rpm 4.20, sequoia OpenPGP and old packages
Jan Rękorajski
baggins at pld-linux.org
Wed Feb 12 19:58:52 CET 2025
On Wed, 12 Feb 2025, Jan Palus wrote:
> On 08.02.2025 23:39, Jan Rękorajski wrote:
> > TL;DR Packages with non-conformant OpenPGP signatures must be
> > reinstalled with --nosignature.
> >
> > rpm 4.20 dropped the venerable rpmpgp custom library in favor of
> > rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
> > sequoia is much stricter in validating signatures and fails if the
> > format is non-conformant to the standard. What it means is that
> > packages built with rpm5 cannot be installed and ones already
> > installed will cause errors and must be reinstalled.
> >
> > The former problem is fixed, I have re-signed all packages in main
> > PLD Th repo.
> >
> > The latter is more involved, because rpm will barf without telling
> > which package ails it.
> >
> > The easiest way to check if your system is affected is to run
> > `rpm -qa --nosignature --qf ''` (which should output nothing) and watch
> > if you see errors like those at the end of this message.
> > In case you do, just run the below command, which will update rpm db
> > for every bad package with the corrected one.
> >
> > rpm -qa --nosignature --qf '%{name}\n' | while read p ; do
> > rpm -V --nofiledigest --nofiles --nodigest $p 2>&1 | \
> > grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature $p
> > done
>
> I finally found courage to upgrade to rpm 4.20 on one of my systems and
> my oh my rpm upgrades got the most disruptive of all packages hands
> down.
>
> Anyway, regarding the above command, it has some issues and I advise using it
> with care, as in its current shape it might be dangerous and possibly result
> in a broken system, although that would manifest only in the future.
>
> The most problematic part is the "--justdb" option. If the user did a full
> `poldek --upgrade-dist` immediately followed by the above command it likely
> wouldn't have a negative impact. But if the user has an older version of the
> reinstalled package, the rpmdb will claim to have the newer one while the files
> would not reflect it. That could pose a problem in future
> installs/upgrades, in which rpm would consider dependencies satisfied
> even though they're not in practice. I would advise dropping "--justdb".
>
> The other problem is set of packages to be reinstalled is way too
> excessive. I didn't check it in detail but about all packages qualified
> for reinstallation. It's due to criteria considering any package having
> error in rpm -V even though the error does not really consider given
> package. Taking example from pld-devel-pl:
>
> error: Failed dependencies:
> /usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
> There were errors
>
> Likely `rpm -V SDL2-devel` produces signature error on this system (like
> it did for me when doing `rpm -V rpm-sequoia-devel`) but in practice only
> pkgconfig needed a reinstall.
>
> As advised in the GitHub ticket mentioned in the error message, the criterion
> should be the number following "h#" in:
>
> error: rpmdbNextIterator: skipping h# 1292
>
> with the package to be reinstalled determined by
> `rpm -q --qf='%{name}\n' --querybynumber 1292`
>
> All in all I had a better experience with the following command:
>
> LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | grep 'error: rpmdbNextIterator: skipping h#' | \
> awk '{print $5}' | sort -u | xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
> grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
> xargs -r poldek --reinstall --pmopt=--nosignature
>
> Packages built manually due to redistribution restrictions need to be
> listed in the third line and rebuilt/reinstalled.
Thanks, updated wiki with your command.
> I still fear how all this gonna look like on multilib system though...
Looked fine to me, the thing is only very old packages have the problem.
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
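The pipeline in the thread keys on the "skipping h#" header numbers rather than on any rpm -V failure, which is what keeps unrelated "Failed dependencies" noise from pulling every package into the reinstall set. The script below is an added example written for this page, not code posted by either author or shipped by PLD: it factors that selection into shell functions that can be tested against a constructed sample of rpm output, keeps the manual-package exclusion pattern as a parameter, and runs poldek only when DRY_RUN is unset, so the list can be reviewed before anything is reinstalled. The sample error text, the function names and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): select packages whose rpmdb headers
# fail sequoia's OpenPGP validation, using only the "skipping h#" lines.

# Constructed sample of what `LC_ALL=C rpm -Va ... 2>&1` can emit on an
# affected system; header numbers and package names are made up here.
SAMPLE_RPM_ERRORS='error: rpmdbNextIterator: skipping h# 1292
error: rpmdbNextIterator: skipping h# 87
error: rpmdbNextIterator: skipping h# 1292
error: Failed dependencies:
        /usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
There were errors'

# Keep only the rpmdb iterator errors and reduce them to a unique, sorted
# list of header numbers. The dependency errors above are deliberately
# ignored: they say nothing about the signature of the package they name.
extract_bad_headers() {
    printf '%s\n' "$1" \
      | grep 'error: rpmdbNextIterator: skipping h#' \
      | awk '{print $5}' \
      | sort -un
}

# Remove packages that must not be reinstalled from the repo, e.g. ones
# built locally because of redistribution restrictions. $1 is a
# newline-separated name list, $2 an ERE of names to exclude (may be empty).
filter_excluded() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1" | grep -vE "$2" || true
    else
        printf '%s\n' "$1"
    fi
}

# Full procedure against the live rpmdb. Only the header-number query
# (rpm -q --querybynumber) maps numbers to names; poldek is invoked only
# when DRY_RUN is unset, otherwise the candidate list is printed.
fix_nonconformant_signatures() {
    exclude_re=$1            # ERE of manually-built packages, may be empty
    errors=$(LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1)
    headers=$(extract_bad_headers "$errors")
    [ -n "$headers" ] || { echo "no non-conformant headers found"; return 0; }
    names=$(printf '%s\n' "$headers" \
              | xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber)
    names=$(filter_excluded "$names" "$exclude_re")
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would reinstall:\n%s\n' "$names"
    else
        # No --justdb: the package files are replaced, so the rpmdb and the
        # filesystem cannot drift apart as discussed in the thread.
        printf '%s\n' "$names" | xargs -r poldek --reinstall --pmopt=--nosignature
    fi
}

# Example invocation, only when run directly on a PLD system:
#   DRY_RUN=1 sh this_script.sh 'acroread|some-other-local-pkg'
if [ "${RUN_FIX:-}" = 1 ]; then
    fix_nonconformant_signatures "${1:-}"
fi
```

Run it once with DRY_RUN=1 to see the candidate list, compare it with `rpm -q --querybynumber` output for a couple of the header numbers, and only then run without DRY_RUN.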