Bug 719154

Summary: rpmsign exits (mysteriously) with code 255 when using DSA key
Product: [Fedora] Fedora
Component: rpm
Version: 15
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: BJ Dierkes <derks>
Assignee: Panu Matilainen <pmatilai>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: anton, briemers, ffesti, jnovy, pmatilai
Keywords: Upstream
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-07 20:02:20 UTC

Description BJ Dierkes 2011-07-05 22:12:12 UTC
Description of problem:

When using a DSA GPG key to sign a package in F15, rpmsign exits with code 
255 with no other errors/warnings/output.  The resulting package is also not
signed at all.

$ cat /etc/redhat-release 
Fedora release 15 (Lovelock)


$ rpmsign --version
RPM version 4.9.0


$ gpg --version
gpg (GnuPG) 1.4.11


How reproducible:

Every time


Steps to Reproduce:
1. Create a test GPG key using DSA
2. Add proper macros to ~/.rpmmacros for the key
3. Attempt to sign an rpm package


Actual results:

The package is not signed, no errors are produced, and rpmsign exits with code 255.


Expected results:

The package should be signed.


Additional info:

The following is a full proof of concept.

### GENERATE A TEST KEY

$ gpg --gen-key
# Answers to prompts follow:
#
#   Key type (2) DSA and Elgamal
#   Key size 2048
#   Key is valid for '0' (key does not expire)
#   Real name: John Doe
#   Email address: jdoe
#   Comment: None
#

$ gpg --list-secret-keys
/home/wdierkes/.gnupg/secring.gpg
---------------------------------

sec   2048D/E28D1405 2011-07-05
uid                  John Doe <jdoe>
ssb   2048g/10563A7E 2011-07-05


### EXPORTING HERE FOR FUTURE TESTING WITH SAME KEY

$ gpg --armor --export-secret-key E28D1405


$ gpg --armor --export E28D1405



### ADDED GPG NAME TO RPM MACROS FILE

$ cat ~/.rpmmacros
%_signature gpg
%_gpg_name John Doe <jdoe> 


### VERIFY EXISTING SIG OF A TEST PACKAGE

$ rpm -qip fedora-release-15-1.noarch.rpm | grep Signature
Signature   : RSA/SHA256, Wed 11 May 2011 03:26:54 AM CDT, Key ID b4ebf579069c8460


### REMOVE EXISTING SIG

$ rpmsign --delsign fedora-release-15-1.noarch.rpm 
fedora-release-15-1.noarch.rpm:

$ rpm -qip fedora-release-15-1.noarch.rpm | grep Signature
Signature   : (none)


### ADD OUR SIG

$ rpm --addsign fedora-release-15-1.noarch.rpm 
Enter pass phrase: 
Pass phrase is good.
fedora-release-15-1.noarch.rpm:


### FAIL BOAT - BUT NO ERRORS

$ echo $?
255

$ rpm -qip fedora-release-15-1.noarch.rpm | grep Signature
Signature   : (none)

Comment 1 BJ Dierkes 2011-07-05 22:15:38 UTC
I forgot to note, I also verified successful signing using the same exact steps as above but by selecting 'RSA' when creating the GPG key instead of DSA... in which case the resulting test package *is* signed as expected, verified by looking at the Signature field of 'rpm -qip' of the test package.

Comment 2 Panu Matilainen 2011-07-12 12:35:57 UTC
Right, there's a missing error message or two somewhere, but the underlying problem is that NSS doesn't support "extended DSA" from FIPS 186-3. In more practical terms, it means that rpm doesn't support DSA with > 1024 key sizes, whereas GPG apparently defaults to 2048 bits nowadays.

Here's the NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=475578, doesn't seem to be a whole lot happening on it :-/

In the meanwhile, either limit the DSA key to 1024 bits or use RSA keys.
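
The failure mode in this report (exit code 255, no message, package left unsigned) can be caught in a signing script with a pre-flight key check and a post-flight signature check. The following is an added example, not part of the original comments and not rpm's own code; the function names and the sample key listing (including the placeholder key IDs) are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight and post-flight checks around `rpm --addsign` (added example).

# Constructed sample of `gpg --with-colons --list-secret-keys` output.
# Field 3 = key length, field 4 = algorithm (1 = RSA, 16 = Elgamal, 17 = DSA).
# Key IDs are placeholders, not values from the report.
SAMPLE_KEYS='sec::2048:17:AAAAAAAAAAAAAAAA:2011-07-05::::John Doe <jdoe>:::
ssb::2048:16:BBBBBBBBBBBBBBBB:2011-07-05:::::::
sec::2048:1:CCCCCCCCCCCCCCCC:2011-07-05::::Jane Roe <jroe>:::'

# Print "<keyid> <bits>" for every DSA primary key larger than 1024 bits.
# Reads a colon listing on stdin; exit status is 1 if any such key was found.
oversized_dsa_keys() {
    awk -F: '$1 == "sec" && $4 == 17 && $3 > 1024 { print $5, $3; bad = 1 }
             END { exit bad }'
}

# Succeed only if `rpm -qip` output on stdin carries a real Signature line.
# The report shows "Signature   : (none)" after the silent failure, so the
# header is checked instead of trusting what the signing command printed.
has_signature() {
    awk '/^Signature[ \t]*:/ { found = 1; if ($0 ~ /\(none\)/) none = 1 }
         END { exit !(found && !none) }'
}

# Demo on constructed input: the 2048-bit DSA key is flagged, RSA is not.
printf '%s\n' "$SAMPLE_KEYS" | oversized_dsa_keys ||
    echo "not signing: DSA key larger than 1024 bits" >&2

# Demo on the two Signature lines quoted in the report.
printf 'Signature   : (none)\n' | has_signature ||
    echo "package is unsigned" >&2
```

In a real pipeline the functions would read from `gpg --with-colons --list-secret-keys` and `rpm -qip <package>` respectively, and the script would also check the exit status of the signing command itself.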

Comment 3 Panu Matilainen 2011-10-23 11:43:41 UTC
*** Bug 748116 has been marked as a duplicate of this bug. ***

Comment 4 Panu Matilainen 2011-10-23 11:44:20 UTC
Error message added upstream...

Comment 5 Fedora End Of Life 2012-08-07 20:02:24 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping