Background info:
I am working at a site that requires JDK to be deployed by Red Hat Satellite Automatically. So I have resigned the package and try to deploy, and it will fail with following error msg;
warning: jdk-1.6.0_18-fcs.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID XXXXXXXX
To Check which version of RPM was used to sign rpm;
# rpm -q --qf '%{RPMVERSION}' -p jdk-1.6.0_18-fcs.x86_64.rpm
3.0.6
Question: Can you resign a binary rpm that was built with rpm 3.0.x?
Short Answer: You are in bad luck!
Well, it will let you, but it doesn’t mean that it can be used. You can’t do it, this is due to the fact that 3.0.x is so long ago, and technical feature has been added to RPM and due to that, it won’t work properly.
Long Answer:
There is a deep design issue underlying this mess.
RPM has been mired between header+payload and header-only signatures for many
years now.
In order to preserve header+payload MD5 as a universal invariant independent of
what is implemented in rpm when resigning, the legacy header which is part
of the header+payload MD5 digest cannot be changed.
In order to support header-only signatures on an immutable region,
markers are added to the header to identify the immutable header-only region
blob that is signed.
The conclusion is that header-only signature/digest should not be attempted
when resigning legacy packages. Any other scheme will either add Yet Another
Package format special case, or otherwise change the invariant header+payload
MD5 digest.
And the right “fix” is to dump header+payload signatures entirely. There is a deep design issue underlying this mess.
RPM has been mired between header+payload and header-only signatures for many
years now.
In order to preserve header+payload MD5 as a universal invariant independent of
what is implemented in rpm when resigning, the legacy header which is part
of the header+payload MD5 digest cannot be changed.
In order to support header-only signatures on an immutable region,
markers are added to the header to identify the immutable header-only region
blob that is signed.
The conclusion is that header-only signature/digest should not be attempted
when resigning legacy packages. Any other scheme will either add Yet Another
Package format special case, or otherwise change the invariant header+payload
MD5 digest.
And the right “fix” is to dump header+payload signatures entirely.
There are other payload complications that need solving to preserve
header+paload md5 invariance (for true legacy compatibility) as well.
E.g. invariance assumes that zlib never changes what is written to
a resigned package for all rpm implementations.
I’d suggest that the one line patch to handle the region marker change
in the signature header, and living with the accurate (because legacy headers
are invariant all versions of rpm afaik) but mysterious (essential elements to
compute a header-only signature/digest are not present in the definition
of the header, perhaps something other than NOKEY to be returned)
Header V3 DSA signature: NOKEY, key ID 831ffbca
is the only sane path forward.
But feel free to do whatever you want, patches cheerfully accepted!
Above are the comments from Jeff Johnson in Red Hat’s Bugzilla #127113
So the fix?
Resign the pkg with rpm 3.0.x which is Red Hat 6.2 which I don’t think anyone would see it as an answer.
Then only option is ignoring GPG signature path…
so for last few days my family had to go through rather sweaty experience. Yesterday was the peak of that and decided to run away to the Brighton beach and saw this wonderful sunset. This was just a view that blew all the heat and uncomfortableness away.
