-
Bug
-
Resolution: Unresolved
-
Major
-
rhel-10.1
-
rpm-4.19.1.1-19.el10
-
No
-
Moderate
-
rhel-swm
-
26
-
28
-
None
-
False
-
False
-
-
None
-
None
-
Pass
-
Automated
-
Unspecified
-
Unspecified
-
Unspecified
-
None
rpmsign --resign --rpmv6 seems quite inconsistent in adding v4 signatures to package.
When package is not signed it adds compatible v4 signature just fine:
[root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm (none) [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --resign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm RSA/SHA256, Thu 14 Aug 2025 04:51:47 AM EDT, Key ID 06eaf65aa04d2f4f
However, when the same is run on already signed package, the v4 compatible signature is not added:
[root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm RSA/SHA256, Thu 23 Jan 2025 10:00:49 AM EST, Key ID 199e2f91fd431d51 [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --resign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm (none)
Expected result:
When rpmsign --resign is used with --rpmv6, all existing signatures should be replaced by newly added signature and compatible v4 signature should be added as well. Basically it should work the same way as sequence of commands --delsign & --addsign:
[root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm RSA/SHA256, Thu 23 Jan 2025 10:00:49 AM EST, Key ID 199e2f91fd431d51 [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --delsign tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm (none) [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --addsign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm tree-2.1.0-8.el10.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK MD5 digest: OK [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm RSA/SHA256, Thu 14 Aug 2025 04:57:50 AM EDT, Key ID 06eaf65aa04d2f4f
- links to
-
RHBA-2025:148781 rpm bug fix and enhancement update