Bug 1271050 - failure to sign rpm with "No secret key" error
Product: Fedora
Classification: Fedora
Component: rpm
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Assigned To: packaging-team-maint
QA Contact: Fedora Extras Quality Assurance
Status: Reopened
Reported: 2015-10-12 23:53 EDT by agilmore2
Modified: 2017-12-18 02:57 EST
Doc Type: Bug Fix
Last Closed: 2017-12-18 02:57:42 EST
Type: Bug

Attachments:
pertinent portion of strace -f rpm --resign, conversation with gpg agent (3.45 KB, text/plain), 2015-10-12 23:53 EDT, agilmore2

Description agilmore2 2015-10-12 23:53:53 EDT
Created attachment 1082228
pertinent portion of strace -f rpm --resign, conversation with gpg agent

Description of problem:
Fully updated Fedora 22 installation
rpm --resign fails:
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
Follow one of many tutorials on rpm signing, http://fedoranews.org/tchung/gpg/ for example
1. Create gpg key
2. Add gpg id to .rpmmacros
3. run rpm --resign <rpm>

Actual results:
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key

Expected results:
Passphrase requested

Additional info:

Works fine on CentOS 7 using the same commands that fail on F22:
sudo yum install rpm-sign
gpg --import GPG-KEY.private
echo "%_signature gpg
%_gpg_name 946C0054" >>.rpmmacros
rpm --resign <package>

Output of gpg commands:
$  gpg --list-secret-keys
sec   2048R/946C0054 2015-10-12
uid                  XXX
ssb   2048R/2FE62301 2015-10-12

$  gpg --list-keys
pub   2048R/946C0054 2015-10-12
uid                  XXX
sub   2048R/2FE62301 2015-10-12
Comment 1 Ľuboš Kardoš 2015-10-15 07:26:56 EDT
Is the output of "gpg --list-secret-keys" from Fedora or CentOS? Are you able to sign something using that key ("946C0054") directly with gpg? You can try that by executing the following commands:

$ touch foo
$ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
Comment 2 agilmore2 2015-10-23 14:43:29 EDT
Bugzilla didn't post my comment from last week:

I'm running rpm --resign to sign an rpm.

The output from gpg --list-secret-keys is identical between fedora 22 and centos 7.
Comment 3 agilmore2 2015-10-23 14:48:40 EDT
No, gpg2 does not work.

gpg does:

$ touch foo
$ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key
$ gpg --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo

You need a passphrase to unlock the secret key for
user: "xxxx"
2048-bit RSA key, ID 946C0054, created 2015-10-12

$ ls foo*
foo  foo.sig
$ ls -l foo*
-rw-rw-r--. 1 xxx xxx   0 Oct 23 12:47 foo
-rw-rw-r--. 1 xxx xxx 287 Oct 23 12:47 foo.sig
Comment 4 agilmore2 2015-10-23 14:56:39 EDT
OK, so gpg --import is not sufficient for the new rpm; we need gpg2 --import.

$ gpg2 --list-secret-keys

The gpg --import worked for the public key:
$ gpg2 --list-keys
pub   rsa2048/946C0054 2015-10-12
uid         [ unknown] xxx
sub   rsa2048/2FE62301 2015-10-12


but the private key import using gpg version 1 didn't put the key somewhere that gpg2 and the new rpm could find it.

After a gpg2 --import, rpm --resign worked as expected.

Comment 5 Ľuboš Kardoš 2015-10-26 05:04:26 EDT
Interesting because I was able to import key with gpg and then sign something with gpg2 and during the first run of gpg2 I saw a message about importing keys from gpg. So you can try to file a bug against gpg2.
Comment 6 Paul Wouters 2015-12-20 17:06:54 EST
Same problem here. A gpg --export-secret-key followed by gpg2 --import fixed my issue, even though I tried to tell .rpmmacros to use /usr/bin/gpg and not /usr/bin/gpg2.
Comment 7 Sergio Monteiro Basto 2016-05-21 03:10:43 EDT
> After a gpg2 --import, rpm --resign worked as expected.

same here, thanks for the tip
Comment 8 Morgan Weetman 2017-12-18 02:09:02 EST
I just ran into this issue today, so obviously not fixed. 

Installed a fresh F27, restored ~/.gnupg from backup and rpm signing fails.

The 'gpg --export-secret-key | gpg2 --import' workaround worked for me, but I don't like having to remember esoteric fixes.

Please let me know what info you need to troubleshoot

Comment 9 Panu Matilainen 2017-12-18 02:50:15 EST
AFAICS this is not an rpm issue; it's a gnupg 1.x vs 2.x migration issue.

If you restore ~/.gnupg from backup again, try signing something with 'gpg2' directly. I expect it to fail and require the same workaround.
Comment 10 Panu Matilainen 2017-12-18 02:57:42 EST
...yup, see https://gnupg.org/faq/whats-new-in-2.1.html#nosecring and the same issue coming up with just gpg2, with a good explanation e.g. here: https://superuser.com/questions/1112673/gpg2-no-secret-key

In other words, not a bug (at least in rpm) but a gnupg feature.
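A preflight script for the migration discussed in this thread, added here as an example and not code from the bug report, from rpm or from GnuPG. It checks gpg2's machine-readable listing for whether the key named in %_gpg_name is a usable secret key, applies the export/import workaround from Comments 4 and 6 when the key exists only in the GnuPG 1.x secring.gpg, runs the same direct gpg2 test signature as Comment 1, and then does rpm --resign followed by rpm --checksig. The key ID 946C0054 is the one from the thread; the RPM_SIGN_RUN guard, the package argument, the temporary file names and the constructed listing lines in the comments are assumptions of the example.

```shell
#!/bin/sh
# Added example; not part of the bug report, rpm or GnuPG.
# Preflight for rpm signing on a GnuPG 2.1+ host: confirm the key named in
# %_gpg_name is visible to gpg2 (which rpm calls), migrate it from the
# GnuPG 1.x secring.gpg if it is not, then sign and verify a package.
# Assumed (not from the page): the RPM_SIGN_RUN guard and the package argument.

KEYID="${KEYID:-946C0054}"   # key ID from the thread

# has_secret_key KEYID
# Reads 'gpg --list-secret-keys --with-colons' output on stdin and succeeds
# when KEYID is a usable secret key. --with-colons is the stable machine
# format: field 1 is the record type, field 5 the 16-hex-digit key ID, and in
# GnuPG 2.1+ field 15 is '#' when only a stub without secret material exists.
# The human-readable listing changed between 1.x ("2048R/946C0054") and
# 2.1 ("rsa2048/946C0054"), so it is not grepped here.
has_secret_key() {
    [ ${#1} -ge 8 ] || return 2                    # short (8) or long (16) ID
    case "$1" in *[!0-9A-Fa-f]*) return 2 ;; esac  # hex only
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want) }
        ($1 == "sec" || $1 == "ssb") && $15 != "#" {
            id = toupper($5)
            if (substr(id, length(id) - length(want) + 1) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# migrate_secret_key KEYID
# The workaround from the thread: GnuPG 2.1 stopped reading secring.gpg, so a
# key imported with gpg 1.x lives only there. Export it with the old binary
# and import it into the agent-managed store that gpg2 (and thus rpm) uses.
# gpg2 asks for the passphrase through pinentry while converting the key.
migrate_secret_key() {
    gpg --export-secret-keys "$1" | gpg2 --import
}

# sign_and_verify KEYID PACKAGE
# First the detached test signature from Comment 1 (what rpm runs under the
# hood), then the rpm signature itself. On rpm 4.14 and later the --resign
# option lives in the separate rpmsign binary.
sign_and_verify() {
    keyid="$1" pkg="$2"
    tmp=$(mktemp)
    gpg2 --no-armor -u "$keyid" -sbo "$tmp.sig" "$tmp" || return 1
    rm -f "$tmp" "$tmp.sig"
    # .rpmmacros must name the key; append the two lines only if absent.
    grep -q '^%_gpg_name' "$HOME/.rpmmacros" 2>/dev/null ||
        printf '%%_signature gpg\n%%_gpg_name %s\n' "$keyid" >> "$HOME/.rpmmacros"
    rpm --resign "$pkg" || return 1
    # --checksig reports NOKEY unless the public key is in the rpm database;
    # importing there needs write access, so only do it as root.
    if [ "$(id -u)" -eq 0 ]; then
        gpg2 --export --armor "$keyid" > "$tmp.pub" && rpm --import "$tmp.pub"
        rm -f "$tmp.pub"
    fi
    rpm --checksig "$pkg"
}

main() {
    pkg="$1"
    if gpg2 --list-secret-keys --with-colons 2>/dev/null | has_secret_key "$KEYID"; then
        echo "gpg2 already has secret key $KEYID"
    elif gpg --list-secret-keys --with-colons 2>/dev/null | has_secret_key "$KEYID"; then
        echo "secret key $KEYID only in GnuPG 1.x secring.gpg; migrating"
        migrate_secret_key "$KEYID" || return 1
    else
        echo "secret key $KEYID not found by gpg or gpg2" >&2
        return 1
    fi
    sign_and_verify "$KEYID" "$pkg"
}

# Run only when invoked explicitly, so the file can also be sourced for its functions.
if [ "${RPM_SIGN_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Invoke as RPM_SIGN_RUN=1 sh preflight.sh package.rpm. The colon-format check is what Comment 9's "try signing with gpg2 directly" reduces to without a pinentry round trip, and the '#' test in field 15 catches the partial-import case where a key still shows up under sec but holds no secret material and therefore cannot sign.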
