RHEL-107187

The signatures of some rpm packages cannot be detected by '{SIGPGP:pgpsig}' option in rpm command


    • Bug
    • Resolution: Not a Bug
    • rhel-9.6.z, rhel-10.0.z, rhel-10.1, rhel-9.7
    • rpm
    • rhel-swm
    • x86_64

      There is an issue when checking the RPM signatures in RHEL. 

      # rpm -qa --qf "%{name}-%{version}-%{release}.%{arch} %{SIGPGP:pgpsig}\n" | grep -v "Key ID"
      ...
      libxml2-2.9.13-11.el9_6.x86_64 (none)
      sqlite-libs-3.34.1-8.el9_6.x86_64 (none)
      ...

      Some of the packages appear to be missing their signatures based on the above result, but the signatures can be seen in the following command.

      # rpm -qi libxml2-2.9.13-11.el9_6.x86_64 | grep Signature
      Signature   : RSA/SHA256, Thu 31 Jul 2025 10:01:58 AM CST, Key ID 199e2f91fd431d51
      # rpm -qi sqlite-libs-3.34.1-8.el9_6.x86_64 | grep Signature
      Signature   : RSA/SHA256, Fri 25 Jul 2025 01:15:55 PM CST, Key ID 199e2f91fd431d51
      
      

      This issue occurs in the current RHEL minor releases (e.g., 9.7, 9.8, 10.1, 10.2) and the z-stream of published RHEL systems (e.g., 9.6, 9.4, 10.0).

              packaging-team-maint
              Yongkui Guo (yoguo@redhat.com)
              Software Management QE
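The audit from the report can be made independent of any single signature tag. The following is an added example, not part of the ticket or of rpm itself: it queries all four rpm signature tags (`RSAHEADER`, `DSAHEADER`, `SIGPGP`, `SIGGPG`) and reports a package as unsigned only when every one of them is `(none)`. It assumes the packages that print `(none)` for `SIGPGP` carry a header-only signature, which the ticket does not state; the function names, the `legacy-pkg` and `localtool` packages and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: check every rpm signature tag, not SIGPGP alone.
# Assumption: packages that print "(none)" for SIGPGP are signed header-only.

# One tab-separated line per package: NEVRA, then each signature tag.
# rpm prints "(none)" for a tag the package does not carry.
SIG_QF='%{NEVRA}\t%{RSAHEADER:pgpsig}\t%{DSAHEADER:pgpsig}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n'

# Query the local rpm database.
list_signatures() {
    rpm -qa --qf "$SIG_QF"
}

# Read list_signatures-style lines on stdin. For each package print
# "<NEVRA><TAB><tag><TAB><signature>" for the first tag holding a signature,
# or "<NEVRA><TAB>UNSIGNED" when all four tags are "(none)".
# gpg-pubkey entries are imported keys, not signed packages, so they are skipped.
classify_signatures() {
    awk -F '\t' '
        BEGIN { tag[2]="RSAHEADER"; tag[3]="DSAHEADER"; tag[4]="SIGPGP"; tag[5]="SIGGPG" }
        $1 ~ /^gpg-pubkey-/ || NF < 5 { next }
        {
            for (i = 2; i <= 5; i++)
                if ($i != "(none)") { print $1 "\t" tag[i] "\t" $i; next }
            print $1 "\tUNSIGNED"
        }'
}

# Only the packages with no signature in any tag.
find_unsigned() {
    classify_signatures | awk -F '\t' '$2 == "UNSIGNED" { print $1 }'
}

# Constructed sample input. The libxml2 signature text is the one shown in the
# report; which tag holds it, and the other three entries, are made up.
sample_lines() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        'libxml2-2.9.13-11.el9_6.x86_64' 'RSA/SHA256, Thu 31 Jul 2025 10:01:58 AM CST, Key ID 199e2f91fd431d51' '(none)' '(none)' '(none)' \
        'legacy-pkg-1.0-1.el9.x86_64' '(none)' '(none)' 'RSA/SHA256, Mon 01 Jan 2024 12:00:00 AM UTC, Key ID 0000000000000000' '(none)' \
        'localtool-1.0-1.x86_64' '(none)' '(none)' '(none)' '(none)' \
        'gpg-pubkey-00000000-00000000' '(none)' '(none)' '(none)' '(none)'
}
```

On a live system, `list_signatures | find_unsigned` lists the installed packages that have no signature at all, and `list_signatures | classify_signatures` shows which tag each signature was found in.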