rpm 4.20, sequoia OpenPGP and old packages
Jan Palus
atler at pld-linux.org
Wed Feb 12 12:23:01 CET 2025
On 08.02.2025 23:39, Jan Rękorajski wrote:
> TL;DR Packages with non-conformant OpenPGP signatures must be
> reinstalled with --nosignature.
>
> rpm 4.20 dropped the venerable rpmpgp custom library in favor of
> rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
> sequoia is much stricter in validating signatures and fails if the
> format is non-conformant to the standard. What it means is that
> packages built with rpm5 cannot be installed and ones already
> installed will cause errors and must be reinstalled.
>
> The former problem is fixed, I have re-signed all packages in main
> PLD Th repo.
>
> The latter is more involved, because rpm will barf without telling
> which package ails it.
>
> The easiest way to check if your system is affected is to run
> `rpm -qa --nosignature --qf ''` (which should output nothing) and watch
> if you see errors like those at the end of this message.
> In case you do, just run the below command, which will update rpm db
> for every bad package with the corrected one.
>
> rpm -qa --nosignature --qf '%{name}\n' | while read p ; do
> rpm -V --nofiledigest --nofiles --nodigest $p 2>&1 | \
> grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature $p
> done
I finally found the courage to upgrade to rpm 4.20 on one of my systems and
my oh my, rpm upgrades got the most disruptive of all packages, hands
down.
Anyway, regarding the above command: it has some issues and I advise using it
with care, as in its current shape it might be dangerous and possibly result
in a broken system, although that would manifest only in the future.
The most problematic part is the "--justdb" option. If the user did a full
`poldek --upgrade-dist` immediately followed by the above command, it likely
wouldn't have a negative impact. But if the user has an older version of the
reinstalled package, the rpmdb will claim to have the newer one while the files
would not reflect it. That could pose a problem in future
installs/upgrades in which rpm would consider dependencies satisfied
even though they're not in practice. I would advise dropping "--justdb".
The other problem is that the set of packages to be reinstalled is way too
excessive. I didn't check it in detail, but about all packages qualified
for reinstallation. It's due to the criteria considering any package having
an error in rpm -V even though the error does not really concern the given
package. Taking an example from pld-devel-pl:
error: Failed dependencies:
/usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
There were errors
Likely `rpm -V SDL2-devel` produces a signature error on this system (like
it did for me when doing `rpm -V rpm-sequoia-devel`), but in practice only
pkgconfig needed a reinstall.
As advised in the github ticket mentioned in the error message, the criterion
should be the number following "h#" in:
error: rpmdbNextIterator: skipping h# 1292
with the package to be reinstalled determined by
`rpm -q --qf='%{name}\n' --querybynumber 1292`
All in all I had a better experience with the following command:
LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | grep 'error: rpmdbNextIterator: skipping h#' | \
awk '{print $5}' | sort -u | xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
xargs -r poldek --reinstall --pmopt=--nosignature
Packages built manually due to redistribution restrictions need to be
listed in the third line and rebuilt/reinstalled.
I still fear how all this is gonna look on a multilib system though...
>
> Final words - while we could stick to rpmpgp_legacy library for now,
> since it still can be used after going through some hoops, it will not
> be possible in the future, so let's deal with this now.
>
> Sample errors:
>
> -----------------
> error: rpmdbNextIterator: skipping h# 1292
> Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
> Failed to parse Signature Packet
> because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
> because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 100011 (23))
> Header SHA1 digest: OK
> -----------------
> error: Verifying a signature, but no certificate was provided:
> Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
> because: Expired on 2018-09-15T07:33:10Z
> error: rpmdbNextIterator: skipping h# 881
> Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
> Header SHA1 digest: OK
> -----------------
>
> --
> Jan Rękorajski | PLD/Linux
> SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
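The h#-based selection discussed in the reply above, written as testable shell functions; this is an added example, not code from either message in the thread. The sample `rpm -Va` output, the resolver argument of `packages_to_reinstall` and the exclusion pattern are my constructions.

```shell
#!/bin/sh
# Added example: pick packages to reinstall from the "skipping h#" lines of
# `rpm -Va` only, instead of treating every package with any `rpm -V` error
# (e.g. a failed dependency) as needing a reinstall.

# Constructed sample of `rpm -Va` output, modelled on the errors quoted in the
# thread; h# 1292 appears twice and a dependency error is mixed in on purpose.
SAMPLE_RPM_OUTPUT='error: rpmdbNextIterator: skipping h# 1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature)
Header SHA1 digest: OK
error: Failed dependencies:
    /usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
error: rpmdbNextIterator: skipping h# 881
Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
error: rpmdbNextIterator: skipping h# 1292
Header SHA1 digest: OK'

# Print the unique rpmdb header numbers named in "skipping h#" lines, one per
# line, sorted numerically. Other error lines are ignored.
bad_header_numbers() {
    printf '%s\n' "$1" |
        sed -n 's/^error: rpmdbNextIterator: skipping h# \([0-9][0-9]*\)$/\1/p' |
        sort -un
}

# Resolver for live use (not run here): map header numbers on stdin to package
# names. --nosignature keeps rpm from failing on the very headers we query.
resolve_with_rpm() {
    xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber
}

# $1 = rpm -Va output, $2 = resolver command (header numbers in, names out),
# $3 = optional ERE of packages built locally that must be rebuilt by hand.
# Prints the package names to pass to poldek --reinstall (without --justdb,
# so the files on disk are replaced, not only the rpmdb entry).
packages_to_reinstall() {
    bad_header_numbers "$1" | "$2" | grep -vE "${3:-^\$}" || true
}

# Live invocation would be:
#   LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 \
#     | { packages_to_reinstall "$(cat)" resolve_with_rpm 'manual-pkg-re'; } \
#     | xargs -r poldek --reinstall --pmopt=--nosignature
```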