Problem Description
-------------------

> 1. Time and date of problem:

Key verification fails at the installation of a package from the VMWare repository.

> 2. System architecture(s):

i686

> 3. Provide a clear and concise problem description as it is understood at the
> time of escalation.

PGP key from the VMWare repository is not verified correctly by RPM when installing a package.

$ rpm --import http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
$ rpm -Kv http://packages.vmware.com/tools/esx/3.5u4/rhel4/i686/vmware-tools-7.4.7-158874.171375.el4.i686.rpm

> Observed behavior:

V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
Header SHA1 digest: OK (4a53b01f1ca7eed4cb984b0407a45605a3a4f2b3)
V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
MD5 digest: OK (9a303bd51496632db5969e31f79ece9f)

> Desired behavior:

Header V3 RSA/SHA1 signature: OK, key ID 66fd4949
Header SHA1 digest: OK (4a53b01f1ca7eed4cb984b0407a45605a3a4f2b3)
V3 RSA/SHA1 signature: OK, key ID 66fd4949
MD5 digest: OK (9a303bd51496632db5969e31f79ece9f)

> 4. Specific action requested of SEG:

Help in the investigation of this issue. Determining whether this should be fixed in RHEL4.

> 5. Is a defect (bug) in the product suspected?

Yes. It seems not to be BZ#493777, the fingerprint on RHEL4 is correct as seen in 'Relevant data found'

> 6. Does a proposed patch exist? yes/no

Maybe related in FC12's `rpm -q --changelog rpm`:

* Thu May 14 2009 Panu Matilainen <pmatilai> - 4.7.0-4
[...]
- fix pgp pubkey signature tag parsing

> 7. What is the impact to the customer when they experience this problem?

"This customer has a large number of RHEL4 systems (~1300) running on VMware ESX 3.5, which are managed by multiple Satellites. We are trying to clean up the environments to avoid bad practices like "up2date --nosig" in %post scripts. Disabling package signatures is not an option in the environment we're working in."

Supporting Information
----------------------

> 1. Other actions already taken in working the problem (tech-list posting, google
> searches, fulltext search, consultation with another engineer, etc.):

Played the scenario under RHEL5 and FC12, the problem does not occur (GPG keys are validated).

> Relevant data found (if any):

$ rpm -qa | grep gpg-pubkey-66fd4949
gpg-pubkey-66fd4949-4803fe57

$ rpm -qi gpg-pubkey-66fd4949-4803fe57
Name        : gpg-pubkey                      Relocations: (not relocatable)
Version     : 66fd4949                        Vendor: (none)
Release     : 4803fe57                        Build Date: Wed 03 Feb 2010 03:35:02 AM EST
Install Date: Wed 03 Feb 2010 03:35:02 AM EST Build Host: localhost
Group       : Public Keys                     Source RPM: (none)
Size        : 0                               License: pubkey
Signature   : (none)
Summary     : gpg(VMware, Inc. -- Linux Packaging Key -- <linux-packages>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.3.3 (beecrypt-3.0.0)

[...]
-----END PGP PUBLIC KEY BLOCK-----

> 2. Attach sosreport.

See attachment.

> 3. Attach other supporting data (if any).

None needed.

> 4. Provide issue reproduction information, including location and access of
> reproducer machine, if available.

> Location and access information for reproducer machine:

> Steps to reproduce the problem:

1. Install a RHEL4.4 machine
2. Execute as root:

rpm --import http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
rpm -Kv http://packages.vmware.com/tools/esx/3.5u4/rhel4/i686/vmware-tools-7.4.7-158874.171375.el4.i686.rpm
The problem is that rpm in RHEL4 has never supported RSA/SHA1 signatures. This was only added in rpm-4.4.2.
Having the same issue with a big retail Australian customer on 800 systems. Trying to deploy RHEL 4.8 AS x86_64 on VMware ESX 3.5 with RPM packages from http://packages.vmware.com/tools/esx/4.0u2/rhel4/x86_64/index.html

What's the go here: disable GPG checking for the whole system?

Not being able to install vmware-tools automagically via the activation key makes it an issue as when the system reboots, the vmware network interface doesn't work.

Cheers,
- Aurelien.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
As noted here already, RHEL 4 never supported RSA/SHA* signatures. New features are not going to be added at this point of the RHEL 4 lifecycle. VMware should provide RHEL 4-compatible packages in their RHEL 4 repository; this includes using supported signature types.
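
A triage helper for the situation in this thread, added here as an illustration and not code from the bug report or from rpm: it parses `rpm -Kv` output together with the `gpg-pubkey` entries from `rpm -qa`, and separates a NOKEY result for a key that was never imported from a NOKEY result for a key that is already in the rpmdb, which is the symptom reported above. The function names, the verdict strings and the `0badc0de` sample line are assumptions made for the example.

```python
import re

# Signature result lines of `rpm -Kv`; digest lines do not match.
SIG_LINE = re.compile(
    r"^\s*(?:Header )?V\d+ (?P<algo>[A-Z0-9/]+) signature: "
    r"(?P<status>[A-Z]+)(?:, key ID (?P<keyid>[0-9a-fA-F]{8}))?"
)
PUBKEY_PKG = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}\s*$", re.M)

def imported_key_ids(rpm_qa_output):
    """Key IDs of the gpg-pubkey-<keyid>-<created> entries listed by `rpm -qa`."""
    return set(PUBKEY_PKG.findall(rpm_qa_output))

def triage(rpm_kv_output, rpm_qa_output):
    """Return one (algo, keyid, verdict) tuple per signature line."""
    have = imported_key_ids(rpm_qa_output)
    results = []
    for line in rpm_kv_output.splitlines():
        m = SIG_LINE.match(line)
        if not m:
            continue  # digest lines and other text are not signature results
        keyid = (m.group("keyid") or "").lower()
        status = m.group("status")
        if status == "OK":
            verdict = "verified"
        elif status == "NOKEY" and keyid in have:
            # The case in this thread: the key is imported, yet rpm cannot use it.
            verdict = "key-imported-but-signature-not-verifiable"
        elif status == "NOKEY":
            verdict = "key-not-imported"
        else:
            verdict = "failed:" + status
        results.append((m.group("algo"), keyid, verdict))
    return results

# Output lines taken from the report above.
REPORTED_KV = """\
V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
Header SHA1 digest: OK (4a53b01f1ca7eed4cb984b0407a45605a3a4f2b3)
V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
MD5 digest: OK (9a303bd51496632db5969e31f79ece9f)
"""
REPORTED_QA = "gpg-pubkey-66fd4949-4803fe57\n"
# Constructed for contrast: a key ID that is not in the rpmdb.
CONSTRUCTED_KV = "V3 DSA signature: NOKEY, key ID 0badc0de\n"

if __name__ == "__main__":
    for row in triage(REPORTED_KV + CONSTRUCTED_KV, REPORTED_QA):
        print(row)
```

A `key-imported-but-signature-not-verifiable` verdict means re-importing the key will not help; per the comments above, the fix has to come from the rpm version or from how the package was signed.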