Short tip: create RPM GPG key for EL5 and 6

If you want to create and sign RPM packages for Enterprise Linux 5 and 6 you will have to consider some things while creating and using the GPG key so that EL5 systems can also use the signed packages.

If you create a GPG key using the standard settings and sign an RPM package under EL6 you will get the following error on EL5 systems:

# rpm -v --checksig mypackage.rpm
Header V4 RSA/SHA1 signature: BAD, key ID xxxxxxxx

In a blog article I found a very useful hint that RPM/GPG is not able to deal with OpenPGP V4 signatures. It is required to use the older signature V3 here.

Basically it is recommended to sign EL5 packages with an RSA key of at most 2048 bits – you need to consider this while creating the GPG key.

$ gpg --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

GnuPG needs to construct a user ID to identify your key.

Real name: Max Mustermann RPM signing key
Email address:
Comment: RPM signing key
You selected this USER-ID:
    "Max Mustermann RPM signing key (RPM signing key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
$ gpg --export -a 'Max Mustermann RPM signing key (RPM signing key) ' > RPM-GPG-KEY-mmuster

By the way – it is not recommended to create the key in a su / sudo session because this will fail.

After creating the GPG keys you need to alter the file ~/.rpmmacros if you sign your packages on an EL6 system – like in my case. On EL6 systems a V4 signature is used by default – this needs to be disabled:

$ vi .rpmmacros
%_signature gpg
%_gpg_name Max Mustermann RPM signing key (RPM signing key)
%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

If you don’t know your GPG key name you might want to have a look at the output of the following command:

$ gpg --list-keys
pub   xxxxD/xxxxxxxx 2014-02-06
uid                  Max Mustermann RPM signing key (RPM signing key) 
sub   xxxxg/xxxxxxxx 2014-02-06

After signing the RPM package with these settings the signature should also verify on EL5 systems:

EL6 $ rpm --resign mypackage.rpm
EL6 $ scp mypackage.rpm ...
EL5 $ rpm -v --checksig mypackage.rpm
    Header V3 DSA signature: OK, key ID xxxxxxxx
    Header SHA1 digest: OK (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    MD5 digest: OK (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    V3 DSA signature: OK, key ID xxxxxxxx
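As an added example (not part of the original post), here is a small POSIX shell check that a build pipeline can run over the output of `rpm -v --checksig` before a package is pushed to a repository that EL5 hosts use: it flags a V4 header signature (which EL5 reports as BAD), any signature or digest that is not OK, and unsigned packages. The sample outputs are constructed and modelled on the lines quoted above; the key IDs and digests are placeholders.

```shell
#!/bin/sh
# Classify `rpm -v --checksig` output read from stdin. Prints exactly one of:
#   v4-sig    a V4 signature is present: EL5 rpm cannot verify it
#   bad-sig   a signature or digest line is not reported as OK
#   unsigned  no signature line at all (only digests)
#   el5-ok    every signature is V3 and every line is OK
classify_checksig() {
    awk '
        /signature:/            { sigs++ }
        /signature:/ && /V4/    { v4 = 1 }
        /signature:/ && !/: OK/ { bad = 1 }
        /digest:/    && !/: OK/ { bad = 1 }
        END {
            if (v4)             print "v4-sig"
            else if (bad)       print "bad-sig"
            else if (sigs == 0) print "unsigned"
            else                print "el5-ok"
        }'
}

# Convenience wrapper for a real package file (needs rpm installed).
check_rpm_for_el5() {
    rpm -v --checksig "$1" | classify_checksig
}

# Constructed sample: what EL5 prints for a package signed with default EL6
# settings (V4 signature), as shown at the top of the post.
EL5_REJECT='mypackage.rpm:
Header V4 RSA/SHA1 signature: BAD, key ID 0123abcd'

# Constructed sample: the V3 result after the .rpmmacros change.
EL5_ACCEPT='mypackage.rpm:
Header V3 DSA signature: OK, key ID 0123abcd
Header SHA1 digest: OK (0123456789abcdef0123456789abcdef)
MD5 digest: OK (0123456789abcdef0123456789abcdef)
V3 DSA signature: OK, key ID 0123abcd'

# Demo when run directly.
printf '%s\n' "$EL5_REJECT" | classify_checksig   # v4-sig
printf '%s\n' "$EL5_ACCEPT" | classify_checksig   # el5-ok
```

Use `check_rpm_for_el5 mypackage.rpm` on the EL6 build host and refuse to publish unless it prints `el5-ok`.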
