Created attachment 1082228
pertinent portion of strace -f rpm --resign, conversation with gpg agent

Description of problem:
Fully updated Fedora 22 installation, rpm --resign fails:
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key

Version-Release number of selected component (if applicable):
4.12.0.1-12

How reproducible:
every time

Steps to Reproduce:
Follow one of many tutorials on rpm signing, http://fedoranews.org/tchung/gpg/ for example
1. Create gpg key
2. Add gpg id to .rpmmacros
3. run rpm --resign <rpm>

Actual results:
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key

Expected results:
Passphrase requested

Additional info:
Works fine on Centos 7 using the same commands that fail on F22:
sudo yum install rpm-sign
gpg --import GPG-KEY.private
echo "%_signature gpg
%_gpg_name 946C0054" >>.rpmmacros
rpm --resign <package>

Output of gpg commands:
$ gpg --list-secret-keys
/home/xxx/.gnupg/secring.gpg
---------------------------------
sec   2048R/946C0054 2015-10-12
uid                  XXX
ssb   2048R/2FE62301 2015-10-12

$ gpg --list-keys
/home/xxx/.gnupg/pubring.gpg
---------------------------------
pub   2048R/946C0054 2015-10-12
uid                  XXX
sub   2048R/2FE62301 2015-10-12
Is output of "gpg --list-secret-keys" from fedora or centos? Are you able to sign something using that key ("946C0054") directly with gpg? You can try that by executing the following commands:
$ touch foo
$ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
Bugzilla didn't post my comment from last week: I'm running rpm --resign to sign an rpm. The output from gpg --list-secret-keys is identical between fedora 22 and centos 7.
No, gpg2 does not work. gpg does:
$ touch foo
$ gpg2 --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
gpg: skipped "946C0054": No secret key
gpg: signing failed: No secret key
$ gpg --no-verbose --no-armor --no-secmem-warning -u 946C0054 -sbo foo.sig foo
You need a passphrase to unlock the secret key for
user: "xxxx"
2048-bit RSA key, ID 946C0054, created 2015-10-12
$ ls foo*
foo  foo.sig
$ ls -l foo*
-rw-rw-r--. 1 xxx xxx   0 Oct 23 12:47 foo
-rw-rw-r--. 1 xxx xxx 287 Oct 23 12:47 foo.sig
OK, so gpg --import is not sufficient for the new rpm, we need gpg2 --import. Clue:
$ gpg2 --list-secret-keys
$
The gpg --import worked for the public key:
$ gpg2 --list-keys
/home/xxx/.gnupg/pubring.gpg
---------------------------------
pub   rsa2048/946C0054 2015-10-12
uid         [ unknown] xxx
sub   rsa2048/2FE62301 2015-10-12
$
but the private key import using gpg version 1 didn't put the key somewhere that gpg2 and the new rpm could find it. After a gpg2 --import, rpm --resign worked as expected. Closing.
Interesting, because I was able to import a key with gpg and then sign something with gpg2, and during the first run of gpg2 I saw a message about importing keys from gpg. So you can try to file a bug against gpg2.
Same problem here. A gpg --export-secret-key followed by gpg2 --import fixed my issue, even though I tried to tell .rpmmacros to use /usr/bin/gpg and not /usr/bin/gpg2.
> After a gpg2 --import, rpm --resign worked as expected. same here, thanks for the tip
I just ran into this issue today, so obviously not fixed. Installed a fresh F27, restored ~/.gnupg from backup and rpm signing fails. The 'gpg --export-secret-key gpg2 --import' workaround worked for me, but I don't like having to remember esoteric fixes. Please let me know what info you need to troubleshoot, thanks.
AFAICS this is not an rpm issue, it's a gnupg 1.x vs 2.x migration issue. If you restore ~/.gnupg from backup again, try signing something with 'gpg2' directly. I expect it to fail and require the same workaround.
...yup, see https://gnupg.org/faq/whats-new-in-2.1.html#nosecring and the same issue coming up with just gpg2 with a good explanation eg here: https://superuser.com/questions/1112673/gpg2-no-secret-key In other words, not a bug (at least in rpm) but a gnupg feature.
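As an added example (not code from this bug report, from rpm or from GnuPG), here is a small POSIX sh pre-flight check that encodes the diagnosis the thread ends on: rpm --resign passes the %_gpg_name id from .rpmmacros to gpg2, and gpg2 (2.1+) only sees secret keys that have been migrated into private-keys-v1.d, not ones that exist solely in the legacy secring.gpg keyring. The file and directory names come from the GnuPG 2.1 "What's new" FAQ linked above; the function names and the sample directories used to exercise it are my own, constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report, rpm or GnuPG.
# Pre-flight check for rpm --resign on a GnuPG 2.1+ host: read the key id rpm
# will hand to gpg from a macros file, then inspect a GnuPG home directory for
# the 1.x/2.1 split: a secret key present only in secring.gpg is invisible to
# gpg2, which reads secret keys from private-keys-v1.d (one <keygrip>.key each).

# Print the %_gpg_name value from a macros file (the id rpm passes as gpg -u).
rpm_gpg_name() {
    sed -n 's/^%_gpg_name[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

# Return 0 if DIR has a legacy secring.gpg but no migrated secret keys.
needs_secring_migration() {
    dir="$1"
    [ -s "$dir/secring.gpg" ] || return 1     # no legacy keyring: nothing to migrate
    # after "gpg2 --import" each secret key lives as <keygrip>.key in private-keys-v1.d
    if [ -d "$dir/private-keys-v1.d" ] && [ -n "$(ls -A "$dir/private-keys-v1.d")" ]; then
        return 1
    fi
    return 0
}

# Report what rpm --resign would run into with this setup.
# Exit status: 0 = store looks migrated, 1 = legacy-only secret key, 2 = no key id configured.
check_rpm_signing_setup() {
    macros="$1"
    gnupghome="$2"
    keyid=$(rpm_gpg_name "$macros")
    if [ -z "$keyid" ]; then
        echo "no %_gpg_name in $macros: rpm would not know which key to sign with"
        return 2
    fi
    if needs_secring_migration "$gnupghome"; then
        echo "key $keyid exists only in $gnupghome/secring.gpg; gpg2 will report 'No secret key'"
        echo "fix: gpg --homedir $gnupghome --export-secret-keys $keyid | gpg2 --homedir $gnupghome --import"
        return 1
    fi
    echo "key $keyid: secret key store looks migrated for gpg2"
    return 0
}

# Usage on a real host: check_rpm_signing_setup ~/.rpmmacros ~/.gnupg
```

The check only looks at the directory layout, so it cannot tell whether the specific key id was migrated; after importing, `gpg2 --list-secret-keys` remains the authoritative confirmation before running rpm --resign.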