rpm 4.20, sequoia OpenPGP and old packages

Neal Gompa ngompa13 at gmail.com
Sat Feb 8 23:49:25 CET 2025


On Sat, Feb 8, 2025 at 5:39 PM Jan Rękorajski <baggins at pld-linux.org> wrote:
>
> TL;DR Packages with non-conformant OpenPGP signatures must be
> reinstalled with --nosignature.
>
> rpm 4.20 dropped the venerable rpmpgp custom library in favor of
> rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
> sequoia is much stricter in validating signatures and fails if the
> format is non-conformant to the standard. What it means is that
> packages built with rpm5 cannot be installed and ones already
> installed will cause errors and must be reinstalled.
>

FWIW, the rpmpgp custom library still exists and is somewhat
maintained: https://github.com/rpm-software-management/rpmpgp_legacy

> The former problem is fixed, I have re-signed all packages in main
> PLD Th repo.
>
> The latter is more involved, because rpm will barf without telling
> which package ails it.
>
> The easiest way to check if your system is affected is to run
> `rpm -qa --nosignature --qf ''` (which should output nothing) and watch
> if you see errors like those at the end of this message.
> In case you do, just run the below command, which will update rpm db
> for every bad package with the corrected one.
>
> rpm -qa --nosignature --qf '%{name}\n' | while read p ; do
>   rpm -V --nofiledigest --nofiles --nodigest $p 2>&1 | \
>     grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature $p
> done
>
> Final words - while we could stick to rpmpgp_legacy library for now,
> since it still can be used after going through some hoops, it will not
> be possible in the future, so let's deal with this now.
>

My understanding is that SUSE currently isn't interested in
rpm-sequoia, so it'll be around for a while yet. But in general, your
advice is correct from an rpm upstream perspective. Not to mention
that the DNF stack will depend on it too (for those who want to use it).
--
真実はいつも一つ!/ Always, there's only one truth!
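A report-only variant of the check quoted above, added here as an example and not part of either mail: it lists the packages whose stored signature rpm-sequoia rejects so they can be reviewed before any --justdb reinstall. It reuses the two error strings from the mail; the RPM_VERIFY variable is an assumed hook for stubbing rpm in a test.

```shell
#!/bin/sh
# Added example: find installed packages whose signature rpm-sequoia
# rejects, without touching the rpm database. The two error strings are
# the ones quoted in the mail. RPM_VERIFY is a hypothetical override so
# the rpm call can be stubbed in a test.
: "${RPM_VERIFY:=rpm -V --nofiledigest --nofiles --nodigest}"

# Exit 0 when the rpm -V output on stdin shows a rejected signature.
has_rejected_signature() {
  grep -Eq "non-conformant OpenPGP implementation|no certificate was provided"
}

# Print one affected package name per line (no output = clean system).
affected_packages() {
  rpm -qa --nosignature --qf '%{name}\n' | while read -r p; do
    # RPM_VERIFY is intentionally word-split into command and options.
    if $RPM_VERIFY "$p" 2>&1 | has_rejected_signature; then
      printf '%s\n' "$p"
    fi
  done
}

# Summary with exit status 1 when anything is affected, for pre-upgrade checks.
report() {
  bad=$(affected_packages)
  if [ -n "$bad" ]; then
    printf 'packages with signatures rpm-sequoia rejects:\n%s\n' "$bad"
    return 1
  fi
  echo "no affected packages"
}

# Invoke as: sh check-sigs.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = "run" ]; then
  report
fi
```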