Issue #8016

closed

Signed rpm fixtures can't be generated on Fedora 31+

Added by daviddavis over 3 years ago. Updated over 2 years ago.

Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: Yes
Groomed: No
Sprint Candidate: No

Description

Ticket moved to GitHub: pulp/pulp_rpm/2262 (https://github.com/pulp/pulp_rpm/issues/2262)


Steps to reproduce

  1. Check out the pulp-fixtures repo
  2. Install dependencies (sudo dnf install -y createrepo gpg make rpm-build rpm-sign)
  3. Run make fixtures/rpm-signed

You can also try running the rpm signing command manually:

rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm

This works on Fedora 30 but seems to fail on any Fedora after that:

/tmp/tmp.tLVWwh66sH/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: /home/daviddavis/Projects/pulp-fixtures/common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
make: *** [Makefile:444: fixtures/rpm-signed] Error 123

Related issues

Related to Pulp - Issue #7675: Seeing signing errors in CI builds of pulp-fixtures (CLOSED - WONTFIX)
Actions #1

Updated by daviddavis over 3 years ago

I also tried to generate a new 4096-bit key and sign the file:

gpg --full-generate-key
gpg --output common/GPG-PRIVATE-KEY-pulp-qe --armor --export-secret-key pulp-dev@redhat.com
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm

Which outputs the same error:

rpm/assets/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
Actions #2

Updated by daviddavis over 3 years ago

  • Description updated (diff)
Actions #3

Updated by daviddavis over 3 years ago

  • Description updated (diff)
Actions #4

Updated by daviddavis over 3 years ago

  • Related to Issue #7675: Seeing signing errors in CI builds of pulp-fixtures added
Actions #5

Updated by ipanova@redhat.com about 3 years ago

I would not know how to sign a package with gpg without importing the key to the keyring. We could (1) manage another keyring by creating a new keyring file in the temp dir and import the key there or (2) just import the key, sign and delete it.

I have read the rpm-sign manpage and from what I have understood, it provides package signing as well as package file signing. Package file signing happens only with the RSA key and that's the option fskpath which I think we are misusing.
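
Option (1) from the comment above, as an added example that is not part of the original thread or of pulp-fixtures: it checks that the key file is an armored OpenPGP secret key (rather than the RSA key the comment says `--fskpath` is meant for), imports it into a throwaway keyring and signs the package with `rpmsign --addsign`. The function names and the assumption that the key has no passphrase are this example's own.

```shell
#!/bin/sh
# Added example, not from pulp-fixtures; function names are hypothetical.

# Classify a key file by its first armor header line.
key_kind() {
    header=$(grep -m1 '^-----BEGIN ' "$1" 2>/dev/null) || { echo unknown; return; }
    case "$header" in
        *"BEGIN PGP PRIVATE KEY BLOCK"*) echo openpgp ;;  # gpg --armor --export-secret-key
        *"BEGIN RSA PRIVATE KEY"*|*"BEGIN PRIVATE KEY"*) echo pem ;;  # OpenSSL-style key
        *) echo unknown ;;
    esac
}

# Import KEY into a temporary keyring, sign RPM as NAME, then delete the keyring.
# Assumes the key has no passphrase (otherwise gpg will prompt).
sign_with_temp_keyring() {
    key=$1 rpm=$2 name=$3
    if [ "$(key_kind "$key")" != openpgp ]; then
        echo "refusing: $key is not an armored OpenPGP secret key" >&2
        return 2
    fi
    home=$(mktemp -d) || return 1          # mktemp -d creates it with mode 0700
    if gpg --homedir "$home" --batch --quiet --import "$key" &&
       GNUPGHOME="$home" rpmsign --define "_gpg_name $name" \
           --define "_gpg_path $home" --addsign "$rpm"; then
        status=0
    else
        status=1
    fi
    # Stop any agent started for the temporary keyring before removing it.
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    return "$status"
}

# Usage: sh sign.sh KEY RPM [NAME]; does nothing when called without arguments.
if [ "$#" -ge 2 ]; then
    sign_with_temp_keyring "$1" "$2" "${3:-Pulp QE}"
fi
```

The caller's own keyring is never touched, so nothing has to be deleted from it afterwards as option (2) would require.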

Actions #6

Updated by dalley about 3 years ago

  • Triaged changed from No to Yes
Actions #7

Updated by pulpbot over 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE
