Issue #8016

Signed rpm fixtures can't be generated on Fedora 31+

Added by daviddavis 2 months ago. Updated about 2 months ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

Steps to reproduce

  1. Checkout the pulp-fixtures repo
  2. Install dependencies (sudo dnf install -y createrepo gpg make rpm-build rpm-sign)
  3. Run make fixtures/rpm-signed

You can also try running the rpm signing command manually:

rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm

This works on Fedora 30 but seems to fail on any Fedora after that:

/tmp/tmp.tLVWwh66sH/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: /home/daviddavis/Projects/pulp-fixtures/common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
make: *** [Makefile:444: fixtures/rpm-signed] Error 123

Related issues

Related to Pulp - Issue #7675: Seeing signing errors in CI builds of pulp-fixtures (CLOSED - WONTFIX)

History

#1 Updated by daviddavis 2 months ago

I also tried to generate a new 4096 bit key and sign the file:

gpg --full-generate-key
gpg --output common/GPG-PRIVATE-KEY-pulp-qe --armor --export-secret-key pulp-dev@redhat.com
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm

Which outputs the same error:

rpm/assets/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed

#2 Updated by daviddavis 2 months ago

  • Description updated (diff)

#3 Updated by daviddavis 2 months ago

  • Description updated (diff)

#4 Updated by daviddavis 2 months ago

  • Related to Issue #7675: Seeing signing errors in CI builds of pulp-fixtures added

#5 Updated by ipanova@redhat.com 2 months ago

I would not know how to sign a package with gpg without importing the key to the keyring. We could (1) manage another keyring by creating a new keyring file in the temp dir and import the key there or (2) just import the key, sign and delete it.

I have read the rpm-sign manpage and from what I have understood, it provides package signing as well as package file signing. Package file signing happens only with the RSA key and that's the fskpath option, which I think we are misusing.
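
Following option (1) in the comment above, an added example (not code from pulp-fixtures or from the reporter) that checks which kind of key a file holds before it is handed to rpmsign, and signs packages through a throw-away keyring instead of the user's own. It assumes, from the openssl PEM error and the manpage reading above, that --fskpath expects a PEM RSA key while --addsign uses the GPG keyring; the function names and file names are the example's own.

```shell
#!/bin/sh
# Added example, not pulp-fixtures code. Tells a PGP-armored key (what the
# keyring-based --addsign path uses) apart from a PEM RSA key (what the
# --fskpath/--signfiles file-signing path expects; assumption drawn from the
# openssl "PEM routines" error and the rpm-sign manpage reading above).

key_kind() {
  # Print pgp, pem or unknown, judged from the first "-----BEGIN" line.
  first=$(grep -- '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
  case "$first" in
    '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo pgp ;;
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----') echo pem ;;
    *) echo unknown ;;
  esac
}

check_fskpath_key() {
  # Fail before rpmsign does, with a clearer message than "bad end line".
  kind=$(key_kind "$1")
  if [ "$kind" != pem ]; then
    echo "refusing --fskpath $1: expected a PEM RSA key, found $kind" >&2
    return 1
  fi
}

sign_with_temp_keyring() {
  # Package signing with an armored GPG key, option (1) above: import into
  # a throw-away keyring, sign, then discard it. $1 = armored private key,
  # $2 = value for _gpg_name, $3.. = rpm files.
  key=$1; name=$2; shift 2
  [ "$(key_kind "$key")" = pgp ] || { echo "$key: not a PGP key" >&2; return 1; }
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  if ! gpg --batch --quiet --import "$key"; then rm -rf "$GNUPGHOME"; return 1; fi
  # No --fskpath/--signfiles: that pair is the file-signing (IMA) path.
  if rpmsign --define "_gpg_name $name" --addsign "$@"; then rc=0; else rc=$?; fi
  rm -rf "$GNUPGHOME"; unset GNUPGHOME
  return $rc
}

# Usage, e.g. ./sign.sh common/GPG-PRIVATE-KEY-pulp-qe 'Pulp QE' \
#   rpm/assets/bear-4.1-1.noarch.rpm ; rpm -Kv then lists the new signature.
if [ $# -ge 3 ]; then
  sign_with_temp_keyring "$@" && rpm -Kv "$3"
fi
```

Until the public half of the key is imported into the rpm database, rpm -Kv reports the new signature as NOKEY rather than as invalid.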

#6 Updated by dalley about 2 months ago

  • Triaged changed from No to Yes
