Comment 10 for bug 635868

In , Till (till-redhat-bugs) wrote :

The suspend2 key is not a 4096 bit key:

$ gpg --with-fingerprint --keyid-format long SUSPEND2-RPM-KEY
pub 1024R/86A0081B22B2951D

But I see the same problems with the kernel-tuxonice on my Fedora 10. But this is another bug than the one I reported:

Unsigned package:
http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm.unsigned

Signed package:
http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm

Public Key:
http://till.fedorapeople.org/4096-RSA-rpm-bug/RPM-GPG-KEY-opensource-till-name-2007-06-22

Steps to reproduce:
This uses a local rpm database in $PWD/rpm-db to make it possible to reproduce this without being root or compromising your own rpm database with untrusted keys:

1. rpm --verbose --dbpath $PWD/rpm-db --import http://till.fedorapeople.org/4096-RSA-rpm-bug/RPM-GPG-KEY-opensource-till-name-2007-06-22

2. LANG=C rpm --verbose --dbpath $PWD/rpm-db --checksig http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm

http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm:
    Header V4 RSA/SHA512 signature: BAD, key ID 1c109517
    Header SHA1 digest: OK (b3398044a25fe5bc5e4c5bded44c0dd5d10e13db)
    V4 RSA/SHA512 signature: BAD, key ID 1c109517
    MD5 digest: OK (f16dd8cfcf437beb6d467e4f652c6bbd)

3. LANG=C rpm --verbose -qip http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm

error: http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm: Header V4 RSA/SHA512 signature: BAD, key ID 1c109517
error: http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm: not an rpm package (or package manifest)

Here is also a SHA1-signed rpm package that does not work:
http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm.sha1signed
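
An added example, not part of the original comment and not rpm's own code: in the step 2 output both digests are OK while both signatures are BAD, so the file is intact and the failure lies in signature verification. The shell function below (`classify_checksig` is a hypothetical name) separates that case from a corrupted download; the NOKEY branch assumes rpm's usual `signature: NOKEY, key ID ...` line format.

```shell
#!/bin/sh
# Output of step 2 in the comment above, embedded so the example runs offline.
SAMPLE_OUTPUT='http://till.fedorapeople.org/4096-RSA-rpm-bug/obsoletes-test-1-1.tillf8.noarch.rpm:
    Header V4 RSA/SHA512 signature: BAD, key ID 1c109517
    Header SHA1 digest: OK (b3398044a25fe5bc5e4c5bded44c0dd5d10e13db)
    V4 RSA/SHA512 signature: BAD, key ID 1c109517
    MD5 digest: OK (f16dd8cfcf437beb6d467e4f652c6bbd)'

# Reads `rpm --verbose --checksig` output on stdin and prints one verdict:
#   corrupt              a digest failed, so the file itself is damaged
#   signature-bad <ids>  digests match but a signature did not verify
#   missing-key <ids>    signature could not be checked (key not imported)
#   ok                   every listed check passed
#   unknown              no digest or signature lines were found
classify_checksig() {
    awk '
        # Return the hex key ID that follows "key ID " on a signature line.
        function keyid(line) {
            sub(/.*key ID /, "", line); sub(/[^0-9A-Fa-f].*/, "", line)
            return line
        }
        / digest: /    { seen = 1; if ($0 !~ / digest: OK/) corrupt = 1 }
        / signature: / {
            seen = 1; id = keyid($0)
            # Record each failing key ID once, in order of appearance.
            if ($0 ~ / signature: BAD/ && !(id in bad))  { bad[id] = 1; badlist = badlist " " id }
            if ($0 ~ / signature: NOKEY/ && !(id in nk)) { nk[id] = 1;  nklist = nklist " " id }
        }
        END {
            if (!seen)        print "unknown"
            else if (corrupt) print "corrupt"
            else if (badlist) print "signature-bad" badlist
            else if (nklist)  print "missing-key" nklist
            else              print "ok"
        }'
}

# Classify the output reported in the comment.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_checksig
```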