Hi. I checked the value for the Signature header of another rpm I built, which I can successfully install with yum.
The project page is https://copr.fedoraproject.org/coprs/hnakamur/nodejs/

I installed the nodejs rpm with the following command.

```
$ (cd /etc/yum.repos.d && sudo curl -sLO https://copr.fedoraproject.org/coprs/hnakamur/nodejs/repo/epel-7/hnakamur-nodejs-epel-7.repo)
$ sudo yum -y install nodejs
```

And I checked the value for the Signature header.

```
$ rpm -qi nodejs
Name        : nodejs
Version     : 4.2.4
Release     : 1.el7.centos
Architecture: x86_64
Install Date: Fri Dec 25 01:42:38 2015
Group       : Development/Libraries
Size        : 21159862
License     : MIT License
Signature   : RSA/SHA1, Fri Dec 25 01:39:27 2015, Key ID 171a73c11efd624f
Source RPM  : nodejs-4.2.4-1.el7.centos.src.rpm
Build Date  : Fri Dec 25 01:39:02 2015
Build Host  : copr-builder-457549204.novalocal
Relocations : /usr
Packager    : Kazuhisa Hara <[email protected]>
Vendor      : Fedora Project COPR (hnakamur/nodejs)
URL         : https://nodejs.org
Summary     : Node.js is a server-side JavaScript environment that uses an asynchronous event-driven model.
Description :
Node.js is a server-side JavaScript environment that uses an asynchronous event-driven model. This allows Node.js to get excellent performance based on the architectures of many Internet applications.
```

The value of the Signature header is "RSA/SHA1, Fri Dec 25 01:39:27 2015, Key ID 171a73c11efd624f", which is different from the value of "(none)" for hn-python2-python-libs as I wrote in my previous mail.

Why did the difference happen?

2015-12-25 1:10 GMT+09:00 Hiroaki Nakamura <[email protected]>:
> Hi.
>
> I read the yum source code.
>
> The message 'Package xxx is not signed' is printed at the line 2175 of
> yum/__init__.py.
>
> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=yum/__init__.py;h=99039e0ecdbcfcec25ab6084b0a92333bbc4f03a;hb=02a6d7ad9752e67812460a67400826313bbc5326#l2146
>
> ```
> 2146     ts = self.rpmdb.readOnlyTS()
> 2147     sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
> 2148     localfn = os.path.basename(po.localPkg())
> 2149
> 2150     if sigresult == 0:
> 2151         result = 0
> 2152         msg = ''
> 2153
> 2154     elif sigresult == 1:
> 2155         if hasgpgkey:
> 2156             result = 1
> 2157         else:
> 2158             result = 2
> 2159         msg = _('Public key for %s is not installed') % localfn
> 2160
> 2161     elif sigresult == 2:
> 2162         result = 2
> 2163         msg = _('Problem opening package %s') % localfn
> 2164
> 2165     elif sigresult == 3:
> 2166         if hasgpgkey:
> 2167             result = 1
> 2168         else:
> 2169             result = 2
> 2170         result = 1
> 2171         msg = _('Public key for %s is not trusted') % localfn
> 2172
> 2173     elif sigresult == 4:
> 2174         result = 2
> 2175         msg = _('Package %s is not signed') % localfn
> ```
>
> The case for return value of checkSig is 4 is at the line 88 in
> rpmUtils/miscutils.py.
>
> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=rpmUtils/miscutils.py;h=aea455082c91c51bcc5986174c2bd1f699ff1d94;hb=02a6d7ad9752e67812460a67400826313bbc5326#l61
>
> ```
>  61 def checkSig(ts, package):
>  62     """Takes a transaction set and a package, check it's sigs,
>  63     return 0 if they are all fine
>  64     return 1 if the gpg key can't be found
>  65     return 2 if the header is in someway damaged
>  66     return 3 if the key is not trusted
>  67     return 4 if the pkg is not gpg or pgp signed"""
>  68
>  69     value = 0
>  70     currentflags = ts.setVSFlags(0)
>  71     fdno = os.open(package, os.O_RDONLY)
>  72     try:
>  73         hdr = ts.hdrFromFdno(fdno)
>  74     except rpm.error, e:
>  75         if str(e) == "public key not availaiable":
>  76             value = 1
>  77         if str(e) == "public key not available":
>  78             value = 1
>  79         if str(e) == "public key not trusted":
>  80             value = 3
>  81         if str(e) == "error reading package header":
>  82             value = 2
>  83     else:
>  84         error, siginfo = getSigInfo(hdr)
>  85         if error == 101:
>  86             os.close(fdno)
>  87             del hdr
>  88             value = 4
>  89         else:
>  90             del hdr
>  91
>  92     try:
>  93         os.close(fdno)
>  94     except OSError, e: # if we're not opened, don't scream about it
>  95         pass
>  96
>  97     ts.setVSFlags(currentflags) # put things back like they were before
>  98     return value
>  99
> 100 def getSigInfo(hdr):
> 101     """checks signature from an hdr hand back signature information and/or
> 102     an error code"""
> 103
> 104     locale.setlocale(locale.LC_ALL, 'C')
> 105     string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
> 106     siginfo = hdr.sprintf(string)
> 107     if siginfo != '(none)':
> 108         error = 0
> 109         sigtype, sigdate, sigid = siginfo.split(',')
> 110     else:
> 111         error = 101
> 112         sigtype = 'MD5'
> 113         sigdate = 'None'
> 114         sigid = 'None'
> 115
> 116     infotuple = (sigtype, sigdate, sigid)
> 117     return error, infotuple
> ```
>
> The case when checkSig returns 4 corresponds to the line 111 above.
>
> I ran rpm -qi to see the rpm information and I found the value of
> 'Signature' field is '(none)'. Is it OK?
>
> ```
> $ rpm -qi -p /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
> Name        : hn-python2-python-libs
> Version     : 2.7.11
> Release     : 3.el7.centos
> Architecture: x86_64
> Install Date: (not installed)
> Group       : Applications/System
> Size        : 27548758
> License     : Python
> Signature   : (none)
> Source RPM  : hn-python2-python-2.7.11-3.el7.centos.src.rpm
> Build Date  : Wed Dec 23 06:45:59 2015
> Build Host  : copr-builder-27528630.novalocal
> Relocations : (not relocatable)
> Vendor      : Fedora Project COPR (hnakamur/hnscl-python2-python)
> URL         : http://www.python.org/
> Summary     : Runtime libraries for Python
> Description :
> This package contains runtime libraries for use by Python:
> - the libpython dynamic library, for use by applications that embed Python as
> a scripting language, and by the main "python" executable
> - the Python standard library
> ```
>
> On the other hand, rpm -K prints 'md5 OK' on this rpm.
>
> ```
> $ rpm -K /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
> /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK
> ```
>
> Best regards,
> Hiroaki Nakamura
>
>
> 2015-12-23 23:30 GMT+09:00 Hiroaki Nakamura <[email protected]>:
>> Hi,
>>
>> 2015-12-23 18:14 GMT+09:00 Patrick Uiterwijk <[email protected]>:
>>> Hi,
>>>
>>> The latest build of your package is correctly signed:
>>> hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: RSA sha1 ((MD5) PGP)
>>> md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)
>>
>> Thanks for pointing me out.
>>
>> I installed gpg keys manually with the following commands.
>>
>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>>
>> And I confirmed python-libs rpm is signed.
>>
>> $ rpm -K hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
>> hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
>>
>> However I still got the 'is not signed' error with yum install.
>>
>> $ sudo yum install -y -v hn-python2-python
>> Loading "fastestmirror" plugin
>> Config time: 0.008
>> Yum version: 3.4.3
>> ...(snip)...
>> Package hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm is not signed
>> $ echo $?
>> 1
>>
>> I edited my *.repo files to use file:/// url for gpgkey instead of
>> https:// urls, still no luck.
>>
>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2.repo
>> [hnakamur-hnscl-python2]
>> name=Copr repo for hnscl-python2 owned by hnakamur
>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/epel-7-$basearch/
>> skip_if_unavailable=True
>> gpgcheck=1
>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>> enabled=1
>> enabled_metadata=1
>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2-python.repo
>> [hnakamur-hnscl-python2-python]
>> name=Copr repo for hnscl-python2-python owned by hnakamur
>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/epel-7-$basearch/
>> skip_if_unavailable=True
>> gpgcheck=1
>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>> enabled=1
>> enabled_metadata=1
>>
>> As a workaround, I confirmed I can install my rpms with yum --nogpgcheck
>> option.
>>
>> $ sudo yum install -y --nogpgcheck hn-python2-python
>>
>> However I'd like to install rpm without --nogpgcheck option.
>> Could you give some advice?
>>
>> Best regards,
>> Hiroaki Nakamura
>>
>>
>>>
>>> Please note that the very first build in a COPR is not always signed due to
>>> a bug (or at least, used to be), but any further builds should be signed.
>>>
>>> With kind regards,
>>> Patrick Uiterwijk
>>> Fedora Infra
>>>
>>> ----- Original Message -----
>>>> Hello.
>>>>
>>>> How to make sure rpms to be signed on copr?
>>>>
>>>> I tried to build my Python2 rpm. It was built successfully but it was
>>>> not signed.
>>>> https://copr.fedoraproject.org/coprs/hnakamur/hnscl-python2-python/
>>>>
>>>> I built other rpms and they are signed.
>>>> https://copr.fedoraproject.org/coprs/hnakamur/varnish-head/
>>>> https://copr.fedoraproject.org/coprs/hnakamur/libvmod-header/
>>>>
>>>> I don't know why my Python2 rpm was not signed.
>>>> I'd like to know the way to make sure rpms are signed on copr.
>>>>
>>>>
>>>> By the way, thanks for a great service like copr!
>>>> It is very useful!
>>>>
>>>> Best regards,
>>>> Hiroaki Nakamura
>>>> _______________________________________________
>>>> copr-devel mailing list
>>>> [email protected]
>>>> https://lists.fedorahosted.org/admin/lists/[email protected]
>>>>
>>> _______________________________________________
>>> copr-devel mailing list
>>> [email protected]
>>> https://lists.fedorahosted.org/admin/lists/[email protected]
>>
>>
>>
>> --
>> Hiroaki Nakamura ([email protected])
>
>
>
> --
> Hiroaki Nakamura ([email protected])

--
Hiroaki Nakamura ([email protected])
_______________________________________________
copr-devel mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
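
The difference between "sha1 md5 OK" and a real signature, as an added example that is not part of the original thread or of yum: a minimal reader for the signature header of an .rpm file that applies the same precedence as the getSigInfo() quoted above. The tag numbers are rpm's on-disk signature-header tag numbers, stated here as an assumption; `build_sample` and the bytes it produces are constructed test input, not a real package.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # start of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # start of the signature header
LEAD_SIZE = 96
# On-disk signature tags (assumed values), in the order getSigInfo() tries them.
SIGNATURE_TAGS = [(267, "DSAHEADER"), (268, "RSAHEADER"),
                  (1005, "SIGGPG"), (1002, "SIGPGP")]
# Digest tags: they show the file is intact, not who built it.
DIGEST_TAGS = {269: "SHA1HEADER", 1004: "SIGMD5"}

def signature_header_tags(data):
    """Return the set of tag numbers present in the signature header."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = data[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex = struct.unpack(">I", intro[8:12])[0]
    index = data[LEAD_SIZE + 16:LEAD_SIZE + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature index")
    # Each index entry is (tag, type, offset, count), big-endian.
    return {struct.unpack(">IIiI", index[i:i + 16])[0]
            for i in range(0, len(index), 16)}

def classify(data):
    """Return (signature tag name or '(none)', digest tag names present)."""
    tags = signature_header_tags(data)
    digests = sorted(n for t, n in DIGEST_TAGS.items() if t in tags)
    for number, name in SIGNATURE_TAGS:
        if number in tags:
            return name, digests
    return "(none)", digests      # the case where checkSig() returns 4

def build_sample(tags):
    """Constructed input: an empty lead plus a signature header of dummy data."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    store = b"\x00" * (16 * len(tags))
    index = b"".join(struct.pack(">IIiI", t, 7, 16 * i, 16)
                     for i, t in enumerate(tags))
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), len(store))
    return lead + intro + index + store

if __name__ == "__main__":
    print(classify(build_sample([1000, 269, 1004])))             # digests only
    print(classify(build_sample([1000, 269, 268, 1004, 1002])))  # RSA-signed
```

A package whose signature header carries only the digest tags passes an integrity check but still falls through to "(none)", which is the condition yum reports as "is not signed" when gpgcheck=1.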
