[resent to bug report specifically]

On 01.07.2015 12:45 PM, Ulrich Sibiller wrote:
> Am 01.07.2015 um 11:29 schrieb Christian Trenkwalder:
>> The repo looks as followed (same holds for the [x2go-extras-epel]), i
>> manually disabled the gpgcheck, but it changes nothing.
>
>
> I am not sure if this is relevant here, but I just wanted to throw in, that
> if you generate Repos for RHEL5 on RHEL6 or 7 you must explicitly call
> createrepo with -s sha1 or -s sha.


I'm painfully aware of that:
http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-package;h=0fdea9a9b6366e514d1c254fc1bacda88982265e;hb=HEAD#l873

That shouldn't be the problem, we've been doing this quite a while now.

BUT we do sign the packages with an 2048 bit RSA key. While this is not a bad
idea per se, I've read that RHEL5's rpm only supports 1024 bit RSA or DSA keys...


Looks like I have to create an 1024 bit subkey, upload that to the keyservers,
put it into the Debian keyring, add it to http://packages.x2go.org/pub.key and
sign all RHEL 5 packages with that weak one?


Maybe Christian would have needed to also run "yum clean" and maybe even delete
the downloaded key file in addition to disabling gpgcheck in order to make RPM
not check the signatures anymore.

Given that he switched to the official EPEL repo, I assume(?) I can't continue
debugging this (well, short of creating a CentOS 5 VM...)



Mihai