Issue #8016
Signed rpm fixtures can't be generated on Fedora 31+
Description
Steps to reproduce
- Check out the pulp-fixtures repo
- Install dependencies (sudo dnf install -y createrepo gpg make rpm-build rpm-sign)
- Run make fixtures/rpm-signed
You can also try running the rpm signing command manually:
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm
This works on Fedora 30 but seems to fail on any Fedora after that:
/tmp/tmp.tLVWwh66sH/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: /home/daviddavis/Projects/pulp-fixtures/common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
make: *** [Makefile:444: fixtures/rpm-signed] Error 123
Related issues
History
#1
Updated by daviddavis 2 months ago
I also tried to generate a new 4096 bit key and sign the file:
gpg --full-generate-key
gpg --output common/GPG-PRIVATE-KEY-pulp-qe --armor --export-secret-key pulp-dev@redhat.com
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm
Which outputs the same error:
rpm/assets/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
#2
Updated by daviddavis 2 months ago
- Description updated (diff)
#3
Updated by daviddavis 2 months ago
- Description updated (diff)
#4
Updated by daviddavis 2 months ago
- Related to Issue #7675: Seeing signing errors in CI builds of pulp-fixtures added
#5
Updated by ipanova@redhat.com 2 months ago
I would not know how to sign a package with gpg without importing the key to the keyring. We could (1) manage another keyring by creating a new keyring file in the temp dir and import the key there or (2) just import the key, sign and delete it.
I have read the rpm-sign manpage and from what I have understood, it provides package signing as well as package file signing. Package file signing happens only with the RSA key, and that's the option fskpath, which I think we are misusing.
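Option (1) from the comment above, as an added example that is not part of the original issue or the pulp-fixtures Makefile: a pre-flight check on the key file's armor line, followed by a package signature made from a keyring that exists only in a temp dir. It assumes the fixture needs only the GPG package signature (no --signfiles/--fskpath) and that the key has no passphrase; the function names key_kind and sign_with_temp_keyring are hypothetical.

```shell
# Added example: function names are hypothetical, not from pulp-fixtures.

# Classify a key file by its first armor line, without touching any keyring.
# An OpenPGP export (gpg --armor --export-secret-key) and an OpenSSL PEM key
# are both ASCII-armored, but they are different formats.
key_kind() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN PGP PRIVATE KEY BLOCK-----")
            echo openpgp ;;
        "-----BEGIN RSA PRIVATE KEY-----" | \
        "-----BEGIN PRIVATE KEY-----" | \
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pem ;;
        *)
            echo unknown ;;
    esac
}

# Import the key into a throwaway keyring, sign, then delete the keyring.
# The body is a subshell, so GNUPGHOME and the trap never leak to the caller.
# Assumption: the key is not passphrase-protected (otherwise gpg will prompt).
sign_with_temp_keyring() (
    key=$1
    name=$2
    shift 2
    if [ "$(key_kind "$key")" != openpgp ]; then
        echo "refusing: $key is not an armored OpenPGP secret key" >&2
        exit 2
    fi
    GNUPGHOME=$(mktemp -d) || exit 1   # mktemp -d creates the dir mode 0700
    export GNUPGHOME                   # inherited by gpg and by rpmsign's gpg child
    # Runs on every exit path: stop the agent started for this homedir
    # and remove the imported secret key material.
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$key" || exit 1
    rpmsign --define "_gpg_name $name" --addsign "$@"
)

# Usage with the paths from this issue:
#   sign_with_temp_keyring common/GPG-PRIVATE-KEY-pulp-qe 'Pulp QE' \
#       rpm/assets/bear-4.1-1.noarch.rpm
```

The user's default keyring is never modified, and a key file in the wrong format is rejected with exit status 2 before gpg or rpmsign runs.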
#6
Updated by dalley about 2 months ago
- Triaged changed from No to Yes