Signed RPM failed to install using dnf on RHEL8 and RHEL9 #64

Closed
4 tasks done
ctron opened this issue Aug 16, 2022 · 8 comments
Comments

@ctron
Owner

ctron commented Aug 16, 2022

reported by: @tobias1703

A package that is signed can be successfully verified on RHEL7, 8, 9 (using rpm -K), but when creating a YUM repository using createrepo, it fails to install on RHEL 8 and 9 with the following error:

Package test.rpm is not signed
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED

Reproducer: https://github.com/tobias1703/rpm-builder-test

Remaining tasks:

@ctron ctron added the bug label Aug 16, 2022
@ctron
Owner Author

ctron commented Aug 16, 2022

Interestingly it can be installed successfully using dnf install test.rpm.

@ctron
Owner Author

ctron commented Aug 16, 2022

The input for this comes from rpmkeys; executing the same command (with the same arguments) results in:

[root@2adb210281de myrepo]# rpmkeys --checksig --verbose '--define=_pkgverify_level signature' '--define=_pkgverify_flags 0x0' test.rpm 
test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    Payload SHA256 ALT digest: NOTFOUND
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
    MD5 digest: OK

So I guess one of the NOTFOUNDs triggers this response.

@ctron
Owner Author

ctron commented Aug 16, 2022

Checking with an rpm from RHEL9, this compares to:

yum-utils-4.0.24-4.el9_0.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK

@ctron
Owner Author

ctron commented Aug 16, 2022

Comparing that to the output of rpmcheck of RHEL7:

[root@26c410b57805 myrepo]# rpmkeys --checksig --verbose '--define=_pkgverify_level signature' '--define=_pkgverify_flags 0x0' test.rpm
test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA1 digest: OK (ed3d708091c78619c1a0f2ce0045fad5d1278feb)
    MD5 digest: OK (b68fa9e7e4b20a253d41e65abe78f26c)

@ctron
Owner Author

ctron commented Aug 16, 2022

I think I have found out what is wrong: it seems as if the RPM has a V4 signature header (which Eclipse Packager, and thus the RPM builder plugin, creates), which only signs the header, but with the header also signs the header entries containing the payload digests. This is faster, but triggers the rpmkeys tool to complain about "missing" information.

The V3 signature signs both headers and payload, but is slower.

So, what needs to be done: (see first comment)

I have a working version locally. So all that needs to be done is to orchestrate a few PRs and create new versions.
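As an added example (not code from this issue, from Eclipse Packager or from the RPM builder plugin), the following shell function reads `rpmkeys --checksig --verbose` output and tells a header-only (V4) signed package apart from one that also carries a payload (V3) signature, which is the distinction the comments above arrive at. The labels `full`, `header-only` and `unsigned` are my own naming, and the sample outputs are copied from those quoted in this thread.

```shell
#!/bin/sh
# classify_rpm_sig: read "rpmkeys --checksig --verbose <pkg>.rpm" output on
# stdin and print one label (assumed names, not rpm's own):
#   full         header signature OK *and* a separate payload (V3) signature OK;
#                this is what a gpgcheck=1 repo install on RHEL 8/9 accepts
#   header-only  header signature OK but no payload signature line is OK;
#                the V4 header-only case that dnf reports as "not signed"
#   unsigned     no OK header signature at all
classify_rpm_sig() {
    out=$(cat)
    # "Header V3/V4 ... Signature, key ID ...: OK" proves the header is signed.
    header_ok=$(printf '%s\n' "$out" | grep -cE '^ *Header V[34] .* Signature, key ID [0-9a-f]+: OK') || true
    # A payload signature line starts with the version directly (no "Header" prefix).
    payload_ok=$(printf '%s\n' "$out" | grep -cE '^ *V[34] .* Signature, key ID [0-9a-f]+: OK') || true
    if [ "$payload_ok" -gt 0 ] && [ "$header_ok" -gt 0 ]; then
        echo full
    elif [ "$header_ok" -gt 0 ]; then
        echo header-only
    else
        echo unsigned
    fi
}

# Constructed samples: the two rpmkeys outputs quoted in this issue.
SAMPLE_V4_HEADER_ONLY='test.rpm:
    Header V4 RSA/SHA256 Signature, key ID fa569ade: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    Payload SHA256 ALT digest: NOTFOUND
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
    MD5 digest: OK'
SAMPLE_V3_FULL='yum-utils-4.0.24-4.el9_0.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK'

# Against a real package:  rpmkeys --checksig --verbose pkg.rpm | classify_rpm_sig
printf '%s\n' "$SAMPLE_V4_HEADER_ONLY" | classify_rpm_sig   # header-only
printf '%s\n' "$SAMPLE_V3_FULL" | classify_rpm_sig          # full
```

The function only interprets the tool's text; it is a quick triage aid for a repository, not a replacement for the GPG check dnf performs.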

@ctron
Owner Author

ctron commented Aug 22, 2022

This is released as 1.9.0.

@ctron ctron closed this as completed Aug 22, 2022