I'm not so sure but rpm is probably not able to pgp-sign with pgp 5.0. Following message is what I did and got:
----------------------------------------------------------
rpm -vv --resign netatalk-1.4b2+asun2.1.3-3.i386.rpm
Enter pass phrase:
PGP is now invoked from different executables for different operations:
pgpe Encrypt (including Encrypt/Sign)
pgps Sign
pgpv Verify/Decrypt
pgpk Key management
pgpo PGP 2.6.2 command-line simulator (not yet implemented)
See each application's respective man page or the general PGP documentation for more information.
Pass phrase check failed
----------------------------------------------------------
I think this means rpm runs 'pgp' not 'pgps'... (I introduced pgp-5.0i-1.i386.rpm from http://www.pgpi.com/.)
PGP 5.0 has been added to rpm-3.0, but there is yet to be a single signed package distributed with PGP 5.0. For backward compatibility with older rpm's without support for PGP 5.0, you should probably sign packages with pgp-2.6.3 from ftp.replay.com. That's what we use to sign packages at Red Hat ... Meanwhile, thanks for the bug report.
I believe this problem occurs when both pgp2.6.3 and pgp5 are installed. In that case, pgp5 rather than pgp2.6.3 was preferred. I've modified the behavior of rpm to prefer pgp2.6.3 over pgp5 in rpm-3.0.1-5. Meanwhile, the original bug report claimed that the wrong executable would be invoked for pgp5. That is not the case.