nfpm: Signed RPMs failed to install via yum/dnf on RHEL7/CentOS7
Describe the bug
We are using the new RPM sign feature, and everything seems to work fine until installation.
Installation with yum:
Total download size: 4.5 M
Installed size: 12 M
Background downloading packages, then exiting:
error: /var/cache/yum/x86_64/7Server/linux-rpm-releases-local/packages/lslbgen-0.0.3.x86_64.rpm: Verify signature: BAD PARAMETERS (1002 0x31ecea0 72 (nil) 0x2bde520)
Problem opening package lslbgen-0.0.3.x86_64.rpm
lslbgen-0.0.3.x86_64.rpm
We get the error Verify signature: BAD PARAMETERS (1002 0x31ecea0 72 (nil) 0x2bde520)
If we inspect the package with rpm
everything seems ok:
rpm -K /var/cache/yum/x86_64/7Server/linux-rpm-releases-local/packages/lslbgen-0.0.3.x86_64.rpm -v
/var/cache/yum/x86_64/7Server/linux-rpm-releases-local/packages/lslbgen-0.0.3.x86_64.rpm:
V4 DSA/SHA256 Signature, key ID 499702cb: OK
We also tried with a RSA key and we get the same error.
With RHEL8 it is possible to install the package via yum/dnf without a problem.
To Reproduce
Build a signed RPM. Install the resulting package.
Expected behavior Installation should be possible.
Environment (please complete the following information):
uname -a
Linux 3.10.0-1160.2.2.el7.x86_64 goreleaser/goreleaser#1 SMP Sat Oct 17 05:06:47 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Additional context Add any other context about the problem here. Full output log with debug on is probably a helpful thing to add here.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 16 (11 by maintainers)
Commits related to this issue
- fix: ensure the rpm signature is properly validated fixes: https://github.com/goreleaser/nfpm/issues/265 — committed to djgilcrease/rpmpack by deleted user 4 years ago
- fix: ensure the rpm signature is properly validated fixes: https://github.com/goreleaser/nfpm/issues/265 — committed to phlax/rpmpack by deleted user 4 years ago
I also just wanted to mention that in general that generated package is strange and missing all manner of regular, important and even required tags. No released version of rpm produces packages like this.
For instance it’s missing SHA1HEADER and SIGMD5 tags, the latter being required by LSB for example. RHEL 7 rpm doesn’t support the SHA256 digests that are present in the package, and while the signature that is there is technically supported, it’s a header+payload signature which cannot be used during installation (rpmsign creates both a header-only and header+payload signatures), so there’s no supported means to verify it!
So just FYI.
Cisco.
So
nfpm
receives the data which needs to be signed from https://github.com/google/rpmpack and sends an armored detached signature created with/x/crypto/openpgp
back torpmpack
which then embeds it in therpm
.I can’t reproduce the behaviour with freshly generated keys. For me it just works on
centos7
andcentos8
. However, I used RSA keys and we also just test with RSA keys. The output of your last message shows that the package signed withrpm
was also signed with RSA keys and your broken packages was signed with DSA keys. I also found this serverfault thread that mentions thatrpm
can be picky with different key algorithms and key sizes https://serverfault.com/questions/624888/bad-signatures-or-nokey-errors-on-rpms-i-just-signed. So I guess the problem is your key.Could you please test it with an RSA key? I would also generally recommend not to use DSA keys anymore (read https://buttondown.email/cryptography-dispatches/archive/557475c5-9781-47e0-a640-5734bc849bc7 for more information).
If the key algorithm is indeed the problem, we should document it an check the key algorithm in
internal/sign
.I found some differences. The first one was signed with rpm on centos7, the second one with goreleaser:
Need to remove the replace once google/rpmpack#53 is merged… will leave this issue open until then 😃
Thanks @djgilcrease @erikgeiser @zbindenren 🚀
I think the issue could be fixed in nfpm. Changing the
PGPSigner
to use MD5 fixes the issue, which just tells me we are not setting a field properly to set the Algo used to verify the pgp. Will keep digging to see if I can find the field and value that needs to be set.