X2Go Bug report logs - #897
epel 5 repos have signature errors

version graph

Package: buildscripts; Maintainer for buildscripts is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Christian Trenkwalder <christian.trenkwalder@nxp.com>

Date: Tue, 30 Jun 2015 09:40:02 UTC

Severity: normal

Found in version 0

Done: Mihai Moldovan <ionic@ionic.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Tue, 30 Jun 2015 09:40:02 GMT) (full text, mbox, link).


Acknowledgement sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.

Your message had a Version: pseudo-header with an invalid package version:

x2goserver.x86_64

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Tue, 30 Jun 2015 09:40:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Christian Trenkwalder <christian.trenkwalder@nxp.com>
To: <submit@bugs.x2go.org>
Subject: epel 5 repos have signature errors
Date: Tue, 30 Jun 2015 11:22:01 +0200
[Message part 1 (text/plain, inline)]
Package: <buildscripts>
Version: x2goserver.x86_64
0:4.0.1.19-0.0x2go2.1.git20150608.1064.main.el5.centos

Hello,
im using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
the following error for more than 1 dependency:

> Header V3 RSA/SHA1 signature: BAD

For the full log see the attachemend, i think this may be just like #699.


[log.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Tue, 30 Jun 2015 19:10:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 30 Jun 2015 19:10:02 GMT) (full text, mbox, link).


Message #10 received at 897@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: Christian Trenkwalder <christian.trenkwalder@nxp.com>, 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Tue, 30 Jun 2015 21:09:50 +0200
[Message part 1 (text/plain, inline)]
On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
> im using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
> the following error for more than 1 dependency:
> 
>> Header V3 RSA/SHA1 signature: BAD
> 
> For the full log see the attachemend, i think this may be just like #699.

Probably not, though. The packages are using Header V3, #699 was about V4 being
unsupported on RHEL5.

How does your yum repo file look like? is gpgCheck enabled? If yes, does
disabling it solve your problem?



Mihai

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 10:05:01 GMT) (full text, mbox, link).


Acknowledgement sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 10:05:02 GMT) (full text, mbox, link).


Message #15 received at 897@bugs.x2go.org (full text, mbox, reply):

From: Christian Trenkwalder <christian.trenkwalder@nxp.com>
To: Mihai Moldovan <ionic@ionic.de>, <897@bugs.x2go.org>
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Wed, 1 Jul 2015 11:29:34 +0200
[Message part 1 (text/plain, inline)]
The repo looks as followed (same holds for the [x2go-extras-epel]), i
manually disabled the gpgcheck, but it changes nothing.


> [x2go-release-epel]
> name=Upstream X2Go EPEL Packages (Release Builds)
> baseurl=http://packages.x2go.org/epel/$releasever/main/$basearch
> gpgcheck=0
> gpgkey=http://packages.x2go.org/pub.key
> enabled=1
> protect=0

what i did now was using the testing repo for the EPEL packages, and
then the installation worked.




Am 30.06.2015 um 21:09 schrieb Mihai Moldovan:
> On 30.06.2015 11:22 AM, Christian Trenkwalder wrote:
>> im using Red Hat Enterprise Linux Client release 5.8 (Tikanga) and get
>> the following error for more than 1 dependency:
>>
>>> Header V3 RSA/SHA1 signature: BAD
>>
>> For the full log see the attachemend, i think this may be just like #699.
> 
> Probably not, though. The packages are using Header V3, #699 was about V4 being
> unsupported on RHEL5.
> 
> How does your yum repo file look like? is gpgCheck enabled? If yes, does
> disabling it solve your problem?
> 
> 
> 
> Mihai
> 

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 16:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 16:15:02 GMT) (full text, mbox, link).


Message #20 received at 897@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] epel 5 repos have signature errors
Date: Wed, 1 Jul 2015 18:13:58 +0200
[Message part 1 (text/plain, inline)]
[resent to bug report specifically]

On 01.07.2015 12:45 PM, Ulrich Sibiller wrote:
> Am 01.07.2015 um 11:29 schrieb Christian Trenkwalder:
>> The repo looks as followed (same holds for the [x2go-extras-epel]), i
>> manually disabled the gpgcheck, but it changes nothing.
>
>
> I am not sure if this is relevant here, but I just wanted to throw in, that
> if you generate Repos for RHEL5 on RHEL6 or 7 you must explicitly call
> createrepo with -s sha1 or -s sha.


