RPM

rpmsign exits (mysteriously) with code 255 when using DSA key

Bug #913629 reported by Jeff Johnson
This bug affects 1 person
Affects   Status      Importance   Assigned to   Milestone
RPM       New         Undecided    Unassigned
Fedora    Won't Fix   Undecided

Bug Description

tracker: this is actually an RFE for "extended DSA" in disguise

BJ (bj-redhat-bugs) wrote:

Description of problem:

When using a DSA GPG key to sign a package in F15, rpmsign exits with code
255 with no other errors/warnings/output. The resulting package is also not
signed at all.

$ cat /etc/redhat-release
Fedora release 15 (Lovelock)

$ rpmsign --version
RPM version 4.9.0

$ gpg --version
gpg (GnuPG) 1.4.11

How reproducible:

Every time

Steps to Reproduce:
1. Create a test GPG key using DSA
2. Add proper macros to ~/.rpmmacros for the key
3. Attempt to sign an rpm package

Actual results:

The package is not signed, no errors are produced, and rpmsign exits with code 255.

Expected results:

The package should be signed.

Additional info:

The following is a full proof of concept.

### GENERATE A TEST KEY

$ gpg --gen-key
# Answers to prompts follow:
#
# Key type (2) DSA and Elgamal
# Key size 2048
# Key is valid for '0' (key does not expire)
# Real name: John Doe
# Email address: <email address hidden>
# Comment: None
#

$ gpg --list-secret-keys
/home/wdierkes/.gnupg/secring.gpg
---------------------------------

sec 2048D/E28D1405 2011-07-05
uid John Doe <email address hidden>
ssb 2048g/10563A7E 2011-07-05

### EXPORTING HERE FOR FUTURE TESTING WITH SAME KEY

$ gpg --armor --export-secret-key E28D1405


BJ (bj-redhat-bugs) wrote:

I forgot to note, I also verified successful signing using the same exact steps as above but by selecting 'RSA' when creating the GPG key instead of DSA... in which case the resulting test package *is* signed as expected, verified by looking at the Signature field of 'rpm -qip' of the test package.

Panu (panu-redhat-bugs) wrote:

Right, there's a missing error message or two somewhere, but the underlying problem is that NSS doesn't support "extended DSA" from FIPS 186-3. In more practical terms, it means that rpm doesn't support DSA with > 1024 key sizes, whereas GPG apparently defaults to 2048 bits nowadays.

Here's the NSS bug: https://bugzilla.mozilla.org/show_bug.cgi?id=475578, doesn't seem to be a whole lot happening on it :-/

In the meanwhile, either limit the DSA key to 1024 bits or use RSA keys.
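
As an added example (not from the report, rpm or Fedora): a pre-flight shell check that parses gpg's machine-readable key listing and refuses DSA primary keys over 1024 bits before rpmsign is invoked, so the silent exit 255 is caught up front rather than discovered afterwards. The check_signing_key helper and the sample listing are constructed for this example; the long key IDs are placeholders modelled on the report's key.

```shell
#!/bin/sh
# Added pre-flight check (not part of the bug report or of rpm): before calling
# rpmsign on rpm 4.9 / NSS, confirm the signing key is one that version can
# handle. DSA primary keys over 1024 bits hit the silent "exit 255" described
# above; RSA keys of any size, and DSA of at most 1024 bits, sign fine.
#
# check_signing_key LISTING KEYID_SUFFIX
#   LISTING is the text of `gpg --with-colons --list-secret-keys`
#   (field 1 = record type, 3 = key length, 4 = algorithm, 5 = long key ID).
#   Returns 0 = usable, 1 = DSA > 1024 bits (this bug), 2 = key not found.
check_signing_key() {
    listing="$1"
    keyid="$2"
    printf '%s\n' "$listing" | awk -F: -v id="$keyid" '
        # Only primary keys ("sec"/"pub") sign packages; match on the ID suffix
        # so that both short (8 hex) and long (16 hex) IDs work.
        ($1 == "sec" || $1 == "pub") &&
        substr($5, length($5) - length(id) + 1) == id {
            found = 1
            # OpenPGP algorithm 17 = DSA; FIPS 186-2 caps DSA at 1024 bits,
            # which is all NSS (and so rpm 4.9) can verify.
            if ($4 == 17 && $3 > 1024) exit 1
            exit 0
        }
        END { if (!found) exit 2 }'
}

# Constructed sample listing (not real keys): a 2048-bit DSA primary with the
# short ID E28D1405 and Elgamal subkey as in the report, a 1024-bit DSA key and
# a 2048-bit RSA key for comparison. Long IDs are made-up hex placeholders.
SAMPLE_LISTING='sec:u:2048:17:AAAAAAAAE28D1405:2011-07-05::::::::
ssb:u:2048:16:BBBBBBBB10563A7E:2011-07-05::::::::
sec:u:1024:17:CCCCCCCC11112222:2011-07-05::::::::
sec:u:2048:1:DDDDDDDD33334444:2011-07-05::::::::'

# Walk the sample keys and report which ones rpmsign 4.9 would accept.
for id in E28D1405 11112222 33334444 99999999; do
    if check_signing_key "$SAMPLE_LISTING" "$id"; then
        echo "$id: usable by rpmsign"
    else
        rc=$?
        echo "$id: not usable (rc=$rc; 1 = DSA over 1024 bits, 2 = key not found)"
    fi
done

# Against a live keyring the same check gates the real signing step, e.g.:
#   check_signing_key "$(gpg --with-colons --list-secret-keys)" E28D1405 \
#       && rpmsign --addsign package.rpm
```

Of the two workarounds above, an RSA key is the one to prefer: 1024-bit DSA is well below current key-strength recommendations.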

Panu (panu-redhat-bugs) wrote:

*** Bug 748116 has been marked as a duplicate of this bug. ***

Panu (panu-redhat-bugs) wrote:

Error message added upstream...

Jeff Johnson (n3npq)
tags: added: fedora signatures
Fedora (fedora-redhat-bugs) wrote:

This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Changed in fedora:
importance: Unknown → Undecided
status: Unknown → Won't Fix