Issue #8016
closed
Signed rpm fixtures can't be generated on Fedora 31+
Description
Ticket moved to GitHub: pulp/pulp_rpm/2262 (https://github.com/pulp/pulp_rpm/issues/2262)
Steps to reproduce
- Check out the pulp-fixtures repo
- Install dependencies (sudo dnf install -y createrepo gpg make rpm-build rpm-sign)
- Run make fixtures/rpm-signed
You can also try running the rpm signing command manually:
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm
This works on Fedora 30 but seems to fail on any Fedora after that:
/tmp/tmp.tLVWwh66sH/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: /home/daviddavis/Projects/pulp-fixtures/common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
make: *** [Makefile:444: fixtures/rpm-signed] Error 123
Updated by daviddavis over 2 years ago
I also tried to generate a new 4096-bit key and sign the file:
gpg --full-generate-key
gpg --output common/GPG-PRIVATE-KEY-pulp-qe --armor --export-secret-key pulp-dev@redhat.com
rpmsign --define '_gpg_name Pulp QE' --addsign --fskpath common/GPG-PRIVATE-KEY-pulp-qe --signfiles rpm/assets/bear-4.1-1.noarch.rpm
Which outputs the same error:
rpm/assets/bear-4.1-1.noarch.rpm:
hash(sha1): 5938462bfd4a5d750e0851f5b82f3ade
Failed to PEM_read_PrivateKey key file: common/GPG-PRIVATE-KEY-pulp-qe
openssl: error:0908F066:PEM routines:get_header_and_data:bad end line
error: sign_hash failed
error: signFile failed
Updated by daviddavis over 2 years ago
- Related to Issue #7675: Seeing signing errors in CI builds of pulp-fixtures added
Updated by ipanova@redhat.com about 2 years ago
I would not know how to sign a package with gpg without importing the key to the keyring. We could (1) manage another keyring by creating a new keyring file in the temp dir and import the key there or (2) just import the key, sign and delete it.
I have read the rpm-sign manpage and from what I have understood, it provides package signing as well as package file signing. Package file signing happens only with the RSA key and that's the option fskpath, which I think we are misusing.
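Option (1) from the comment above, as an added example that is not part of the issue or of pulp-fixtures: check the key file's armor header first, then sign through a throwaway keyring. The error output shows OpenSSL's PEM reader parsing the `--fskpath` file, whereas `gpg --armor --export-secret-key` writes an OpenPGP block. The function names `key_kind` and `sign_with_temp_keyring` are hypothetical, and the code assumes gpg 2.1 or later, rpmsign, and a fixture key without a passphrase.

```shell
#!/usr/bin/env bash
# Added example; key_kind and sign_with_temp_keyring are hypothetical names.
# Assumes gpg >= 2.1, rpmsign, and a fixture key without a passphrase.

# key_kind FILE: print "openpgp", "pem" or "unknown" from the first armor header.
key_kind() {
    local first
    first=$(grep -m1 -e '^-----BEGIN ' -- "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$first" in
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo openpgp ;;  # gpg --armor --export-secret-key
        '-----BEGIN '*'PRIVATE KEY-----')         echo pem ;;      # PEM-labelled private key
        *)                                        echo unknown ;;
    esac
}

# sign_with_temp_keyring KEYFILE GPG_NAME RPM...
# Import KEYFILE into a throwaway GNUPGHOME, add a package signature, clean up.
sign_with_temp_keyring() {
    local keyfile="$1" name="$2" home rc=0
    shift 2
    if [ "$(key_kind "$keyfile")" != openpgp ]; then
        echo "refusing: $keyfile is not an armored OpenPGP secret key" >&2
        return 2
    fi
    home=$(mktemp -d) || return 1   # mktemp -d creates the directory with mode 0700
    GNUPGHOME="$home" gpg --batch --quiet --import "$keyfile" &&
        GNUPGHOME="$home" rpmsign --define "_gpg_name $name" --addsign "$@" || rc=$?
    # Stop the agent gpg started for this homedir, then delete the key material.
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf -- "$home"
    return "$rc"
}

# Usage with the paths from the issue:
#   sign_with_temp_keyring common/GPG-PRIVATE-KEY-pulp-qe 'Pulp QE' \
#       rpm/assets/bear-4.1-1.noarch.rpm
```

The caller's own `~/.gnupg` is never touched, so the fixture key does not persist on the build host after the run.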
Updated by pulpbot over 1 year ago
- Description updated (diff)
- Status changed from NEW to CLOSED - DUPLICATE