Bug 1212416 - Client RPMs in EL5 channel have a broken/unrecognized signature: BAD
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 2.3
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space27
Reported: 2015-04-16 11:26 UTC by Peter Bieringer
Modified: 2017-09-28 18:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-21 18:21:07 UTC
Embargoed:



Description Peter Bieringer 2015-04-16 11:26:15 UTC
Description of problem:
new published client RPMs can't be installed on EL5 system because of broken signature

Version-Release number of selected component (if applicable):
osad-5.11.57-1.el5.noarch.rpm
(and others)

How reproducible:
always

Steps to Reproduce:
1. download //spacewalk.redhat.com/yum/2.3-client/RHEL/5/i386/osad-5.11.57-1.el5.noarch.rpm
2. try to install

Actual results:
# rpm -Uhv --test /tmp/osad-5.11.57-1.el5.noarch.rpm
error: /tmp/osad-5.11.57-1.el5.noarch.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 066e5810
error: /tmp/osad-5.11.57-1.el5.noarch.rpm cannot be installed


Expected results:
Working install


Additional info:

something changed in the signature:

osad-5.11.33-1.el5.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 863a853d
osad-5.11.43-1.el5.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 863a853d

osad-5.11.57-1.el5.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 066e5810
-> has RSA instead of DSA and also the new Spacewalk key

was MD5 selected during signing packets for EL5 channels?
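
The comparison made in the report above (signature version, algorithm and key ID changing between osad releases) can be automated as a check before packages are published to a channel. This is an added example, not part of the original report or of Spacewalk's tooling; the function names are hypothetical and the input is the set of rpm signature lines quoted in the report.

```python
import re
from typing import NamedTuple, Optional

# Matches the signature description rpm prints, in both forms seen in the report:
#   "<file>.rpm: Header V4 RSA/SHA1 Signature, key ID 066e5810"
#   "error: <file>.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 066e5810"
SIG_RE = re.compile(
    r"(?P<pkg>[^\s:]+\.rpm): Header V(?P<ver>\d+) (?P<pubkey>\w+)/(?P<digest>\w+) "
    r"[Ss]ignature(?:: (?P<status>\w+))?, key ID (?P<keyid>[0-9a-fA-F]+)"
)

class Sig(NamedTuple):
    pkg: str
    version: int           # OpenPGP signature packet version (3 or 4)
    pubkey: str            # public-key algorithm, e.g. DSA or RSA
    digest: str            # hash algorithm, e.g. SHA1
    keyid: str             # short key ID as printed by rpm
    status: Optional[str]  # "BAD" when rpm reported a failed check, else None

def parse_sig(line: str) -> Optional[Sig]:
    """Parse one rpm signature line; return None for unrelated lines."""
    m = SIG_RE.search(line)
    if not m:
        return None
    return Sig(m["pkg"], int(m["ver"]), m["pubkey"], m["digest"],
               m["keyid"].lower(), m["status"])

def drift(baseline: Sig, candidate: Sig) -> list:
    """Names of the signature attributes that differ from the baseline."""
    return [f for f in ("version", "pubkey", "digest", "keyid")
            if getattr(baseline, f) != getattr(candidate, f)]

def audit(lines) -> dict:
    """Compare each release with the one before it; map package -> changed fields."""
    sigs = [s for s in map(parse_sig, lines) if s]
    return {cur.pkg: drift(prev, cur)
            for prev, cur in zip(sigs, sigs[1:]) if drift(prev, cur)}

# Signature lines copied from the report above, oldest release first.
REPORT_LINES = [
    "osad-5.11.33-1.el5.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 863a853d",
    "osad-5.11.43-1.el5.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID 863a853d",
    "osad-5.11.57-1.el5.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 066e5810",
]

if __name__ == "__main__":
    for pkg, changed in audit(REPORT_LINES).items():
        print(f"{pkg}: signature changed in {', '.join(changed)}")
```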

Comment 1 Grant Gainey 2015-04-17 13:34:54 UTC
Well...ugh. The -2016 (v4, RSA) signing key is not compatible with RHEL5 GPG.

We will fix this by creating a new (RHEL5-compatible) key and re-signing the RHEL5-client-repos. Will update the BZ when that's done.

Comment 2 Grant Gainey 2015-04-17 14:01:09 UTC
[NB: replace "-2016" in c#1 with "-2014"]

As a (very temporary) workaround, you can specify

yum --nogpgcheck 

or set

gpgcheck=0

in /etc/yum.repos.d/spacewalk-client.repo. 

Using rpm, specify --nosignature.

Comment 3 Peter Bieringer 2015-04-18 05:43:04 UTC
Try this in your .rpmmacros:

%__gpg_sign_cmd                 %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 --force-v3-sigs --no-secmem-warning \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

Comment 4 Grant Gainey 2015-04-21 18:21:07 UTC
Thanks - we ended up generating a new RPM-GPG-KEY, the 2048/RSA of 2014 was (part of) the problem. (In addition, I ended up with .rpmmacros almost exactly the same as you mention before seeing your comment; clearly we were on the same track :) )

SPACEWALK-2.3 RHEL5 client-pieces have been signed with the new RHEL5-compatible key, and should work for you now.

You will want to install the new version of the spacewalk-client-repo.rpm:

# rpm -Uvh http://yum.spacewalkproject.org/2.3-client/RHEL/5/x86_64/spacewalk-client-repo-2.3-3.el5.noarch.rpm

Or, you may import the new public-key directly:

# wget http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2015
# rpm --import RPM-GPG-KEY-spacewalk-2015

Thanks for the catch!

Comment 5 Eric Herget 2017-09-28 18:08:59 UTC
This BZ closed some time during 2.5, 2.6 or 2.7.  Adding to 2.7 tracking bug.

