Hi. I read the yum source code.
The message 'Package xxx is not signed' is printed at line 2175 of yum/__init__.py.

http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=yum/__init__.py;h=99039e0ecdbcfcec25ab6084b0a92333bbc4f03a;hb=02a6d7ad9752e67812460a67400826313bbc5326#l2146

```
2146         ts = self.rpmdb.readOnlyTS()
2147         sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
2148         localfn = os.path.basename(po.localPkg())
2149
2150         if sigresult == 0:
2151             result = 0
2152             msg = ''
2153
2154         elif sigresult == 1:
2155             if hasgpgkey:
2156                 result = 1
2157             else:
2158                 result = 2
2159             msg = _('Public key for %s is not installed') % localfn
2160
2161         elif sigresult == 2:
2162             result = 2
2163             msg = _('Problem opening package %s') % localfn
2164
2165         elif sigresult == 3:
2166             if hasgpgkey:
2167                 result = 1
2168             else:
2169                 result = 2
2170             result = 1
2171             msg = _('Public key for %s is not trusted') % localfn
2172
2173         elif sigresult == 4:
2174             result = 2
2175             msg = _('Package %s is not signed') % localfn
```

The case where the return value of checkSig is 4 is at line 88 in rpmUtils/miscutils.py.

http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=rpmUtils/miscutils.py;h=aea455082c91c51bcc5986174c2bd1f699ff1d94;hb=02a6d7ad9752e67812460a67400826313bbc5326#l61

```
 61 def checkSig(ts, package):
 62     """Takes a transaction set and a package, check it's sigs,
 63     return 0 if they are all fine
 64     return 1 if the gpg key can't be found
 65     return 2 if the header is in someway damaged
 66     return 3 if the key is not trusted
 67     return 4 if the pkg is not gpg or pgp signed"""
 68
 69     value = 0
 70     currentflags = ts.setVSFlags(0)
 71     fdno = os.open(package, os.O_RDONLY)
 72     try:
 73         hdr = ts.hdrFromFdno(fdno)
 74     except rpm.error, e:
 75         if str(e) == "public key not availaiable":
 76             value = 1
 77         if str(e) == "public key not available":
 78             value = 1
 79         if str(e) == "public key not trusted":
 80             value = 3
 81         if str(e) == "error reading package header":
 82             value = 2
 83     else:
 84         error, siginfo = getSigInfo(hdr)
 85         if error == 101:
 86             os.close(fdno)
 87             del hdr
 88             value = 4
 89         else:
 90             del hdr
 91
 92     try:
 93         os.close(fdno)
 94     except OSError, e: # if we're not opened, don't scream about it
 95         pass
 96
 97     ts.setVSFlags(currentflags) # put things back like they were before
 98     return value
 99
100 def getSigInfo(hdr):
101     """checks signature from an hdr hand back signature information and/or
102     an error code"""
103
104     locale.setlocale(locale.LC_ALL, 'C')
105     string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
106     siginfo = hdr.sprintf(string)
107     if siginfo != '(none)':
108         error = 0
109         sigtype, sigdate, sigid = siginfo.split(',')
110     else:
111         error = 101
112         sigtype = 'MD5'
113         sigdate = 'None'
114         sigid = 'None'
115
116     infotuple = (sigtype, sigdate, sigid)
117     return error, infotuple
```

The case when checkSig returns 4 corresponds to line 111 above.

I ran rpm -qi to see the rpm information and I found the value of the 'Signature' field is '(none)'. Is it OK?

```
$ rpm -qi -p /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
Name        : hn-python2-python-libs
Version     : 2.7.11
Release     : 3.el7.centos
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/System
Size        : 27548758
License     : Python
Signature   : (none)
Source RPM  : hn-python2-python-2.7.11-3.el7.centos.src.rpm
Build Date  : Wed Dec 23 06:45:59 2015
Build Host  : copr-builder-27528630.novalocal
Relocations : (not relocatable)
Vendor      : Fedora Project COPR (hnakamur/hnscl-python2-python)
URL         : http://www.python.org/
Summary     : Runtime libraries for Python
Description :
This package contains runtime libraries for use by Python:
- the libpython dynamic library, for use by applications that embed Python as
  a scripting language, and by the main "python" executable
- the Python standard library
```

On the other hand, rpm -K prints 'md5 OK' on this rpm.

```
$ rpm -K /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
/var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK
```

Best regards,
Hiroaki Nakamura

2015-12-23 23:30 GMT+09:00 Hiroaki Nakamura <[email protected]>:
> Hi,
>
> 2015-12-23 18:14 GMT+09:00 Patrick Uiterwijk <[email protected]>:
>> Hi,
>>
>> The latest build of your package is correctly signed:
>> hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)
>
> Thanks for pointing that out.
>
> I installed gpg keys manually with the following commands.
>
> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>
> And I confirmed the python-libs rpm is signed.
>
> $ rpm -K hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
> hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
>
> However I still got the 'is not signed' error with yum install.
>
> $ sudo yum install -y -v hn-python2-python
> Loading "fastestmirror" plugin
> Config time: 0.008
> Yum version: 3.4.3
> ...(snip)...
> Package hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm is not signed
> $ echo $?
> 1
>
> I edited my *.repo files to use file:/// url for gpgkey instead of
> https:// urls, still no luck.
>
> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2.repo
> [hnakamur-hnscl-python2]
> name=Copr repo for hnscl-python2 owned by hnakamur
> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/epel-7-$basearch/
> skip_if_unavailable=True
> gpgcheck=1
> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
> enabled=1
> enabled_metadata=1
> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2-python.repo
> [hnakamur-hnscl-python2-python]
> name=Copr repo for hnscl-python2-python owned by hnakamur
> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/epel-7-$basearch/
> skip_if_unavailable=True
> gpgcheck=1
> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
> enabled=1
> enabled_metadata=1
>
> As a workaround, I confirmed I can install my rpms with the yum --nogpgcheck
> option.
>
> $ sudo yum install -y --nogpgcheck hn-python2-python
>
> However I'd like to install the rpm without the --nogpgcheck option.
> Could you give some advice?
>
> Best regards,
> Hiroaki Nakamura
>
>
>>
>> Please note that the very first build in a COPR is not always signed due to
>> a bug (or at least, used to be), but any further builds should be signed.
>>
>> With kind regards,
>> Patrick Uiterwijk
>> Fedora Infra
>>
>> ----- Original Message -----
>>> Hello.
>>>
>>> How do I make sure rpms are signed on copr?
>>>
>>> I tried to build my Python2 rpm. It was built successfully but it was
>>> not signed.
>>> https://copr.fedoraproject.org/coprs/hnakamur/hnscl-python2-python/
>>>
>>> I built other rpms and they are signed.
>>> https://copr.fedoraproject.org/coprs/hnakamur/varnish-head/
>>> https://copr.fedoraproject.org/coprs/hnakamur/libvmod-header/
>>>
>>> I don't know why my Python2 rpm was not signed.
>>> I'd like to know the way to make sure rpms are signed on copr.
>>>
>>>
>>> By the way, thanks for a great service like copr!
>>> It is very useful!
>>>
>>> Best regards,
>>> Hiroaki Nakamura
>>> _______________________________________________
>>> copr-devel mailing list
>>> [email protected]
>>> https://lists.fedorahosted.org/admin/lists/[email protected]
>>>
>
>
>
> --
> Hiroaki Nakamura ([email protected])

--
Hiroaki Nakamura ([email protected])
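
Added example, not part of the original thread and not yum or rpm code: a small classifier for the three `rpm -K` result lines quoted above, assuming the output format shown in this thread (function and verdict names are this example's own). It makes explicit that a line listing only digests (`sha1 md5 OK`) carries no signature, which is the case yum's checkSig reports as 4.

```python
import re

# Signature-type tokens as printed by `rpm -K` in the lines quoted in this thread.
SIGNATURE_TOKENS = {"rsa", "dsa", "pgp", "gpg"}
RESULT_RE = re.compile(r"^(?P<path>.+?\.rpm): (?P<body>.+)$")


def classify_checksig_line(line):
    """Return (path, verdict) for one `rpm -K` result line.

    Verdicts (names are this example's own): 'unsigned', 'signed-ok',
    'signed-key-missing', 'failed'.
    """
    match = RESULT_RE.match(line.strip())
    if match is None:
        raise ValueError("not an rpm -K result line: %r" % (line,))
    # Cut off the trailing "(MISSING KEYS: ...)" note before tokenizing.
    summary, key_note, _ = match.group("body").partition(" (MISSING KEYS:")
    ok = not summary.endswith("NOT OK")
    tokens = re.findall(r"[A-Za-z0-9]+", summary)
    # A digest (sha1, md5) proves integrity only; origin needs a signature.
    signed = any(tok.lower() in SIGNATURE_TOKENS for tok in tokens)
    if not ok:
        verdict = "signed-key-missing" if (signed and key_note) else "failed"
    else:
        verdict = "signed-ok" if signed else "unsigned"
    return match.group("path"), verdict


def unsigned_packages(lines):
    """Paths whose result line lists digests but no signature."""
    return [p for p, v in map(classify_checksig_line, lines) if v == "unsigned"]


# The three result lines quoted in the thread (wrapped lines rejoined).
SAMPLE_LINES = [
    "/var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/"
    "hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK",
    "hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: "
    "rsa sha1 (md5) pgp md5 OK",
    "hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: "
    "RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)",
]

if __name__ == "__main__":
    for path, verdict in map(classify_checksig_line, SAMPLE_LINES):
        print("%-20s %s" % (verdict, path))
```

Run over the files in a yum cache or a mirrored repository, `unsigned_packages` lists the ones that would fail with `gpgcheck=1`.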
