[yocto] RPM bogus signature

Dmytro Milinevskyy milinevskyy at gmail.com
Sat Apr 16 05:57:56 PDT 2016


Hello,

Currently I'm trying to enforce RPM signature verification on the target
device and get a weird bogus signature on the RPM packages when signing
is not enabled in the configuration.
The main issue is that this signature is considered valid by RPM 5.4.14,
which is used by Yocto, and thus the package is "correctly" installed by the
"smart" packaging system on the target.

For example, here are 2 packages built w/o signing. Both packages have
different keys and RPM is not complaining:
>tmp/sysroots/x86_64-linux/usr/bin/rpm -Kv
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bd8f688a
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bc6abdd3
    Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
    MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)

Nevertheless, the host RPM (rpm4 from Ubuntu) correctly identifies that
the signature is invalid:
>rpm -Kv ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA/SHA1 Signature, key ID bd8f688a: NOKEY
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 DSA/SHA1 Signature, key ID bc6abdd3: NOKEY
    Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
    MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)

Following is the output for properly signed packages. You may see that the
keys are valid (you can also check the pub key on MIT key storage):
>rpm -Kv ./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm
./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (e82b83bc3a4713d36548a3ea6b7c0d3c3dc35f1f)
    MD5 digest: OK (e9bfa1fc6a4ae90e84851bfd4583ec29)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (d6925400698be829e08bc5013fd28d2c829a2600)
    MD5 digest: OK (427f42d79b83e314f741ff73a672c5dc)


Host RPM version
>rpm --version
RPM version 4.11.2

Yocto RPM version
>tmp/sysroots/x86_64-linux/usr/bin/rpm --version
rpm (RPM) 5.4.14

Yocto version: jethro (1a52eceaa5df89914b6a711defdcf0046e74c7f6)

Best regards,
Dimitri
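The behaviour reported above (rpm 5.4.14 printing "signature: OK" for a key ID that was never imported, while rpm 4.11 reports NOKEY) is why a deployment gate should not trust the word "OK" on its own. The following is an added example, not code from the original post or from the Yocto project: a POSIX sh wrapper that parses `rpm -Kv` output and passes a package only when its signature line says OK and the key ID is on an explicit allowlist. The allowlist `TRUSTED_KEYS`, the function names and the sample outputs are assumptions; the sample text is copied from the outputs quoted in the post, and `5a906f4c` is taken to be the one trusted signing key.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed check over `rpm -Kv`
# output. A package passes only if its signature line reports OK AND the key
# ID is on the allowlist; "OK" with an unknown key (the rpm 5.4.14 case) fails.

# Constructed allowlist of trusted signing key IDs (hypothetical).
TRUSTED_KEYS="5a906f4c"

# key_trusted KEYID -> returns 0 if KEYID is listed in TRUSTED_KEYS.
key_trusted() {
    for k in $TRUSTED_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# verify_rpm_output: reads `rpm -Kv` text on stdin, prints PASS/FAIL per
# package and returns 0 only when every package passes.
verify_rpm_output() {
    rc=0; pkg=""; sigseen=0
    while IFS= read -r line; do
        case "$line" in
            *.rpm:)
                # A new package starts; the previous one must have had a signature line.
                if [ -n "$pkg" ] && [ "$sigseen" -eq 0 ]; then
                    echo "FAIL $pkg: no signature line"; rc=1
                fi
                pkg="${line%:}"; sigseen=0 ;;
            *Signature*|*signature*)
                sigseen=1
                # rpm4 form: "Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK"
                # rpm5 form: "Header V4 DSA signature: OK, key ID bd8f688a"
                keyid=$(printf '%s\n' "$line" | sed -n 's/.*key ID \([0-9a-fA-F]*\).*/\1/p')
                case "$line" in
                    *": OK"*) sig_ok=1 ;;
                    *)        sig_ok=0 ;;   # NOKEY, BAD, etc.
                esac
                if [ "$sig_ok" -eq 1 ] && key_trusted "$keyid"; then
                    echo "PASS $pkg: signed by trusted key $keyid"
                else
                    echo "FAIL $pkg: '$line' (key ${keyid:-none})"; rc=1
                fi ;;
        esac
    done
    if [ -n "$pkg" ] && [ "$sigseen" -eq 0 ]; then
        echo "FAIL $pkg: no signature line"; rc=1
    fi
    return $rc
}

# Constructed sample: the rpm 5.4.14 output quoted in the post (unsigned packages).
RPM5_UNSIGNED='./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bd8f688a
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 DSA signature: OK, key ID bc6abdd3
    Header SHA1 digest: OK (e95dc6b40965224ae443460117fe2ada4f855b2d)
    MD5 digest: OK (1dda4ae1673ab96dd9edbdc423df29ac)'

# Constructed sample: the rpm 4.11 output quoted in the post for the same
# unsigned packages (NOKEY).
RPM4_NOKEY='./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 DSA/SHA1 Signature, key ID bd8f688a: NOKEY
    Header SHA1 digest: OK (45dfa7cbfe3cfc3a6c4a928e58b100d81f5a367d)
    MD5 digest: OK (a8450299f5c2d9adecc4bda799b7038d)'

# Constructed sample: the properly signed packages from the post.
RPM4_SIGNED='./tmp/deploy/rpm/all/os-release-1.0-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (e82b83bc3a4713d36548a3ea6b7c0d3c3dc35f1f)
    MD5 digest: OK (e9bfa1fc6a4ae90e84851bfd4583ec29)
./tmp/deploy/rpm/all/tzdata-2016a-r0.all.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5a906f4c: OK
    Header SHA1 digest: OK (d6925400698be829e08bc5013fd28d2c829a2600)
    MD5 digest: OK (427f42d79b83e314f741ff73a672c5dc)'

# Demo run: both unsigned sets are rejected, the signed set is accepted.
printf '%s\n' "$RPM5_UNSIGNED" | verify_rpm_output || echo "=> rpm5 'OK' with unknown keys rejected"
printf '%s\n' "$RPM4_NOKEY"    | verify_rpm_output || echo "=> rpm4 NOKEY rejected"
printf '%s\n' "$RPM4_SIGNED"   | verify_rpm_output && echo "=> signed set accepted"
```

In a real pipeline the samples would be replaced by `rpm -Kv "$@" | verify_rpm_output`, run on the build host before packages are published to the feed, so that the target's package manager never sees an unsigned package whose signature line merely reads "OK".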