Signing an RPM package with a DSA key appears to be successful, but generates an RPM with an unverifiable signature.
CentOS 7 (RPM version 4.11.3):
error: skipping package <package> with unverifiable signature
CentOS 6 (RPM version 4.8.0):
error: skipping package <package> with unverifiable v4 signature
There doesn't seem to be any support in Redline for signing with a DSA key, but neither does the tool fail or even give a warning if the algorithm of the key is not supported.
From my cursory inspection of the code, it looks like the key is passed off to Bouncy Castle code to generate the signatures, but then added to the RPM in PGP and RSA headers (SignatureGenerator.prepare() method).
Are there any plans to support DSA keys? Or should a check be added to throw an exception if the key is DSA?
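The mismatch described in this report can be detected from the signature bytes alone. The following is an added example, not Redline's code and not part of the original report: it reads the public-key algorithm out of an OpenPGP signature packet (RFC 4880) and checks it against the RPM signature-header tag it would be stored under. The tag numbers follow RPM's convention (RSA under RSA/PGP, DSA under DSA/GPG); the function names and the two truncated sample packets are constructed for illustration.

```python
# RPM signature-header tags and OpenPGP public-key algorithm ids (RFC 4880).
RPMSIGTAG_DSA, RPMSIGTAG_RSA = 267, 268      # header-only signatures
RPMSIGTAG_PGP, RPMSIGTAG_GPG = 1002, 1005    # header+payload signatures
RSA_ALGOS, DSA_ALGOS = {1, 3}, {17}
EXPECTED = {RPMSIGTAG_RSA: RSA_ALGOS, RPMSIGTAG_PGP: RSA_ALGOS,
            RPMSIGTAG_DSA: DSA_ALGOS, RPMSIGTAG_GPG: DSA_ALGOS}

def signature_body(packet: bytes) -> bytes:
    """Strip the OpenPGP packet header and return the signature packet body."""
    if len(packet) < 3 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = packet[0]
    if first & 0x40:                          # new-format header
        tag, l0 = first & 0x3F, packet[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + packet[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("partial body length is not valid here")
    else:                                     # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        nbytes = 1 << ltype                   # 1, 2 or 4 length octets
        start, length = 1 + nbytes, int.from_bytes(packet[1:1 + nbytes], "big")
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    return packet[start:start + length]

def pubkey_algorithm(packet: bytes) -> int:
    """Return the public-key algorithm id of a v3 or v4 signature packet."""
    body = signature_body(packet)
    offset = {3: 15, 4: 2}.get(body[0] if body else None)  # algorithm octet
    if offset is None or len(body) <= offset:
        raise ValueError("unsupported or truncated signature packet")
    return body[offset]

def tag_matches(tag: int, packet: bytes) -> bool:
    """True if the signature's algorithm belongs under this RPM header tag."""
    return pubkey_algorithm(packet) in EXPECTED[tag]

# Constructed samples: packet header plus leading body fields only.
DSA_V4 = bytes.fromhex("8806040011020000")
RSA_V3 = bytes.fromhex("8811" + "030500" + "5f000000" + "0102030405060708" + "0102")
```

A signing tool can run the same check before writing the header and raise an error when `tag_matches` is false, instead of emitting a package that fails verification later.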