RHEL-109204

rpmsign --resign --rpmv6 doesn't add compatible v4 signature to package


    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.1
    • rhel-10.1
    • rpm
    • rpm-4.19.1.1-19.el10

      rpmsign --resign --rpmv6 seems quite inconsistent in adding v4 signatures to a package.

      When the package is not signed, it adds a compatible v4 signature just fine:

       

      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      (none)
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --resign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      RSA/SHA256, Thu 14 Aug 2025 04:51:47 AM EDT, Key ID 06eaf65aa04d2f4f
      

      However, when the same is run on an already signed package, the v4-compatible signature is not added:

      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      RSA/SHA256, Thu 23 Jan 2025 10:00:49 AM EST, Key ID 199e2f91fd431d51
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --resign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      (none)
      

      Expected result:
      When rpmsign --resign is used with --rpmv6, all existing signatures should be replaced by the newly added signature, and a compatible v4 signature should be added as well. Basically, it should work the same way as the sequence of commands --delsign & --addsign:

      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          V4 RSA/SHA256 Signature, key ID fd431d51: NOKEY
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      RSA/SHA256, Thu 23 Jan 2025 10:00:49 AM EST, Key ID 199e2f91fd431d51
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --delsign tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      (none)
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpmsign --addsign --rpmv6 tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -Kv tree-2.1.0-8.el10.x86_64.rpm 
      tree-2.1.0-8.el10.x86_64.rpm:
          Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY
          Header SHA256 digest: OK
          Header SHA1 digest: OK
          Payload SHA256 digest: OK
          MD5 digest: OK
      [root@prereserve-1mt-rhel-10 tmp.gOGyaPop8f]# rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' tree-2.1.0-8.el10.x86_64.rpm 
      RSA/SHA256, Thu 14 Aug 2025 04:57:50 AM EDT, Key ID 06eaf65aa04d2f4f
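
The two queries used throughout this report can be turned into a post-signing gate that fails when a re-signed package lacks the v4-compatible signature or still carries a signature from another key. This is an added example, not part of the original report or of rpm; the function names and return codes are hypothetical, and it assumes the `rpm -Kv` and `%{rsaheader:pgpsig}` output formats shown above.

```shell
#!/bin/sh
# Added example: gate on the two checks used in the report.
# Function names and return codes are hypothetical.

# Read `rpm -Kv` output on stdin, print the distinct signing key IDs.
sig_key_ids() {
    sed -n 's/.*Signature, key ID \([0-9a-fA-F]*\):.*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Print the key ID from `%{rsaheader:pgpsig}` output; fail on "(none)".
v4_compat_key_id() {
    case "$1" in
        *"Key ID "*) printf '%s\n' "${1##*Key ID }" | tr 'A-F' 'a-f' ;;
        *) return 1 ;;
    esac
}

# check_resign KV_OUTPUT RSAHEADER_OUTPUT EXPECTED_LONG_KEY_ID
# 0 = ok, 1 = unsigned or a signature from another key is still present,
# 2 = v4-compatible signature missing, 3 = it was made by another key.
check_resign() {
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    ids=$(printf '%s\n' "$1" | sig_key_ids)
    [ -n "$ids" ] || return 1
    for id in $ids; do
        case "$want" in
            *"$id") ;;          # rpm -Kv prints the short form of the key ID
            *) return 1 ;;
        esac
    done
    compat=$(v4_compat_key_id "$2") || return 2
    [ "$compat" = "$want" ] || return 3
}

# Run both queries from the report against a package file.
verify_rpm() {
    check_resign "$(rpm -Kv "$1" 2>&1)" \
        "$(rpm -qp --nosignature --qf '%{rsaheader:pgpsig}\n' "$1")" "$2"
}

# Sample values copied from the report: state after --resign --rpmv6
# on the already signed package.
KV_AFTER='    Header V4 RSA/SHA256 Signature, key ID a04d2f4f: NOKEY
    Header SHA256 digest: OK'
check_resign "$KV_AFTER" '(none)' 06eaf65aa04d2f4f ||
    echo "signing gate failed with code $?"
```

In a signing pipeline, `verify_rpm PACKAGE EXPECTED_LONG_KEY_ID` would run after `rpmsign` and block publication on any non-zero return.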
      

              mdomonko@redhat.com Michal Domonkos
              mbanas@redhat.com Martin Banas
              packaging-team-maint packaging-team-maint
              Martin Banas Martin Banas