rpm 4.20, sequoia OpenPGP and old packages
Jan Rękorajski
baggins at pld-linux.org
Wed Feb 12 20:03:37 CET 2025
On Wed, 12 Feb 2025, Jan Rękorajski wrote:
> On Wed, 12 Feb 2025, Jan Palus wrote:
>
> > On 08.02.2025 23:39, Jan Rękorajski wrote:
> > > TL;DR Packages with non-conformant OpenPGP signatures must be
> > > reinstalled with --nosignature.
> > >
> > > rpm 4.20 dropped the venerable rpmpgp custom library in favor of
> > > rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
> > > sequoia is much stricter in validating signatures and fails if the
> > > format is non-conformant to the standard. What it means is that
> > > packages built with rpm5 cannot be installed and ones already
> > > installed will cause errors and must be reinstalled.
> > >
> > > The former problem is fixed, I have re-signed all packages in main
> > > PLD Th repo.
> > >
> > > The latter is more involved, because rpm will barf without telling
> > > which package ails it.
> > >
> > > The easiest way to check if your system is affected is to run
> > > `rpm -qa --nosignature --qf ''` (which should output nothing) and watch
> > > if you see errors like those at the end of this message.
> > > In case you do, just run the below command, which will update rpm db
> > > for every bad package with the corrected one.
> > >
> > > rpm -qa --nosignature --qf '%{name}\n' | while read p ; do
> > > rpm -V --nofiledigest --nofiles --nodigest $p 2>&1 | \
> > > grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature $p
> > > done
> >
> > I finally found the courage to upgrade to rpm 4.20 on one of my systems and,
> > my oh my, rpm upgrades got the most disruptive of all packages hands
> > down.
> >
> > Anyway, regarding the above command, it has some issues and I advise using it
> > with care, as in its current shape it might be dangerous and possibly result
> > in a broken system, although that would manifest only in the future.
> >
> > The most problematic part is the "--justdb" option. If the user did a full
> > `poldek --upgrade-dist` immediately followed by the above command, it likely
> > wouldn't have a negative impact. But if the user has an older version of the
> > reinstalled package, the rpmdb will claim to have the newer one while the files
> > would not reflect it. That could pose a problem in future
> > installs/upgrades, in which rpm would consider dependencies satisfied
> > even though they're not in practice. I would advise dropping "--justdb".
> >
> > The other problem is that the set of packages to be reinstalled is far too
> > large. I didn't check it in detail, but almost all packages qualified
> > for reinstallation. It's due to the criteria treating any package with an
> > error in rpm -V as affected, even though the error does not really concern the
> > given package. Taking an example from pld-devel-pl:
> >
> > error: Failed dependencies:
> > /usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
> > There were errors
> >
> > Likely `rpm -V SDL2-devel` produces a signature error on this system (like
> > it did for me when doing `rpm -V rpm-sequoia-devel`), but in practice only
> > pkgconfig needed a reinstall.
> >
> > As advised in the GitHub ticket mentioned in the error message, the criterion
> > should be the number following "h#" in:
> >
> > error: rpmdbNextIterator: skipping h# 1292
> >
> > the package to be reinstalled is determined by
> > `rpm -q --qf='%{name}\n' --querybynumber 1292`
> >
> > All in all, I had a better experience with the following command:
> >
> > LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | grep 'error: rpmdbNextIterator: skipping h#' | \
> > awk '{print $5}' | sort -u | xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
> > grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
> > xargs -r poldek --reinstall --pmopt=--nosignature
> >
> > Packages built manually due to redistribution restrictions need to be
> > listed in the third line and rebuilt/reinstalled.
>
> Thanks, updated wiki with your command.
>
> > I still fear how all this is going to look on a multilib system though...
>
> Looked fine to me, the thing is only very old packages have the problem.
Just in case, changing the query format to '%{name}-%{version}-%{release}.%{arch}\n'
should do the trick.
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
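The procedure discussed in this thread, pulled together as an added example (this is not a script from the list or from PLD, and is shown here for illustration only): parse the `skipping h# N` lines from `rpm -Va`, map the header numbers to full NVRA so multilib copies stay distinct, drop locally built packages via an exclusion file, and reinstall without `--justdb`. The function names, the `EXCLUDE_FILE` and `DRY_RUN` variables, and the sample stderr with its header numbers are all this example's own assumptions, not output from a real system.

```shell
#!/bin/sh
# Added example (not the list's own script): detect rpmdb headers that
# rpm 4.20/rpm-sequoia rejects, map them to full NVRA, and reinstall them
# without --justdb.  Function names, EXCLUDE_FILE and DRY_RUN are this
# example's own conventions.  Assumes rpm >= 4.20 and poldek on the host.

# Print the distinct rpmdb header numbers from "skipping h# N" error lines
# read on stdin, one per line, numerically sorted.  Everything else
# (dependency errors, verify output) is ignored, which is what avoids the
# "reinstall nearly everything" problem of grepping rpm -V per package.
extract_header_numbers() {
    LC_ALL=C sed -n 's/^error: rpmdbNextIterator: skipping h# \([0-9][0-9]*\).*$/\1/p' \
        | sort -un
}

# Constructed sample of `rpm -Va ... 2>&1` on an affected system; the header
# numbers are invented for this example.
SAMPLE_STDERR='error: rpmdbNextIterator: skipping h# 1292
error: Failed dependencies:
        /usr/bin/pkg-config is needed by SDL2-devel-2.32.0-1.x86_64
error: rpmdbNextIterator: skipping h# 1292
error: rpmdbNextIterator: skipping h# 87
There were errors'

# Run the extractor over the sample and join the result with spaces so the
# outcome can be checked without an rpm database.
sample_header_numbers() {
    printf '%s\n' "$SAMPLE_STDERR" | extract_header_numbers | tr '\n' ' ' | sed 's/ *$//'
}

# Full procedure on a real host.  NVRA in the query format keeps i686 and
# x86_64 copies of the same name apart on multilib systems.  EXCLUDE_FILE
# (optional) lists one NVRA per line for packages built locally because of
# redistribution restrictions; those have to be rebuilt/reinstalled by hand.
# DRY_RUN=1 only prints what would be reinstalled.
reinstall_rejected_signatures() {
    nums=$(rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | extract_header_numbers)
    if [ -z "$nums" ]; then
        echo "no rpmdb headers with rejected signatures found"
        return 0
    fi
    pkgs=$(printf '%s\n' $nums | xargs -r rpm -q --nosignature \
        --qf '%{name}-%{version}-%{release}.%{arch}\n' --querybynumber)
    if [ -n "${EXCLUDE_FILE:-}" ] && [ -r "$EXCLUDE_FILE" ]; then
        pkgs=$(printf '%s\n' "$pkgs" | grep -vxF -f "$EXCLUDE_FILE")
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$pkgs"
        return 0
    fi
    # No --justdb: the files must be rewritten along with the header, or the
    # database would claim a version the filesystem does not actually have.
    printf '%s\n' "$pkgs" | xargs -r poldek --reinstall --pmopt=--nosignature
}

# Only touch the system when explicitly asked: `sh fix-sigs.sh --run`.
if [ "${1:-}" = "--run" ]; then
    reinstall_rejected_signatures
fi
```

Run it once with `DRY_RUN=1 sh fix-sigs.sh --run` and compare the printed NVRA list against what `rpm -qa` shows before letting poldek touch anything; on a system that was not fully upgraded first, reinstalling without `--justdb` is exactly what keeps the database and the filesystem in agreement.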