Signing an RPM package with a DSA key appears to be successful, but generates an RPM with an unverifiable signature.
CentOS 7 (RPM version 4.11.3): error: skipping package <package> with unverifiable signature
CentOS 6 (RPM version 4.8.0): error: skipping package <package> with unverifiable v4 signature
There doesn't seem to be any support in Redline for signing with a DSA key, but neither does the tool fail or even give a warning if the algorithm of the key is not supported.
From my cursory inspection of the code, it looks like the key is passed off to bouncycastle code to generate the signatures, but then added to the RPM in PGP and RSA headers (SignatureGenerator.prepare() method).
Are there any plans to support DSA keys? Or should a check be added to throw an exception if the key is DSA?
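A guard of the kind the issue asks for, added here as an example and not Redline's own code: it assumes the caller holds a BouncyCastle PGPSecretKey and invokes the check before the key reaches the signing path (SignatureGenerator.prepare() is the method named in the issue; where exactly the guard is wired in is an assumption). Because Redline writes the result into RPM's RSA signature tags, any key whose algorithm is not an RSA signing variant is rejected up front with a diagnosable error instead of producing a package that RPM later refuses.

```java
import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
import org.bouncycastle.openpgp.PGPSecretKey;

/**
 * Pre-signing guard (example code, not part of Redline). The RPM signature
 * produced by Redline is stored under the RSA signature tags, so only an RSA
 * key can yield a signature that rpm(8) will verify.
 */
public final class SigningKeyCheck {

    private SigningKeyCheck() {}

    /** Throws unless the key's public-key algorithm is an RSA variant that may sign. */
    public static void requireRsaSigningKey(PGPSecretKey key) {
        int alg = key.getPublicKey().getAlgorithm();
        if (!isRsaSigningAlgorithm(alg)) {
            throw new IllegalArgumentException("Key 0x" + Long.toHexString(key.getKeyID())
                + " uses " + algorithmName(alg)
                + "; Redline only supports RSA keys, and signing with this key would"
                + " produce an RPM with an unverifiable signature");
        }
    }

    /** RSA_ENCRYPT is deliberately excluded: an encrypt-only RSA key cannot sign. */
    static boolean isRsaSigningAlgorithm(int alg) {
        return alg == PublicKeyAlgorithmTags.RSA_GENERAL
            || alg == PublicKeyAlgorithmTags.RSA_SIGN;
    }

    /** Human-readable name for the OpenPGP public-key algorithm id, for the error message. */
    static String algorithmName(int alg) {
        switch (alg) {
            case PublicKeyAlgorithmTags.RSA_GENERAL: return "RSA";
            case PublicKeyAlgorithmTags.RSA_SIGN:    return "RSA (sign-only)";
            case PublicKeyAlgorithmTags.RSA_ENCRYPT: return "RSA (encrypt-only)";
            case PublicKeyAlgorithmTags.DSA:         return "DSA";
            case PublicKeyAlgorithmTags.ECDSA:       return "ECDSA";
            default:                                 return "algorithm id " + alg;
        }
    }
}
```

Calling requireRsaSigningKey(secretKey) on a DSA key raises immediately with the algorithm named, so a build fails at signing time rather than at install time on the target host.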
bschelberg pushed a commit to bschelberg/redline that referenced this issue on Sep 28, 2016:
…an unverifiable signature
It seems like DSA has been deprecated by some projects, and we're strongly
encouraged to move to RSA. However, Redline RPM currently accepts DSA
keys for signing, but signs the package incorrectly, resulting in
errors from RPM that are difficult to diagnose.