> On Jan 25, 2015, at 9:26 AM, Jan Rękorajski <bagg...@pld-linux.org> wrote:
>
>> Try resigning a package with the same key and importing using rpm-5.4.15.
>> Does that "fix"?
>
> No, packages signed with 5.4.15 also fail to verify with it.
> The following command is used to sign packages:
>
> rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files
>
> So, that's not a problem of our setup, from my perspective it looks like
> 5.4.15 has broken RSA sig verification, can you look into it?
>
I can try to reproduce the verification failure, but I haven't the private key. … meanwhile there are 5 crypto implementations in rpm, compile/use any/all of BeeCrypt/NSS/OpenSSL/libtomcrypt/libgcrypt, see where the problem lies.

>> There were many fixes for RSA signatures in rpm-5.4.15.
>>
>> These were fixes for known problems repeatedly tested with all five crypto
>> implementations, not regressions.
>>
>> The testing does not exclude a regression, but there are known
>> incompatibilities between
>> rpm-5.4.15 and earlier versions of RPM with RSA signatures.
>
> Can you elaborate what kind of incompatibilities we can expect?
>

Fingerprints were miscalculated for V4 RSA pubkeys, MPI lengths were incorrect for RSA keys/signatures that happened to have 8 leading zero bits, bit counts in RSA private keys were added (which affects fingerprints), for starters.

73 de Jeff

> --
> Jan Rękorajski | PLD/Linux
> SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en@lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
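The MPI-length and fingerprint issues Jeff lists above, as an added example that is not part of the thread and not rpm's code: it encodes OpenPGP multiprecision integers per RFC 4880 §3.2, shows what goes wrong for a value whose fixed-width big-endian form starts with a 0x00 octet (the "8 leading zero bits" case), and computes the V4 fingerprint of RFC 4880 §12.2 over the resulting RSA public-key packet so the effect on the fingerprint is visible. The `encode_mpi_from_buffer_naive` encoder, the `SHORT_TOP_N`/`E`/`CREATED` key values and the helper names are constructed for illustration; the exact shape of the rpm-5.4.15 change is not on the page.

```python
# Added example (not from the thread or from rpm): OpenPGP MPI encoding and
# V4 key fingerprints per RFC 4880, exercising the "8 leading zero bits" case.
# The naive encoder and the sample key values below are constructed for
# illustration; the actual rpm-5.4.15 change is not shown on the page.
import hashlib
import struct


def encode_mpi(n: int) -> bytes:
    """RFC 4880 §3.2: two-octet big-endian bit count, then the value with
    leading zero octets stripped (the count is of the value, not of a buffer)."""
    if n < 0:
        raise ValueError("MPI must be non-negative")
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def encode_mpi_from_buffer_naive(raw: bytes) -> bytes:
    """Assumed (constructed) mistake: derive the bit count from a fixed-width
    big-endian buffer as 8 * len and emit the buffer as-is. Correct whenever
    the top octet is non-zero; off by 8 bits when that octet is 0x00."""
    return struct.pack(">H", 8 * len(raw)) + raw


def decode_mpi(buf: bytes, off: int = 0) -> tuple[int, int]:
    """Strict MPI parser returning (value, next_offset). Rejects a declared
    bit count that disagrees with the value, which catches both a retained
    leading zero octet and a truncated body."""
    if len(buf) - off < 2:
        raise ValueError("truncated MPI header")
    bits = struct.unpack_from(">H", buf, off)[0]
    nbytes = (bits + 7) // 8
    start = off + 2
    if len(buf) - start < nbytes:
        raise ValueError("truncated MPI body")
    value = int.from_bytes(buf[start:start + nbytes], "big")
    if value.bit_length() != bits:
        raise ValueError(f"MPI declares {bits} bits, value has {value.bit_length()}")
    return value, start + nbytes


def mpi_is_canonical(buf: bytes) -> bool:
    """True if buf is exactly one well-formed MPI with nothing trailing."""
    try:
        _, end = decode_mpi(buf)
    except ValueError:
        return False
    return end == len(buf)


def rsa_v4_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Public-Key packet body (RFC 4880 §5.5.2): version 4, 4-octet creation
    time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 §12.2: SHA-1(0x99 || two-octet body length || body)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The V4 Key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-8:]


# Constructed modulus for a 2048-bit slot whose value only needs 2040 bits, so
# its 256-octet fixed-width form starts with 0x00. Not a real key, just the bit
# pattern that raises the length question from the thread.
SHORT_TOP_N = (1 << 2039) | 0x10001
E = 65537
CREATED = 1422178000  # arbitrary early-2015 timestamp, seconds since the epoch


def compare_encodings() -> dict:
    """Encode the same key material both ways and fingerprint the results."""
    raw256 = SHORT_TOP_N.to_bytes(256, "big")  # leading octet is 0x00
    good = encode_mpi(SHORT_TOP_N)
    naive = encode_mpi_from_buffer_naive(raw256)
    # The fingerprint hashes the encoded MPIs, so a wrong MPI header changes
    # the fingerprint (and hence the key ID) of unchanged key material.
    good_body = rsa_v4_pubkey_body(CREATED, SHORT_TOP_N, E)
    naive_body = b"\x04" + struct.pack(">I", CREATED) + b"\x01" + naive + encode_mpi(E)
    return {
        "good_bits": struct.unpack(">H", good[:2])[0],
        "naive_bits": struct.unpack(">H", naive[:2])[0],
        "good_canonical": mpi_is_canonical(good),
        "naive_canonical": mpi_is_canonical(naive),
        "good_fpr": v4_fingerprint(good_body),
        "naive_fpr": v4_fingerprint(naive_body),
    }


if __name__ == "__main__":
    r = compare_encodings()
    print("correct MPI bit count:", r["good_bits"], " naive:", r["naive_bits"])
    print("fingerprint:", r["good_fpr"].hex(), " key id:", key_id(r["good_fpr"]).hex())
    print("naive-encoding fingerprint:", r["naive_fpr"].hex())
```

Two implementations that disagree on the MPI header for the same key disagree on the fingerprint and key ID as well, which is why a signature made by one rpm build can fail to verify under another even though the key material is identical; the strict parser above is the check to run on any MPI you are about to trust.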