signature errors

Additional info:

There are a few bugs in RHEL 5's rpm signature checks that we need to work around. We need to create a new 2048 bit "signing-only" key with no subkeys, and also add the following to .rpmmacros when signing:

%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

This bug was cloned from Bugzilla Bug #1184262
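Added example, not part of the original report or of Pulp's build scripts: a Python check that a detached binary signature, such as the file the gpg command in the macro writes with `-sbo`, is a version 3 OpenPGP signature using SHA-1, which is what `--force-v3-sigs --digest-algo=sha1` request. The function names and sample bytes are constructed for illustration; the packet layout follows RFC 4880.

```python
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_NAMES = {1: "RSA", 17: "DSA"}


def parse_signature_packet(data: bytes) -> dict:
    """Read version, key and hash algorithm from an OpenPGP signature packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                        # new-format packet header
        tag = data[0] & 0x3F
        if data[1] < 192:
            offset = 2
        elif data[1] < 224:
            offset = 3
        elif data[1] == 255:
            offset = 6
        else:
            raise ValueError("partial body length not supported")
    else:                                     # old-format packet header
        tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not supported")
        offset = 1 + (1, 2, 4)[length_type]
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = data[offset:]
    if len(body) >= 17 and body[0] == 3 and body[1] == 5:
        # v3: version, 5, sig type, time(4), key ID(8), pubkey algo, hash algo
        pubkey, digest = body[15], body[16]
    elif len(body) >= 4 and body[0] == 4:
        # v4: version, sig type, pubkey algo, hash algo
        pubkey, digest = body[2], body[3]
    else:
        raise ValueError("unsupported or truncated signature packet")
    return {"version": body[0], "pubkey": PUBKEY_NAMES.get(pubkey, str(pubkey)),
            "hash": HASH_NAMES.get(digest, str(digest))}


def matches_signing_macro(data: bytes) -> bool:
    """True if the signature is v3 with SHA1, as the macro's gpg flags force."""
    info = parse_signature_packet(data)
    return info["version"] == 3 and info["hash"] == "SHA1"


# Constructed samples (signature MPIs omitted, key ID and timestamp zeroed).
V3_RSA_SHA1 = bytes([0x88, 0x13, 3, 5, 0x00]) + bytes(12) + bytes([1, 2, 0, 0])
V4_RSA_SHA256 = bytes([0x89, 0x00, 0x06, 4, 0x00, 1, 8, 0x00, 0x00])
```

To check a real signature, pass the bytes of the detached signature file to `matches_signing_macro`. Key size and the absence of subkeys are properties of the key and cannot be read from the signature packet.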

Associated revisions

Revision 85412155
Added by jortel@redhat.com almost 7 years ago

Merge pull request #673 from jortel/fix-unit-tests

Ensure that logging is shutdown on test teardown.

History

#1 Updated by cduryee almost 7 years ago

Per triage discussion, we are going to update builder.py to not upload signed rhel5 rpms. This will also require the creation of a rhel5-pulp.repo file to ensure gpgcheck=0 is still set for el5, as well as an update to the install doc to call out this new repo file.

This comment was cloned from Bugzilla #1184262 comment 1

#3 Updated by cduryee almost 7 years ago

merged to 2.6-testing and higher

This comment was cloned from Bugzilla #1184262 comment 3

#4 Updated by cduryee almost 7 years ago

2.6.0-0.7.beta

This comment was cloned from Bugzilla #1184262 comment 4

#5 Updated by igulina@redhat.com almost 7 years ago

uname -r

2.6.18-398.el5xen

rpm -qa pulp*

#

tail -n 20 /etc/yum.repos.d/rhel-pulp.repo

gpgcheck=0

# Version 2.6 Testing Builds
[pulp-2.6-testing]
name=Pulp 2.6 Testing Builds
baseurl=https://repos.fedorapeople.org/repos/pulp/pulp/testing/2.6/$releasever/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=1
gpgkey=https://repos.fedorapeople.org/repos/pulp/pulp/GPG-RPM-KEY-pulp-2

# Version 2.6 Beta Builds
[pulp-2.6-beta]
name=Pulp 2.6 Beta Builds
baseurl=https://repos.fedorapeople.org/repos/pulp/pulp/beta/2.6/$releasever/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=1
gpgkey=https://repos.fedorapeople.org/repos/pulp/pulp/GPG-RPM-KEY-pulp-2

after building all rpms:

yum groupinstall pulp-consumer-qpid

...
Package pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5.noarch.rpm is not signed

changing gpgcheck to 0

vi /etc/yum.repos.d/rhel-pulp.repo
yum groupinstall pulp-consumer-qpid

....

ruby-augeas.x86_64 0:0.4.1-1.el5                                                                      
ruby-shadow.x86_64 0:1.4.1-7.el5                                                                      

Complete!

rpm -qa pulp*

pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5
pulp-agent-2.6.0-0.7.beta.el5
pulp-consumer-client-2.6.0-0.7.beta.el5
pulp-rpm-yumplugins-2.6.0-0.7.beta.el5
pulp-rpm-consumer-extensions-2.6.0-0.7.beta.el5
pulp-rpm-handlers-2.6.0-0.7.beta.el5
pulp-puppet-handlers-2.6.0-0.7.beta.el5

rpm -Kvv pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5

error: pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5: open failed: No such file or directory
D: May free Score board((nil))

yumdownloader pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5

Loaded plugins: amazon-id, fastestmirror, pulp-profile-update, rhui-lb
Loading mirror speeds from cached hostfile
* rhui-REGION-client-config-server-5: XXX
* rhui-REGION-rhel-server:XXX
Excluding Packages from Red Hat Enterprise Linux Server 5 (RPMs)
Finished
pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5.noarch.rpm | 23 kB 00:00

rpm -Kvv pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5.noarch.rpm

D: Expected size: 23444 = lead(96)+sigs(180)+pad(4)+data(23164)
D: Actual size: 23444
pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5.noarch.rpm:
Header SHA1 digest: OK (94262f20959e949e4c571fc80ece262bf246b1d3)
MD5 digest: OK (d123fb71bb66d18ce6e74b9b42e9dcf0)
D: May free Score board((nil))

This comment was cloned from Bugzilla #1184262 comment 5
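Added example, not part of the original comment: a Python classifier for `rpm -Kvv` output that separates digest checks from signature checks. It shows why the output in comment 5 (digests only, no signature line) corresponds to yum's "is not signed" message under `gpgcheck=1`. `PAGE_OUTPUT` is copied from that comment; `SIGNED_OUTPUT` and `BAD_OUTPUT` are constructed, with placeholder key IDs.

```python
import re

# One check per line: optional "Header " prefix, a name such as "SHA1" or
# "V3 DSA", the kind (digest or signature), then an upper-case status word.
CHECK_RE = re.compile(
    r"^\s*(?P<header>Header )?(?P<what>.+?) (?P<kind>digest|signature): "
    r"(?P<status>[A-Z]+)"
)


def classify_checksig(output: str) -> dict:
    """Split rpm -K output into digest and signature checks and give a verdict."""
    digests, signatures = [], []
    for line in output.splitlines():
        if line.startswith("D: "):            # rpm debug lines from -vv
            continue
        m = CHECK_RE.match(line)
        if not m:
            continue
        name = ("Header " if m["header"] else "") + m["what"]
        target = signatures if m["kind"] == "signature" else digests
        target.append((name, m["status"]))
    if any(status != "OK" for _, status in digests + signatures):
        verdict = "failed"        # BAD, NOKEY, ... on any check
    elif signatures:
        verdict = "signed"        # at least one signature verified
    elif digests:
        verdict = "unsigned"      # integrity digests only, no authenticity
    else:
        verdict = "no-checks"     # e.g. rpm could not open the file
    return {"digests": digests, "signatures": signatures, "verdict": verdict}


PAGE_OUTPUT = """\
D: Expected size: 23444 = lead(96)+sigs(180)+pad(4)+data(23164)
D: Actual size: 23444
pulp-puppet-consumer-extensions-2.6.0-0.7.beta.el5.noarch.rpm:
Header SHA1 digest: OK (94262f20959e949e4c571fc80ece262bf246b1d3)
MD5 digest: OK (d123fb71bb66d18ce6e74b9b42e9dcf0)
D: May free Score board((nil))
"""
# Constructed lines; the key ID is a placeholder.
SIGNED_OUTPUT = PAGE_OUTPUT + "Header V3 RSA/SHA1 signature: OK, key ID 00000000\n"
BAD_OUTPUT = PAGE_OUTPUT + "V3 RSA/SHA1 signature: BAD, key ID 00000000\n"
```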

#6 Updated by bmbouter almost 7 years ago

  • Severity changed from High to 3. High

#7 Updated by rbarlow over 6 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#9 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added
