Bugzilla – Bug 6974
Add gpg signature to RPMs
Last modified: 2011-01-14 10:08:42 UTC
The RPMs distributed from the yum repos really should be gpg signed, and the public key made available (and added to the squeezecenter-release RPM).
(In reply to comment #0)
> The RPMs distributed from the yum repos really should be gpg signed, and the
> public key made available (and added to the squeezecenter-release RPM.

I agree. IMO it would also be OK to update the .repo file with gpgkey=http://www.slimdevices.com/path/to/key instead of actually shipping the key in the package.
I would ship it as well as making it available on the site. If you were just making a .repo file available then it would make sense to just make the public key available on the site also, but as you're shipping an rpm to install the repo file the public key should go in there too. All IMHO, of course!
Fletch, I've got the GPG key set up, and I've added it to the repo and the yum config file ... but for some reason I'm having a hard time building the RPM with that key automatically. I can add the key by doing a --resign, but that requires manual intervention. What am I missing? I put the key name and everything into my .rpmmacros file. Do you have any hints?
All you should need to do is to create a key without a passphrase and build the rpm using: rpmbuild --sign -ba squeezecenter.spec. What were you trying? What didn't work? R.
I guess the issue is that my buildme.pl script doesn't have a --sign in it. I don't want to add that though, because it will break other users who want to build an RPM without signing it. Why isn't my .rpmmacros file being picked up with its:

%_signature gpg
%_gpg_name Streaming Media Systems, Logitech Inc.
%_gpg_path ~/.gnupg

Is there something else I can add to the .rpmmacros file that I'm missing?
(In reply to comment #5)
> %_signature gpg
> %_gpg_name Streaming Media Systems, Logitech Inc.
> %_gpg_path ~/.gnupg
>
> Is there something else I can add to the .rpmmacros file that I'm missing?

I'm not sure, but a few things to try:
- Do you need to also set %_gpgbin?
- Make sure %_gpg_name really matches the name used when creating the key pair.
- Does it properly understand ~/? Maybe try an absolute %_gpg_path.

Otherwise, you could also add a command line switch to buildme.pl to enable/disable signing instead of using .rpmmacros.
So adding '--sign' at least did something ... but not a good thing. During the build it stopped and waited for me to press 'enter' for the key password. I've already tried adding the gpg_bin and that didn't solve it either. I verified that the name was accurate by using it with the gpg command to search for the key, and it worked.
http://www.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html The behavior described above is exactly what I'm seeing... I have not yet found a way to automate the signing of packages nightly...
Let's make this change on trunk for 7.0.1
(In reply to comment #9)
> Let's make this change on trunk for 7.0.1

OK, but note that the trunk and branch repos are currently broken because they contain repo files that require a key, but all the RPMs are still unsigned. Matt, can you remove those updated repo RPMs? Anyone who has already updated will need to either downgrade the repo RPM or manually edit it to get things working again. As for the real problem, I'm not sure how to do unattended signing, but folks like Fedora and RPMForge clearly have a way to do it. When I have some time, I'll do some googling and see what I can find...
You need to remove the password from the private key. If it has no password it will not ask for one when signing. Note that this is different to having an empty password. R.
Robin, that's kind of what I was thinking ... but I can't seem to make a GPG key without a password at all. What am I missing?
Have a look at this thread: http://www.mail-archive.com/fedora-buildsys-list@redhat.com/msg00486.html However, given that we are a perl shop, this looks like the perfect solution: http://search.cpan.org/~nanardon/RPM4-0.23/lib/RPM4/Sign.pm R.
I've built a quick perl script using RPM4::Sign to sign the RPMs before they're put into the YUM repo. I'm doing a rebuild of the nightly RPMs right now, and uploading them. Please confirm that these work for you, and then we can close this bug...
The squeezecenter-repo package has been updated to 1-3 with the proper key, and the RPMs are being automatically signed with this key now.
Hah, ironically, the updated repo package could not be verified because it isn't signed!! :) R.
Ha ha... oops. Try now.
Still doesn't work:

$ sudo yum upgrade
Loading "priorities" plugin
125 packages excluded due to repository priority protections
Setting up Upgrade Process
Resolving Dependencies
--> Running transaction check
---> Package squeezecenter-repo.noarch 0:1-3 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Updating:
 squeezecenter-repo      noarch     1-3              squeezecenter-release  3.9 k

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       1 Package(s)
Remove       0 Package(s)

Total download size: 3.9 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): squeezecenter-repo 100% |=========================| 3.9 kB    00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: NOKEY, key ID c3cdadd1
Importing GPG key 0x71ABEFCE "Streaming Media Systems, Logitech Inc. <gpg@slimdevices.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter
Is this ok [y/N]: y
Public key for squeezecenter-repo-1-3.noarch.rpm is not installed
(In reply to comment #18)
> Still doesn't work:

I don't have time to test right now, but I assume this is because it is checking against the key in the 1-2 version of the repo RPM.
It is ... and the only way to fix it is to do a 'yum remove squeezecenter-repo', wget the latest 1-3 file, install that repo file, and then do a yum install squeezecenter. Sorry about that, but the GPG key changed while I was testing things, so that's just what has to happen now.
OK, this works for me. The only problem I see is that the 6.5.4 RPM in release is still signed with the old key.
I've resigned the release packages... closing bug. No code change to the public code base was necessary, only to our own internal build scripts.
(In reply to comment #22)
> I've resigned the release packages... closing bug. No code change to the public
> code base was necessary, only to our own internal build scripts.

Closing bug, please reopen if you see any other problems.
Hello. http://repos.slimdevices.com/yum/squeezecenter/release/squeezecenter-7.3-1.noarch.rpm went out un-signed. Could someone please re-open this bug?
Perhaps this should be a different bug: QA the release procedure to ensure RPMs are signed before being moved to the repo. :)
Sorry, this is fixed:

Name        : squeezecenter                Relocations: (not relocatable)
Version     : 7.3                               Vendor: Logitech
Release     : 1                             Build Date: Thu 11 Dec 2008 02:15:38 PM PST
Install Date: (not installed)               Build Host: centos-build.edmz.slimdevices.com
Group       : System Environment/Daemons    Source RPM: squeezecenter-7.3-1.src.rpm
Size        : 55864621                         License: GPL and proprietary
Signature   : RSA/SHA1, Sun 14 Dec 2008 09:16:01 AM PST, Key ID f444850cc3cdadd1
Packager    : Slim Devices/Logitech <support@slimdevices.com>
URL         : http://www.slimdevices.com
Summary     : SqueezeCenter Music Server
Description :

Using a new release cycle that just missed this process.. will fix for next release.
Hi, seems it's not really signed:

madko@osiris:~$ rpm -qpi squeezecenter-repo-1-5.noarch.rpm
Name        : squeezecenter-repo           Relocations: (not relocatable)
Version     : 1                                 Vendor: (none)
Release     : 5                             Build Date: mar. 31 mars 2009 18:26:23 CEST
Install Date: (not installed)               Build Host: x86-fc9-build
Group       : System Environment/Base       Source RPM: squeezecenter-repo-1-5.src.rpm
Size        : 2379                             License: GPL
Signature   : (none)
URL         : http://www.slimdevices.com
Summary     : SqueezeCenter Branch Repository Configuration
Description :
This package installs the repository repo files for the SqueezeCenter Branch software repository.
Oops, I forgot to sign the new repo rpm. I've signed it and uploaded the new files.

On Apr 16, 2009, at 11:54 PM, bugs@community.slimdevices.com wrote:

> https://bugs-archive.lyrion.org/show_bug.cgi?id=6974
>
> --- Comment #27 from Edouard <madko77@gmail.com> 2009-04-16 23:54:46 ---
> Hi,
> seems it's not really signed:
> madko@osiris:~$ rpm -qpi squeezecenter-repo-1-5.noarch.rpm
> Name        : squeezecenter-repo           Relocations: (not relocatable)
> Version     : 1                                 Vendor: (none)
> Release     : 5                             Build Date: mar. 31 mars 2009 18:26:23 CEST
> Install Date: (not installed)               Build Host: x86-fc9-build
> Group       : System Environment/Base       Source RPM: squeezecenter-repo-1-5.src.rpm
> Size        : 2379                             License: GPL
> Signature   : (none)
> URL         : http://www.slimdevices.com
> Summary     : SqueezeCenter Branch Repository Configuration
> Description :
> This package installs the repository repo files for the SqueezeCenter Branch
> software repository.
>
> --
> Configure bugmail: https://bugs-archive.lyrion.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are the assignee for the bug.
Thank you for responding so fast, do you know when it will be available? Because on the http repository:

squeezecenter-repo-1-5.noarch.rpm 14-Apr-2009 07:20 4.1K

the file is still unchanged and unsigned.
Ack, I missed the release directory, I got the others. I just updated the release directory.
Did you forget to update repodata with the createrepo cmd?
Did you release an unsigned squeezecenter-repo-1-5 followed by a signed version of the same package? I think you need to bump the version number to flush the unsigned version from people's package caches.
Until a createrepo has been done, the repository is for the moment broken simply because the md5sum of the package doesn't match. And of course the release number must be bumped.
Good catch, I did indeed miss that. I also didn't think about the md5 match, etc. I've updated the repo rpm to 1-6, signed it, put it in all the right dirs, and run createrepo. Please check it out now.
squeezecenter-repo-1.6 is signed with the key 4123722a, but the key specified in /etc/yum.repos.d/squeezecenter.repo (and included in /etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter) is:

C3CDADD1 2008-02-12 Logitech <gpg@slimdevices.com>

So who does the 4123722a key belong to, and where can it be verified?
rpmlint on the rpm file also reports some errors/warnings that could certainly be fixed easily. I had one error during the upgrade to repo-1.6 on the %post script: rpm --import failed. I don't know why, maybe because the key was already imported. If it's just as trivial as that, you can change your post script to something like:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter || :

so even if the import fails, the post script will return a good status.
If you install the new repo-1-6 package, you should be in good shape:

[parabuild@x86-fc9-build squeezecenter]$ rpm -qip squeezecenter-repo-1-6.noarch.rpm
Name        : squeezecenter-repo           Relocations: (not relocatable)
Version     : 1                                 Vendor: (none)
Release     : 6                             Build Date: Sat 18 Apr 2009 11:41:21 AM PDT
Install Date: (not installed)               Build Host: x86-fc9-build
Group       : System Environment/Base       Source RPM: squeezecenter-repo-1-6.src.rpm
Size        : 2379                             License: GPL
Signature   : DSA/SHA1, Sat 18 Apr 2009 11:41:59 AM PDT, Key ID 295779ff4123722a
URL         : http://www.slimdevices.com
Summary     : SqueezeCenter Branch Repository Configuration
Description :
This package installs the repository repo files for the SqueezeCenter Branch software repository.

[parabuild@x86-fc9-build squeezecenter]$ rpm -qip testing/squeezecenter-7.3.3-0.1.26020.noarch.rpm
Name        : squeezecenter                Relocations: (not relocatable)
Version     : 7.3.3                             Vendor: Logitech
Release     : 0.1.26020                     Build Date: Sun 19 Apr 2009 03:07:59 AM PDT
Install Date: (not installed)               Build Host: x86-fc9-build
Group       : System Environment/Daemons    Source RPM: squeezecenter-7.3.3-0.1.26020.src.rpm
Size        : 57958551                         License: GPL and proprietary
Signature   : DSA/SHA1, Sun 19 Apr 2009 03:08:40 AM PDT, Key ID 295779ff4123722a
Packager    : Slim Devices/Logitech <support@slimdevices.com>
URL         : http://www.slimdevices.com
Summary     : SqueezeCenter Music Server
Description :
SqueezeCenter powers the Squeezebox, Transporter and SLIMP3 network music players and is the best software to stream your music to any software MP3 player. It supports MP3, AAC, WMA, FLAC, Ogg Vorbis, WAV and more!

[root@x86-fc9-build squeezecenter]# rpm -ivh squeezecenter-repo-1-6.noarch.rpm
Preparing...                ########################################### [100%]
   1:squeezecenter-repo     ########################################### [100%]
[root@x86-fc9-build squeezecenter]# gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-SqueezeCenter
gpg: keyring `/root/.gnupg/secring.gpg' created
pub  1024D/4123722A 2009-03-31 Streaming Media Business Unit <gpg@slimdevices.com>
sub  2048g/7B23045A 2009-03-31

The new 1-6 repo package is signed with a new key that is the same as the key that is signing our RPM builds. Additionally the 1-6 repo package imports the new key and copies it into your /etc/pki/rpm-gpg directory. This package matches the RPM-GPG-Key-SqueezeCenter file that is located at http://repos.slimdevices.com/yum/squeezecenter/. I'm not seeing any odd behavior with this setup, everything looks to be working properly.
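The failures reported above (a package published with "Signature : (none)", a release signed with the old c3cdadd1 key, and the repo package signed with a key that the .repo file did not list) are all visible in `rpm -qpi` output, which is what the "QA the release procedure" suggestion in comment #24 amounts to. The following is an added example, not code from this bug report or from the SqueezeCenter build scripts: a POSIX sh gate that reads the Signature line and refuses to publish a package that is unsigned or signed with anything but the expected key. It assumes the classic rpm header layout ("Signature : <algo>, <date>, Key ID <hex>" or "Signature : (none)") and accepts the expected key either as the 8-digit short ID quoted in the thread (4123722a) or as the full 16-digit ID rpm prints. The sample outputs are constructed, modelled on the ones pasted in this bug.

```shell
#!/bin/sh
# Added example (not from the bug thread or the SqueezeCenter build scripts):
# a release-QA gate over `rpm -qpi` output.  A package is only accepted when
# it is signed with the key the repo package ships, so an unsigned build or
# one signed with a stale key never reaches createrepo.
#
# Assumptions: rpm's classic header format with a single line
#   "Signature   : <algo>, <date>, Key ID <hex>"   or   "Signature   : (none)"
# and an expected key ID given in short (4123722a) or long (295779ff4123722a) form.

# Print the key ID found on the Signature line of the rpm -qpi text in $1.
# Prints "none" for an unsigned package and nothing if no Signature line exists.
signature_key_id() {
    sig=$(printf '%s\n' "$1" | sed -n 's/^Signature *: *//p' | head -n 1)
    case "$sig" in
        '')           printf '' ;;
        '(none)'*)    printf 'none' ;;
        *'Key ID '*)  printf '%s' "${sig##*Key ID }" ;;
        *)            printf '' ;;
    esac
}

# Lower-case the last 8 hex digits so that short and long key IDs compare equal
# (rpm prints the 16-digit ID, gpg and the .repo file use the 8-digit one).
short_key_id() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tail -c 8
}

# check_rpm_signature EXPECTED_KEY_ID "<rpm -qpi output>"
# Exit status: 0 signed with the expected key, 1 unsigned,
#              2 signed with a different key, 3 no usable Signature line.
check_rpm_signature() {
    key=$(signature_key_id "$2")
    case "$key" in
        '')   echo "ERROR: no Signature line found in rpm -qpi output" >&2; return 3 ;;
        none) echo "FAIL: package is unsigned" >&2; return 1 ;;
    esac
    if [ "$(short_key_id "$key")" = "$(short_key_id "$1")" ]; then
        echo "OK: signed with key $key"
        return 0
    fi
    echo "FAIL: signed with key $key, expected $1" >&2
    return 2
}

# Gate a real file before it is copied into the repo (needs rpm installed):
#   gate_package 4123722a path/to/package.rpm
gate_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 3; }
    check_rpm_signature "$1" "$(rpm -qpi "$2")"
}

# Constructed rpm -qpi excerpts, modelled on the outputs pasted in this bug
# (only the fields the gate reads are kept).
UNSIGNED_INFO='Name        : squeezecenter-repo
Version     : 1
Release     : 5
Signature   : (none)
Summary     : SqueezeCenter Branch Repository Configuration'

OLD_KEY_INFO='Name        : squeezecenter
Version     : 7.3
Release     : 1
Signature   : RSA/SHA1, Sun 14 Dec 2008 09:16:01 AM PST, Key ID f444850cc3cdadd1
Summary     : SqueezeCenter Music Server'

NEW_KEY_INFO='Name        : squeezecenter-repo
Version     : 1
Release     : 6
Signature   : DSA/SHA1, Sat 18 Apr 2009 11:41:59 AM PDT, Key ID 295779ff4123722a
Summary     : SqueezeCenter Branch Repository Configuration'

# Run the gate over the samples with the key from the 1-6 repo package;
# only the last sample passes, the other two are reported and held back.
for sample in "$UNSIGNED_INFO" "$OLD_KEY_INFO" "$NEW_KEY_INFO"; do
    check_rpm_signature 4123722a "$sample" || echo "  -> not publishing this package"
done
```

Wiring `gate_package` into the upload step, between the signing script and `createrepo`, catches the unsigned and wrong-key cases before the repodata is regenerated; it does not replace the release-number bump that is still needed whenever an already-published file is re-signed, since the md5sum in the existing repodata will no longer match.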
I'm not seeing that failure even if I run the command over and over again. What platform are you on exactly?
My platform is running on fedora10 x86_64. The problem occurred during the upgrade from squeezecenter-repo-1.4 to 1.6, using yum not rpm. But I can't reproduce the problem... so it's not a big issue.
The problem with the signatures is that we should download a key from an untrusted source and then trust that key to guarantee the integrity of the rest of the slimdevices software, i.e. the chain of trust is broken. It would be prudent to publish the fingerprint of the new key (gpg --fingerprint 4123722A) on an official slimdevices.com web page that is accessible through https. Also, signing the new key with the old one and exporting it to keyservers would be a good idea.
To be honest, I'm not terribly familiar with the process for publishing rpm gpg keys to known locations. Beyond that, the key is available from downloads.slimdevices.com -- how much more official can you get?
It's official only if you trust your DNS. https should be better, the ssl certificate will prove that it's the right server.</paranoia>
Assigning to Mark to follow up on some other GPG issues. Primarily we need to publish our GPG keys at a proper location as well as a few little fixes to our repo packages.
Don't you have your keys published at pgp.mit.edu, for example? My update using smart will not install the new squeezecenter because your key is not published. Where do I get it?
Some additional thoughts on this... The key is available at:

http://repos.slimdevices.com/yum/squeezecenter/RPM-GPG-KEY-SqueezeCenter

However, as David Juran points out, we can't trust that key because it's not available from a secure source, i.e. it's not https. If you fix up your server config so that URL works with https and publish the fingerprint for the key, as well as the key itself, then you should be all done. At the moment this doesn't work:

https://repos.slimdevices.com/yum/squeezecenter/RPM-GPG-KEY-SqueezeCenter

In fact, http://repos.slimdevices.com serves different content than https://repos.slimdevices.com R.
*** Bug 14404 has been marked as a duplicate of this bug. ***
Moving P3 and lower bugs to next release target