X2Go Bug report logs - #897
epel 5 repos have signature errors


Package: buildscripts; Maintainer for buildscripts is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Christian Trenkwalder <christian.trenkwalder@nxp.com>

Date: Tue, 30 Jun 2015 09:40:02 UTC

Severity: normal

Found in version 0

Done: Mihai Moldovan <ionic@ionic.de>

Bug is archived. No further changes may be made.



Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Tue, 30 Jun 2015 09:40:02 GMT)


Acknowledgement sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.

Your message had a Version: pseudo-header with an invalid package version:

x2goserver.x86_64

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Tue, 30 Jun 2015 09:40:02 GMT)


Message #5 received at submit@bugs.x2go.org:

From: Christian Trenkwalder <christian.trenkwalder@nxp.com>
To: <submit@bugs.x2go.org>
Subject: epel 5 repos have signature errors
Date: Tue, 30 Jun 2015 11:22:01 +0200
[Message part 1 (text/plain, inline)]
Package: <buildscripts>
Version: x2goserver.x86_64
0:4.0.1.19-0.0x2go2.1.git20150608.1064.main.el5.centos

Hello,
I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
the following error for more than 1 dependency:

> Header V3 RSA/SHA1 signature: BAD

For the full log see the attachment, I think this may be just like #699.


[log.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Tue, 30 Jun 2015 19:10:02 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 30 Jun 2015 19:10:02 GMT)


Message #10 received at 897@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: Christian Trenkwalder <christian.trenkwalder@nxp.com>, 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Tue, 30 Jun 2015 21:09:50 +0200
[Message part 1 (text/plain, inline)]
On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
> I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
> the following error for more than 1 dependency:
> 
>> Header V3 RSA/SHA1 signature: BAD
> 
> For the full log see the attachment, I think this may be just like #699.

Probably not, though. The packages are using Header V3, #699 was about V4 being
unsupported on RHEL5.

What does your yum repo file look like? Is gpgCheck enabled? If yes, does
disabling it solve your problem?



Mihai

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 10:05:01 GMT)


Acknowledgement sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 10:05:02 GMT)


Message #15 received at 897@bugs.x2go.org:

From: Christian Trenkwalder <christian.trenkwalder@nxp.com>
To: Mihai Moldovan <ionic@ionic.de>, <897@bugs.x2go.org>
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Wed, 1 Jul 2015 11:29:34 +0200
[Message part 1 (text/plain, inline)]
The repo looks as follows (same holds for the [x2go-extras-epel]), I
manually disabled the gpgcheck, but it changes nothing.


> [x2go-release-epel]
> name=Upstream X2Go EPEL Packages (Release Builds)
> baseurl=http://packages.x2go.org/epel/$releasever/main/$basearch
> gpgcheck=0
> gpgkey=http://packages.x2go.org/pub.key
> enabled=1
> protect=0

What I did now was using the testing repo for the EPEL packages, and
then the installation worked.




On 30.06.2015 at 21:09, Mihai Moldovan wrote:
> On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
>> I'm using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
>> the following error for more than 1 dependency:
>>
>>> Header V3 RSA/SHA1 signature: BAD
>>
>> For the full log see the attachment, I think this may be just like #699.
> 
> Probably not, though. The packages are using Header V3, #699 was about V4 being
> unsupported on RHEL5.
> 
> What does your yum repo file look like? Is gpgCheck enabled? If yes, does
> disabling it solve your problem?
> 
> 
> 
> Mihai
> 

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 16:15:02 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 16:15:02 GMT)


Message #20 received at 897@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] epel 5 repos have signature errors
Date: Wed, 1 Jul 2015 18:13:58 +0200
[Message part 1 (text/plain, inline)]
[resent to bug report specifically]

On 01.07.2015 12:45 PM, Ulrich Sibiller wrote:
> On 01.07.2015 at 11:29, Christian Trenkwalder wrote:
>> The repo looks as follows (same holds for the [x2go-extras-epel]), I
>> manually disabled the gpgcheck, but it changes nothing.
>
>
> I am not sure if this is relevant here, but I just wanted to throw in, that
> if you generate Repos for RHEL5 on RHEL6 or 7 you must explicitly call
> createrepo with -s sha1 or -s sha.


I'm painfully aware of that:
http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-package;h=0fdea9a9b6366e514d1c254fc1bacda88982265e;hb=HEAD#l873

That shouldn't be the problem, we've been doing this quite a while now.

BUT we do sign the packages with a 2048 bit RSA key. While this is not a bad
idea per se, I've read that RHEL5's rpm only supports 1024 bit RSA or DSA keys...


Looks like I have to create a 1024 bit subkey, upload that to the keyservers,
put it into the Debian keyring, add it to http://packages.x2go.org/pub.key and
sign all RHEL 5 packages with that weak one?


Maybe Christian would have needed to also run "yum clean" and maybe even delete
the downloaded key file in addition to disabling gpgcheck in order to make RPM
not check the signatures anymore.

Given that he switched to the official EPEL repo, I assume(?) I can't continue
debugging this (well, short of creating a CentOS 5 VM...)



Mihai






[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 23:50:01 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>, 897@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 23:50:01 GMT)


Message #25 received at 897@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Thu, 2 Jul 2015 01:49:52 +0200
[Message part 1 (text/plain, inline)]
On 01.07.2015 06:13 PM, Mihai Moldovan wrote:
> BUT we do sign the packages with a 2048 bit RSA key. While this is 
> not a bad idea per se, I've read that RHEL5's rpm only supports 1024 
> bit RSA or DSA keys...
> 
> 
> Looks like I have to create a 1024 bit subkey, upload that to the 
> keyservers, put it into the Debian keyring, add it to 
> http://packages.x2go.org/pub.key and sign all RHEL 5 packages with 
> that weak one?

Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...


Mihai

[signature.asc (application/pgp-signature, attachment)]
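
The key-size hypothesis from messages #20 and #25, as an added example that is not part of the thread or of the X2Go buildscripts: a check that reads the bit length of every key and subkey in a binary OpenPGP keyring (for example the output of `gpg --dearmor`), so a maintainer can see which keys exceed the 1024-bit limit the thread attributes to RHEL 5's rpm. The limit, the function names and the dummy sample keyring are assumptions made for this example.

```python
ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA"}  # RFC 4880, section 9.1

def read_packets(data):
    """Yield (tag, body) for each packet in a binary (de-armored) key blob."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def key_sizes(data):
    """Return [(kind, algorithm, bits)] for each public key and subkey packet."""
    out = []
    for tag, body in read_packets(data):
        if tag not in (6, 14):              # 6 = public key, 14 = public subkey
            continue
        off = {3: 7, 4: 5}[body[0]]         # algorithm octet; KeyError on other versions
        bits = int.from_bytes(body[off + 1:off + 3], "big")  # first MPI: RSA n / DSA p
        out.append(("key" if tag == 6 else "subkey", ALGOS.get(body[off], "other"), bits))
    return out

def oversized(data, max_bits=1024):
    """Keys larger than max_bits (1024 is the limit assumed in the thread)."""
    return [k for k in key_sizes(data) if k[2] > max_bits]

def fake_key_packet(tag, bits):
    """Constructed test data: v4 RSA key packet with a dummy, unusable modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    body = b"\x04" + bytes(4) + b"\x01" + bits.to_bytes(2, "big") + n + b"\x00\x11\x01\x00\x01"
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

SAMPLE = fake_key_packet(6, 2048) + fake_key_packet(14, 1024)  # constructed keyring
```

`oversized(SAMPLE)` reports only the 2048-bit primary key, which matches the layout discussed in the thread: a large primary key with a smaller signing subkey for the EPEL 5 packages.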

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Thu, 02 Jul 2015 01:45:01 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>, 897@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 02 Jul 2015 01:45:01 GMT)


Message #30 received at 897@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] epel 5 repos have signature errors
Date: Thu, 2 Jul 2015 03:41:44 +0200
[Message part 1 (text/plain, inline)]
Control: reassign -1 buildscripts 0
Control: close -1


On 02.07.2015 01:49 AM, Mihai Moldovan wrote:
> Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...

Changed the buildscripts in this commit to use the new GPG key for EPEL 5
(package and repo data signing):
http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-package;h=8af6d23fa7fdc5270993cbf2a19e839d9f78df83;hb=e6f76455ac92c08197f6d50e0dee989ff548a0d1

Additionally, all packages will be signed with the "new" GPG key.


I have verified that packages can now be successfully installed in a CentOS 5.8 VM.


Re-signing of the packages in the repository and the repo data is currently
underway.



Mihai

[signature.asc (application/pgp-signature, attachment)]

Bug reassigned from package '<buildscripts>' to 'buildscripts'. Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT)


Marked as found in versions 0. Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT)


Marked Bug as done. Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT)


Notification sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
Bug acknowledged by developer. (Thu, 02 Jul 2015 01:45:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Thu, 30 Jul 2015 05:24:01 GMT)




X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 25 13:37:11 2024; Machine Name: ymir.das-netzwerkteam.de
