rpm 4.20, sequoia OpenPGP and old packages

Jan Rękorajski baggins at pld-linux.org
Sat Feb 8 23:53:44 CET 2025


TL;DR Packages with non-conformant OpenPGP signatures must be
reinstalled with --nosignature.

rpm 4.20 dropped the venerable rpmpgp custom library in favor of
rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
sequoia is much stricter in validating signatures and fails if the
format is non-conformant to the standard. What this means is that
packages built with rpm5 cannot be installed, and ones already
installed will cause errors and must be reinstalled.

The former problem is fixed: I have re-signed all packages in the main
PLD Th repo.

The latter is more involved, because rpm will barf without telling you
which package ails it.

The easiest way to check if your system is affected is to run
`rpm -qa --nosignature --qf ''` (which should output nothing) and watch
whether you see errors like those at the end of this message.
In case you do, just run the command below, which replaces the rpm db
entry of every bad package with the corrected one.

# For every installed package, re-verify only the header signature;
# if it fails with one of the two sequoia errors, refresh the db entry
# (--justdb: nothing on disk is touched) skipping the signature check.
rpm -qa --nosignature --qf '%{name}\n' | while read -r p ; do
  rpm -V --nofiledigest --nofiles --nodigest "$p" 2>&1 | \
    grep -Eoq "non-conformant OpenPGP implementation|no certificate was provided" && poldek -q --reinstall --justdb --pmopt=--nosignature "$p"
done
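An added, slightly more cautious variant of the same procedure (example code, not the script from this message): it classifies the two error texts quoted below, identifies packages by name-version-release so that packages installed more than once (kernels) are handled one by one, and only reports by default. The sample strings are constructed from the errors at the end of this message; that poldek accepts a name-version-release spec and that `rpm -V` on a single package reproduces the header error are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Assumes rpm >= 4.20 with
# rpm-sequoia and poldek, as described in the post.

# Constructed samples: the error texts quoted in the post, as rpm -V prints them.
SAMPLE_NONCONFORMANT='error: rpmdbNextIterator: skipping h#    1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
        because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
SAMPLE_EXPIRED='error: Verifying a signature, but no certificate was provided:
  Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
        because: Expired on 2018-09-15T07:33:10Z'
SAMPLE_CLEAN='Header SHA1 digest: OK'

# sig_status OUTPUT: print "nonconformant", "nocert" or "ok" depending on
# whether OUTPUT (captured from rpm -V) shows one of the two failures
# that require refreshing the package's db entry.
sig_status() {
    case "$1" in
        *"non-conformant OpenPGP implementation"*) echo nonconformant ;;
        *"no certificate was provided"*)           echo nocert ;;
        *)                                         echo ok ;;
    esac
}

# scan_rpmdb: walk the installed packages by name-version-release and
# print the ones sequoia rejects, one per line, as "NVR: status".
# Nothing is changed unless DO_REINSTALL=1 is set in the environment;
# then the db entry is rewritten the same way the post's loop does it.
scan_rpmdb() {
    rpm -qa --nosignature --qf '%{name}-%{version}-%{release}\n' |
    while read -r p; do
        st=$(sig_status "$(rpm -V --nofiles --nofiledigest --nodigest "$p" 2>&1)")
        [ "$st" = ok ] && continue
        echo "$p: $st"
        if [ "${DO_REINSTALL:-0}" = 1 ]; then
            # --justdb: only the rpm database entry is replaced, files stay as they are
            poldek -q --reinstall --justdb --pmopt=--nosignature "$p"
        fi
    done
}
```

Run `scan_rpmdb` once to get the list of affected packages, then `DO_REINSTALL=1 scan_rpmdb` to fix them; a second plain `scan_rpmdb` afterwards should print nothing.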

Final words - while we could stick to the rpmpgp_legacy library for now,
since it can still be used after going through some hoops, that will not
be possible in the future, so let's deal with this now.

Sample errors:

-----------------
error: rpmdbNextIterator: skipping h#    1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
        because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
              because: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100011 (23))
              Header SHA1 digest: OK
-----------------
error: Verifying a signature, but no certificate was provided:
  Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
        because: Expired on 2018-09-15T07:33:10Z
error: rpmdbNextIterator: skipping h#     881
Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
Header SHA1 digest: OK
-----------------

-- 
Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
