Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1212416

Summary: Client RPMs in EL5 channel have a broken/unrecognized signature: BAD
Product: [Community] Spacewalk Reporter: Peter Bieringer <pb>
Component: ClientsAssignee: Grant Gainey <ggainey>
Status: CLOSED CURRENTRELEASE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.3CC: ggainey
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-21 18:21:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1484117    

Description Peter Bieringer 2015-04-16 11:26:15 UTC 
Description of problem:
new published client RPMs can't be installed on EL5 system because of broken signature

Version-Release number of selected component (if applicable):
osad-5.11.57-1.el5.noarch.rpm
(and others)

How reproducible:
always

Steps to Reproduce:
1. download //spacewalk.redhat.com/yum/2.3-client/RHEL/5/i386/osad-5.11.57-1.el5.noarch.rpm
2. try to install

Actual results:
# rpm -Uhv --test /tmp/osad-5.11.57-1.el5.noarch.rpm
error: /tmp/osad-5.11.57-1.el5.noarch.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 066e5810
error: /tmp/osad-5.11.57-1.el5.noarch.rpm cannot be installed


Expected results:
Working install


Additional info:

something changed in the the signature:

osad-5.11.33-1.el5.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 863a853d
osad-5.11.43-1.el5.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 863a853d

osad-5.11.57-1.el5.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 066e5810
-> has RSA instead of DSA and also the new Spacewalk key

was MD5 selected during signing packets for EL5 channels?
Comment 1 Grant Gainey 2015-04-17 13:34:54 UTC 
Well...ugh. The -2016 (v4, RSA) signing key is not compatible with RHEL5 GPG.

We will fix this by creating a new (RHEL5-compatible) key and re-signing the RHEL5-client-repos. Will update the BZ when that's done.
Comment 2 Grant Gainey 2015-04-17 14:01:09 UTC 
[NB: replace "-2016" in c#1 with "-2014"]

As a (very temporary) workaround, you can specify

yum --nogpgcheck 

or set

gpgcheck=0

in /etc/yum.repos.d/spacewalk-client.repo. 

Using rpm, specify --nosignature.
Comment 3 Peter Bieringer 2015-04-18 05:43:04 UTC 
Try this in your .rpmmacros:

%__gpg_sign_cmd                 %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 --force-v3-sigs --no-secmem-warning \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
Comment 4 Grant Gainey 2015-04-21 18:21:07 UTC 
Thanks - we ended up generating a new RPM-GPG-KEY, the 2048/RSA of 2014 was (part of) the problem. (In addition, I ended up with .rpmmacros almost exactly the same as you mention before seeing your comment; clearly we were on the same track :) )

SPACEWALK-2.3 RHEL5 client-pieces have been signed with the new RHEL5-compatible key, and should work for you now.

You will want to install the new version of the spacewalk-client-repo.rpm:

# rpm -Uvh http://yum.spacewalkproject.org/2.3-client/RHEL/5/x86_64/spacewalk-client-repo-2.3-3.el5.noarch.rpm

Or, you may import the new public-key directly:

# wget http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2015
# rpm --import RPM-GPG-KEY-spacewalk-2015

Thanks for the catch!
Comment 5 Eric Herget 2017-09-28 18:08:59 UTC 
This BZ closed some time during 2.5, 2.6 or 2.7.  Adding to 2.7 tracking bug.