CentOS yum repository bad Header V4 RSA/SHA1 signature

centosgpgrepositoryrpmyum

I was coping with many problems to get stuck with this one.

I have installed yum repository on server (CentOS 5.6) with:

createrepo -v -s sha yumrepo/

sha is used due to solution to my earlier problem I have found: my reposistory was not accepted.
([Errno -3] Error performing checksum )

generated gpg key with:

gpg --gen-key

sign package with (package was not created on server):

rpm --addsign mypackage-1.0-1.i386.rpm

check if was signed properly:

rpm -vv --checksig mypackage-1.0-1.i386.rpm 
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name rdonly mode=0x0
D:  read h#     205 Header sanity check: OK
D: added key gpg-pubkey-c105b9de-4e0fd3a3 to keyring
D:  read h#     313 Header sanity check: OK
D: added key gpg-pubkey-ebb3d90e-4ee5e6e8 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size:         3126 = lead(96)+sigs(528)+pad(0)+data(2502)
D:   Actual size:         3126
mypackage-1.0-1.i386.rpm:
    Header V4 RSA/SHA1 Signature, key ID ebb3d90e: OK
    Header SHA1 digest: OK (6d131be3c792fcc99da662f432c33facc86efc56)
    V4 RSA/SHA1 Signature, key ID ebb3d90e: OK
    MD5 digest: OK (76cfe98c4128d45da894a2b5b970e703)
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages

and exported my public key with:

gpg --armor --output MY-GPG-KEY --export 'MYNAME'

On client (CentOS 5.6 too) I have created file /etc/yum.repos.d/myrepo.repo with following content:

[myrepo]
name=myrepo
baseurl=https://login:pass@address.to.my.repo
enabled=1
gpgcheck=1
gpgkey=https://login:pass@address.to.my.repo/MY-GPG-KEY
protect=1

than as root I have run:

yum clean all
yum install mypackage

and get an error:

Downloading Packages:
mypackage-0.1-1.noarch.rpm                                | 3.0 kB     00:00     
error: rpmts_HdrFromFdno: Header V4 RSA/SHA1 signature: BAD, key ID ebb3d90e

While:

rpm -q gpg-pubkey
gpg-pubkey-e8562897-459f07a4
gpg-pubkey-217521f6-45e8a532
gpg-pubkey-ebb3d90e-4ee5e6e8

What should I do to have my package securely installed ?

Best Answer

Your answer is on this page : http://adminotes.blogspot.fr/2011/12/centos-6-rpm-sign-problem-v4-signatures.html

In summary, v4 signature are used by default in Centos 6, but Centos 5 only supports v3.

Adding --force-v3-sigs flag in your %__gpg_sign_cmd will makes it work.

Related Question