Short tip: create RPM GPG key for EL5 and 6

If you want to create and sign RPM packages for Enterprise Linux 5 and 6, there are a few things to keep in mind while creating and using the GPG key so that EL5 systems can also use the signed packages.

If you create a GPG key using the standard settings and sign an RPM package under EL6, you will get the following error on EL5 systems:

# rpm -v --checksig mypackage.rpm
Header V4 RSA/SHA1 signature: BAD, key ID xxxxxxxx

In a blog article I found a very useful hint: RPM/GPG is not able to deal with OpenPGP V4 signatures, so the older V3 signature format has to be used here.

Basically it is recommended to sign EL5 packages with RSA keys of at most 2048 bits - keep this in mind while creating the GPG key.

$ gpg --gen-key
...
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

GnuPG needs to construct a user ID to identify your key.

Real name: Max Mustermann RPM signing key
Email address: max@mmuster.de
Comment: RPM signing key
You selected this USER-ID:
    "Max Mustermann RPM signing key (RPM signing key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
...

$ gpg --export -a 'Max Mustermann RPM signing key (RPM signing key) ' > RPM-GPG-KEY-mmuster

By the way - do not create the key in a su / sudo session, because this will fail.

After creating the GPG key you need to alter the file ~/.rpmmacros if you sign your packages on an EL6 system - like in my case. On EL6 systems a V4 signature is used by default - this needs to be disabled:

$ vi .rpmmacros
%_signature gpg
%_gpg_name Max Mustermann RPM signing key (RPM signing key)
# --force-v3-sigs makes gpg emit V3 signatures, which rpm on EL5 can verify
%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}

If you don't know your GPG key name, have a look at your key listing (the output of gpg --list-keys):

pub   xxxxD/xxxxxxxx 2014-02-06
uid                  Max Mustermann RPM signing key (RPM signing key)
sub   xxxxg/xxxxxxxx 2014-02-06

After signing the RPM package the signature should also be verifiable on EL5 systems:

EL6 $ rpm --resign mypackage.rpm
EL6 $ scp mypackage.rpm ...
EL5 $ rpm -v --checksig mypackage.rpm
    Header V3 DSA signature: OK, key ID xxxxxxxx
    Header SHA1 digest: OK (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    MD5 digest: OK (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
    V3 DSA signature: OK, key ID xxxxxxxx
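As an added example (not part of the original tip), here is a small Python checker that reads the RPM lead and signature header directly and reports whether each signature packet is V3 or V4, so a package can be checked for EL5 compatibility before it is shipped and without rpm installed. The signature tag numbers follow rpm's rpmtag.h; the sample package header and the signature packets are constructed inline and are not real signatures.

```python
import struct

LEAD_SIZE = 96                       # the RPM lead is a fixed 96 bytes
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # marks the start of the signature header
# Signature-header tags that hold OpenPGP signature packets (rpm's rpmtag.h).
SIG_TAGS = {1002: "PGP", 1005: "GPG", 267: "DSA", 268: "RSA"}
# Constructed signature packets: old-format tag-2 header byte 0x88, 16-byte body.
V3_PKT = b"\x88\x10\x03" + b"\x00" * 15
V4_PKT = b"\x88\x10\x04" + b"\x00" * 15

def openpgp_sig_version(packet):
    """Return the version byte (3 or 4) of an OpenPGP signature packet."""
    first = packet[0]
    if first & 0x40:                                  # new-format header
        tag, lb = first & 0x3F, packet[1]
        body = 2 if lb < 192 else 3 if lb < 255 else 6  # no partial lengths
    else:                                             # old-format header
        tag = (first >> 2) & 0x0F
        body = 1 + (1, 2, 4)[first & 0x03]            # length type 3 is invalid here
    if not first & 0x80 or tag != 2:
        raise ValueError("not an OpenPGP signature packet")
    return packet[body]

def rpm_signature_versions(data):
    """Map each signature tag in the RPM signature header to its version."""
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    nindex, hsize = struct.unpack(">II", data[LEAD_SIZE + 8:LEAD_SIZE + 16])
    idx, store = LEAD_SIZE + 16, LEAD_SIZE + 16 + 16 * nindex
    versions = {}
    for i in range(nindex):
        tag, typ, pos, count = struct.unpack(">IIII", data[idx + 16 * i:idx + 16 * i + 16])
        if tag in SIG_TAGS and typ == 7:              # RPM_BIN_TYPE
            versions[SIG_TAGS[tag]] = openpgp_sig_version(data[store + pos:store + pos + count])
    return versions

def el5_compatible(data):
    """EL5 rpm only verifies V3 signatures, so every signature present must be V3."""
    versions = rpm_signature_versions(data)
    return bool(versions) and all(v == 3 for v in versions.values())

def build_sample(sig_packets):
    """Constructed lead + signature header for testing; not a real package."""
    index = store = b""
    for tag, pkt in sig_packets:
        index += struct.pack(">IIII", tag, 7, len(store), len(pkt))
        store += pkt
    lead = b"\xed\xab\xee\xdb" + b"\x00" * (LEAD_SIZE - 4)
    hdr = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(sig_packets), len(store))
    return lead + hdr + index + store
```

On a real package, pass the first few kilobytes of the .rpm file to el5_compatible(); a False result means rpm on EL5 will report the signature as BAD.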

🙂
