Bug 1271050
| Summary: | failure to sign rpm with "No secret key" error | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | agilmore2 | ||||
| Component: | rpm | Assignee: | Packaging Maintenance Team <packaging-team-maint> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 22 | CC: | agilmore2, jzeleny, lkardos, mweetman, novyjindrich, packaging-team-maint, pknirsch, pmatilai, pwouters, sergio | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-12-18 07:57:42 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
agilmore2
2015-10-13 03:53:53 UTC
Is output of "gpg --list-secret-keys" from fedora or centos? Are you able to sign something using that key ("946C0054") directly with gpg? You can try that by executing following commands:
$ touch foo
$ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
Bugzilla didn't post my comment from last week: I'm running rpm --resign to sign an rpm. The output from gpg --list-secret-keys is identical between fedora 22 and centos 7. No, gpg2 does not work. gpg does: $ touch foo $ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo gpg: skipped "946C0054": No secret key gpg: signing failed: No secret key $ gpg --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo You need a passphrase to unlock the secret key for user: "xxxx" 2048-bit RSA key, ID 946C0054, created 2015-10-12 $ ls foo* foo foo.sig $ ls -l foo* -rw-rw-r--. 1 xxx xxx 0 Oct 23 12:47 foo -rw-rw-r--. 1 xxx xxx 287 Oct 23 12:47 foo.sig OK, so gpg --import is not sufficient for the new rpm, we need gpg2 --import. Clue: $ gpg2 --list-secret-keys $ The gpg --import worked for the public key: $ gpg2 --list-keys /home/xxx/.gnupg/pubring.gpg --------------------------------- pub rsa2048/946C0054 2015-10-12 uid [ unknown] xxx sub rsa2048/2FE62301 2015-10-12 $ but the private key import using gpg version 1 didn't put the key somewhere that gpg2 and the new rpm could find it. After a gpg2 --import, rpm --resign worked as expected. Closing. Interesting because I was able to import key with gpg and then sign something with gpg2 and during the first run of gpg2 I saw a message about importing keys from gpg. So you can try to file a bug against gpg2. Same problem here. a gpg --export-secret-key followed by gpg2 --import fixed by issue. Even though i tried to tell .rpmmacros to use /usr/bin/gpg and not /usr/bin/gpg2 > After a gpg2 --import, rpm --resign worked as expected.
same here, thanks for the tip
I just ran into this issue today, so obviously not fixed. Installed a fresh F27, restored ~/.gunpg from backup and rpm signing fails. The 'gpg --export-secret-key gpg2 --import' workaround worked for me but I don't like having to remember esoteric fixes. Please let me know what info you need to troubleshoot thanks AFAICS this is not an rpm issue, it's a gnupg 1.x vs 2.x migration issue. If you restore ~/.gnupg from backup again, try signing something with 'gpg2' directly. I expect it to fail and require the same workaround. ...yup, see https://gnupg.org/faq/whats-new-in-2.1.html#nosecring and the same issue coming up with just gpg2 with a good explanation eg here: https://superuser.com/questions/1112673/gpg2-no-secret-key In other words, not a bug (at least in rpm) but a gnupg feature. |