I'm painfully aware of that:
http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-package;h=0fdea9a9b6366e514d1c254fc1bacda88982265e;hb=HEAD#l873

That shouldn't be the problem, we've been doing this quite a while now.

BUT we do sign the packages with an 2048 bit RSA key. While this is not a bad
idea per se, I've read that RHEL5's rpm only supports 1024 bit RSA or DSA keys...


Looks like I have to create an 1024 bit subkey, upload that to the keyservers,
put it into the Debian keyring, add it to http://packages.x2go.org/pub.key and
sign all RHEL 5 packages with that weak one?


Maybe Christian would have needed to also run "yum clean" and maybe even delete
the downloaded key file in addition to disabling gpgcheck in order to make RPM
not check the signatures anymore.

Given that he switched to the official EPEL repo, I assume(?) I can't continue
debugging this (well, short of creating a CentOS 5 VM...)



Mihai






[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Wed, 01 Jul 2015 23:50:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>, 897@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 01 Jul 2015 23:50:01 GMT) (full text, mbox, link).


Message #25 received at 897@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#897: epel 5 repos have signature errors
Date: Thu, 2 Jul 2015 01:49:52 +0200
[Message part 1 (text/plain, inline)]
On 01.07.2015 06:13 PM, Mihai Moldovan wrote:
> BUT we do sign the packages with an 2048 bit RSA key. While this is 
> not a bad idea per se, I've read that RHEL5's rpm only supports 1024 
> bit RSA or DSA keys...
> 
> 
> Looks like I have to create an 1024 bit subkey, upload that to the 
> keyservers, put it into the Debian keyring, add it to 
> http://packages.x2go.org/pub.key and sign all RHEL 5 packages with 
> that weak one?

Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...


Mihai

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#897; Package <buildscripts>. (Thu, 02 Jul 2015 01:45:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>, 897@bugs.x2go.org:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 02 Jul 2015 01:45:01 GMT) (full text, mbox, link).


Message #30 received at 897@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 897@bugs.x2go.org
Subject: Re: [X2Go-Dev] epel 5 repos have signature errors
Date: Thu, 2 Jul 2015 03:41:44 +0200
[Message part 1 (text/plain, inline)]
Control: reassign -1 buildscripts 0
Control: close -1


On 02.07.2015 01:49 AM, Mihai Moldovan wrote:
> Created a VM and tested this hunch with one package. Looks like I was right. Will update the buildscript now and re-sign manually for now...

Changed the buildscripts in this commit to use the new GPG key for EPEL 5
(package and repo data signing):
http://code.x2go.org/gitweb?p=buildscripts.git;a=blob;f=bin/build-rpm-package;h=8af6d23fa7fdc5270993cbf2a19e839d9f78df83;hb=e6f76455ac92c08197f6d50e0dee989ff548a0d1

Additionally, all packages will be signed with the "new" GPG key.


I have verified that packages can now be successfully installed in a CentOS 5.8 VM.


Re-signing of the packages in the repository and the repo data is currently
underway.



Mihai

[signature.asc (application/pgp-signature, attachment)]

Bug reassigned from package '&lt;buildscripts&gt;' to 'buildscripts'. Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT) (full text, mbox, link).


Marked as found in versions 0. Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT) (full text, mbox, link).


Marked Bug as done Request was from Mihai Moldovan <ionic@ionic.de> to 897-submit@bugs.x2go.org. (Thu, 02 Jul 2015 01:45:02 GMT) (full text, mbox, link).


Notification sent to Christian Trenkwalder <christian.trenkwalder@nxp.com>:
Bug acknowledged by developer. (Thu, 02 Jul 2015 01:45:02 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Thu, 30 Jul 2015 05:24:01 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 11 20:26:10 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.