Package: <buildscripts>
Version: x2goserver.x86_64 0:4.0.1.19-0.0x2go2.1.git20150608.1064.main.el5.centos
Hello, I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get the following error for more than 1 dependency:
Header V3 RSA/SHA1 signature: BAD
For the full log see the attachment, I think this may be just like #699.
On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
> I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get the following error for more than 1 dependency:
> Header V3 RSA/SHA1 signature: BAD
> For the full log see the attachment, I think this may be just like #699.
Probably not, though. The packages are using Header V3, #699 was about V4 being unsupported on RHEL5.
What does your yum repo file look like? Is gpgcheck enabled? If yes, does disabling it solve your problem?
Mihai
The repo looks as follows (the same holds for [x2go-extras-epel]); I manually disabled gpgcheck, but it changes nothing.
[x2go-release-epel]
name=Upstream X2Go EPEL Packages (Release Builds)
baseurl=http://packages.x2go.org/epel/$releasever/main/$basearch
gpgcheck=0
gpgkey=http://packages.x2go.org/pub.key
enabled=1
protect=0
What I did now was use the testing repo for the EPEL packages, and then the installation worked.
On 30.06.2015 at 21:09, Mihai Moldovan wrote:
> On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
>> I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get the following error for more than 1 dependency:
>> Header V3 RSA/SHA1 signature: BAD
>> For the full log see the attachment, I think this may be just like #699.
> Probably not, though. The packages are using Header V3, #699 was about V4 being unsupported on RHEL5.
> What does your yum repo file look like? Is gpgcheck enabled? If yes, does disabling it solve your problem?
> Mihai
On 01.07.2015 at 11:29, Christian Trenkwalder wrote:
> The repo looks as follows (the same holds for [x2go-extras-epel]); I manually disabled gpgcheck, but it changes nothing.
I am not sure if this is relevant here, but I just wanted to throw in that if you generate repos for RHEL5 on RHEL6 or 7, you must explicitly call createrepo with -s sha1 or -s sha.
Uli
On 01.07.2015 12:45 PM, Ulrich Sibiller wrote:
> On 01.07.2015 at 11:29, Christian Trenkwalder wrote:
>> The repo looks as follows (the same holds for [x2go-extras-epel]); I manually disabled gpgcheck, but it changes nothing.
> I am not sure if this is relevant here, but I just wanted to throw in that if you generate repos for RHEL5 on RHEL6 or 7, you must explicitly call createrepo with -s sha1 or -s sha.
I'm painfully aware of that: http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-packag...
That shouldn't be the problem, we've been doing this quite a while now.
BUT we do sign the packages with a 2048-bit RSA key. While this is not a bad idea per se, I've read that RHEL5's rpm only supports 1024-bit RSA or DSA keys...
Looks like I have to create a 1024-bit subkey, upload that to the keyservers, put it into the Debian keyring, add it to http://packages.x2go.org/pub.key and sign all RHEL 5 packages with that weak one?
Maybe Christian would have needed to also run "yum clean" and maybe even delete the downloaded key file in addition to disabling gpgcheck in order to make RPM not check the signatures anymore.
Given that he switched to the official EPEL repo, I assume(?) I can't continue debugging this (well, short of creating a CentOS 5 VM...)
Mihai
On 01.07.2015 06:13 PM, Mihai Moldovan wrote:
> BUT we do sign the packages with a 2048-bit RSA key. While this is not a bad idea per se, I've read that RHEL5's rpm only supports 1024-bit RSA or DSA keys...
> Looks like I have to create a 1024-bit subkey, upload that to the keyservers, put it into the Debian keyring, add it to http://packages.x2go.org/pub.key and sign all RHEL 5 packages with that weak one?
Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...
Mihai
Control: reassign -1 buildscripts 0
Control: close -1
On 02.07.2015 01:49 AM, Mihai Moldovan wrote:
> Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...
Changed the buildscripts in this commit to use the new GPG key for EPEL 5 (package and repo data signing): http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-packag...
Additionally, all packages will be signed with the "new" GPG key.
I have verified that packages can now be successfully installed in a CentOS 5.8 VM.
Re-signing of the packages in the repository and the repo data is currently underway.
Mihai
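The key-size check behind the diagnosis in this thread, as an added example that is not part of the original messages or the X2Go buildscripts: it reads `gpg --with-colons --list-keys` output and reports which primary keys and subkeys can sign and fit under a legacy rpm's size ceiling. The 1024-bit default is the limit reported in this thread, the function names are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the X2Go buildscripts. Function names are hypothetical.

# Constructed sample of `gpg --with-colons --list-keys` output
# (key IDs, dates and user ID are made up).
sample_listing() {
cat <<'EOF'
pub:-:2048:1:AAAAAAAAAAAAAAAA:1300000000:::-:::scESC:
uid:-::::1300000000::0000::Example Repo Signing Key <repo@example.invalid>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1300000000::::::e:
sub:-:1024:1:CCCCCCCCCCCCCCCC:1435700000::::::s:
EOF
}

# Read a colon listing on stdin; print one line per primary key or subkey:
#   TYPE KEYID ALGO BITS sign=yes|no STATUS
# Colon fields used: 1 record type, 3 key length, 4 algorithm
# (1 = RSA, 17 = DSA), 5 key ID, 12 capabilities (lowercase s = can sign).
# $1 is the size ceiling; 1024 is the limit reported in this thread (assumption).
legacy_rpm_key_report() {
    max_bits="${1:-1024}"
    awk -F: -v max="$max_bits" '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 1)       algo = "RSA"
            else if ($4 == 17) algo = "DSA"
            else               algo = "algo" $4
            signs = ($12 ~ /s/) ? "yes" : "no"
            if ($4 != 1 && $4 != 17)   status = "UNSUPPORTED-ALGO"
            else if ($3 + 0 > max + 0) status = "TOO-LARGE"
            else                       status = "OK"
            print $1, $5, algo, $3, "sign=" signs, status
        }'
}

# Key IDs that can sign and fit under the ceiling.
usable_signing_keys() {
    legacy_rpm_key_report "$@" | awk '$5 == "sign=yes" && $6 == "OK" { print $2 }'
}

# Demonstration on the constructed listing.
sample_listing | legacy_rpm_key_report
```

Against a real keyring, pipe `gpg --with-colons --list-keys` for the signing key into `legacy_rpm_key_report` and pass a different ceiling as the first argument if the target rpm's limit differs.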
Processing control commands:
reassign -1 buildscripts 0
Bug #897 [<buildscripts>] epel 5 repos have signature errors
Warning: Unknown package '<buildscripts>'
Bug reassigned from package '<buildscripts>' to 'buildscripts'.
Ignoring request to alter found versions of bug #897 to the same values previously set
Ignoring request to alter fixed versions of bug #897 to the same values previously set
Bug #897 [buildscripts] epel 5 repos have signature errors
There is no source info for the package 'buildscripts' at version '0' with architecture ''
Unable to make a source version for version '0'
Marked as found in versions 0.
close -1
Bug #897 [buildscripts] epel 5 repos have signature errors
Marked Bug as done
--
897: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=897
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems