ctron / rpm-builder

Maven RPM builder plugin
https://ctron.github.io/rpm-builder
Eclipse Public License 2.0

Signed RPM failed to install using `dnf` on RHEL8 and RHEL9 #64

Closed ctron closed 2 years ago

ctron commented 2 years ago

reported by: @tobias1703

A package that is signed can be successfully verified on RHEL7, 8, 9 (using `rpm -K`), but when a YUM repository is created using createrepo, it fails to install on RHEL 8 and 9 with the following error:

Package test.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Reproducer: https://github.com/tobias1703/rpm-builder-test

Remaining tasks:

ctron commented 2 years ago

Interestingly, it can be installed successfully using `dnf install test.rpm`.

ctron commented 2 years ago

It looks like the message originates here: https://github.com/rpm-software-management/dnf/blob/7b52f20604aa9b308d68883aabe5b3a36ff1d4db/dnf/base.py#L1390

ctron commented 2 years ago

Which is triggered by the outcome of this:

https://github.com/rpm-software-management/dnf/blob/f9f07492f08c1966524dfd5066ae913501980477/dnf/rpm/miscutils.py#L36-L61

ctron commented 2 years ago

The input for this comes from `rpmkeys`; executing the same command (with the same arguments) results in:

[root@2adb210281de myrepo]# rpmkeys --checksig --verbose '--define=_pkgverify_level signature' '--define=_pkgverify_flags 0x0' test.rpm 
test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    Payload SHA256 ALT digest: NOTFOUND
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
    MD5 digest: OK

So I guess one of the NOTFOUNDs triggers this response.

ctron commented 2 years ago

Checking with an rpm from RHEL9, this compares to:

yum-utils-4.0.24-4.el9_0.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK

ctron commented 2 years ago

Comparing that to the output of rpmcheck of RHEL7:

[root@26c410b57805 myrepo]# rpmkeys --checksig --verbose '--define=_pkgverify_level signature' '--define=_pkgverify_flags 0x0' test.rpm
test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA1 digest: OK (ed3d708091c78619c1a0f2ce0045fad5d1278feb)
    MD5 digest: OK (b68fa9e7e4b20a253d41e65abe78f26c)

ctron commented 2 years ago

I think I have found out what is wrong: it seems as if the RPM has a V4 signature header (which Eclipse Packager, and thus the RPM builder plugin, creates), which only signs the header; but with the header it also signs the header entries containing the payload digests. This is faster, but triggers the rpmkeys tool to complain about "missing" information.

The V3 signature signs both headers and payload, but is slower.

So, what needs to be done: (see first comment)

I have a working version locally. So all that needs to be done is to orchestrate a few PRs and create new versions.
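A small checker for the distinction described above, added here as an example and not code from rpm-builder, Eclipse Packager or dnf: it parses `rpmkeys --checksig --verbose` output like that quoted in this thread and reports whether the OK signature covers only the header (rpm's V4 header-only signature) or the payload as well. The `strict_check_ok` heuristic is an assumption modelled on this thread, not dnf's actual logic.

```python
import re
from typing import List, Tuple

# Constructed samples: two rpmkeys --checksig --verbose outputs quoted in this issue.
HEADER_ONLY = """test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    Payload SHA256 ALT digest: NOTFOUND
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
    MD5 digest: OK
"""
HEADER_AND_PAYLOAD = """yum-utils-4.0.24-4.el9_0.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK
"""
# One result line: "    <check>: <STATUS>" with an optional "(value)" tail (RHEL7-style output).
LINE_RE = re.compile(r"^\s+(?P<check>.+?):\s+(?P<status>[A-Z]+)(?:\s+\(.*\))?\s*$")

def parse_checksig(output: str) -> List[Tuple[str, str]]:
    """Return (check name, status) pairs, skipping the leading '<file>:' line."""
    return [(m["check"], m["status"]) for m in map(LINE_RE.match, output.splitlines()) if m]

def signature_coverage(output: str) -> str:
    """'header-only' if only 'Header ... Signature' lines are OK (rpm V4 header signature),
    'header+payload' if a non-header signature line is OK too, else 'unsigned'."""
    header_sig = payload_sig = False
    for check, status in parse_checksig(output):
        if status == "OK" and "signature" in check.lower():
            if check.startswith("Header "):
                header_sig = True
            else:
                payload_sig = True
    if payload_sig:
        return "header+payload"
    return "header-only" if header_sig else "unsigned"

def strict_check_ok(output: str) -> Tuple[bool, List[str]]:
    """Heuristic (assumption) for the strict check in this issue: no NOTFOUND/BAD/NOKEY
    results and a signature that covers the payload. Returns (ok, list of non-OK checks)."""
    problems = [f"{c}: {s}" for c, s in parse_checksig(output) if s != "OK"]
    return (not problems and signature_coverage(output) == "header+payload"), problems
```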

ctron commented 2 years ago

This is released as 1.9.0.