RPM Package
rpm 4.20, sequoia OpenPGP and old packages
TL;DR Packages with non-conformant OpenPGP signatures must be reinstalled with --nosignature.
rpm 4.20 dropped the venerable rpmpgp custom library in favor of rpm-sequoia (https://sequoia-pgp.org/). The side effect is that sequoia is much stricter in validating signatures and fails if the format does not conform to the standard. This means that packages built with rpm5 cannot be installed, and ones already installed will cause errors and must be reinstalled.
The former problem is fixed: all packages in the main PLD Th repo have been re-signed.
The latter is more involved, because rpm will barf without telling which package ails it.
The easiest way to check if your system is affected is to run
rpm -qa --nosignature --qf ''
(which should output nothing) and watch for errors like those at the end of this message.
If you see them, just run the command below, which will reinstall the rpm packages (packages on ftp were re-signed to correct signatures).
LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | \
  grep 'error: rpmdbNextIterator: skipping h#' | awk '{print $5}' | sort -u | \
  xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
  grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
  xargs -r poldek --reinstall --pmopt=--nosignature
Final words: while we could stick to the rpmpgp_legacy library for now, since it can still be used after jumping through some hoops, it will not be possible in the future, so let's deal with this now.
Sample errors:
error: rpmdbNextIterator: skipping h# 1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet: Failed to parse Signature Packet because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>. because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 100011 (23))
Header SHA1 digest: OK

error: Verifying a signature, but no certificate was provided: Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive because: Expired on 2018-09-15T07:33:10Z
error: rpmdbNextIterator: skipping h# 881
Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
Header SHA1 digest: OK
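An audit step for the check above, as an added example (not part of the original page or of rpm/poldek): it turns rpm's "skipping h#" errors into one line per damaged header, so you can see which packages the reinstall pipeline would touch, and why, before running it with --nosignature. The sample input is constructed from the errors shown above with line breaks restored; the function names and reason labels are this example's own.

```shell
#!/bin/sh
# Added example. Reads rpm stderr on stdin and prints, per skipped header:
#   <header-number> <reason> digest=<state>
skipped_headers() {
    awk '
        function emit() { if (h != "") print h, reason, "digest=" digest }
        /error: rpmdbNextIterator: skipping h#/ {
            emit()                                 # close the previous record
            match($0, /h#[ \t]*[0-9]+/)
            h = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", h)                  # keep only the header number
            reason = "unknown"; digest = "unknown"
        }
        h == "" { next }                           # skip output before the first record
        /Malformed MPI/ { reason = "malformed-mpi" }   # non-conformant signature
        /[Ss]ignature[^:]*: BAD/ && reason == "unknown" { reason = "bad-signature" }
        match($0, /digest: [A-Z]+/) { digest = substr($0, RSTART + 8, RLENGTH - 8) }
        END { emit() }
    '
}

# Dry run on a live system: the check command from the page feeds the parser,
# and each header number is resolved to a package name with the same query
# the reinstall pipeline uses. Nothing is reinstalled.
audit() {
    rpm -qa --nosignature --qf '' 2>&1 | skipped_headers |
    while read -r h reason digest; do
        name=$(rpm -q --qf '%{name}\n' --nosignature --querybynumber "$h" </dev/null)
        printf '%s\t%s\t%s\t%s\n' "$h" "$name" "$reason" "$digest"
    done
}

# Constructed sample input, based on the sample errors on this page.
SAMPLE='error: rpmdbNextIterator: skipping h#    1292
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
  Failed to parse Signature Packet
      because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 100011 (23))
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#     881
Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
Header SHA1 digest: OK'

printf '%s\n' "$SAMPLE" | skipped_headers
```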
rpm5 to rpm.org rpm porting status
rpm5 to rpm.org rpm package update
All of the below is fully automated within the package using Obsoletes/Provides/Requires or postinst/posttrans scriptlets.
RPM database format change
Quoting https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
The current rpm database implementation is based on Berkeley DB 5.x, a version which is unmaintained upstream for several years now. Berkeley DB 6.x is license incompatible so moving to that is not an option. In addition, the existing rpmdb implementation is notoriously unreliable as it's not transactional and has no other means to detect inconsistencies either. Changing to a more sustainable database implementation is long overdue. We propose to change the default rpmdb format to the new sqlite based implementation.
- The rpm database format changes from Berkeley DB to SQLite; conversion is automatic after the rpm package set update. A backup of the old database is saved as /var/lib/rpm.rpmbackup-VERSION-RELEASE, using the version and release of the package that is installed (not the old one). Ex. if the old package was rpm-5.4.15-58 and the new one is rpm-4.16.1.2-1, the backup of the database will be in /var/lib/rpm.rpmbackup-4.16.1.2-1.
- Users who have a particular need to stay on the Berkeley DB backend can still do so by overriding the configuration manually (e.g. echo '%_db_backend bdb' >> /etc/rpm/macros) before updating the rpm package.
- It is also possible to convert back by overriding _db_backend and running rpm --rebuilddb.
Repackage support
Python bindings
While rpm5 provided only Python 2 bindings, rpm.org rpm provides only Python 3 bindings.
SNMP support
rpm.org rpm does not support hrmib integration.
Porting packages from rpm5 to rpm.org rpm
- Suggests are now Recommends,
- Obsoletes/Provides must follow the package naming rules: they cannot contain characters like () or /, which means packages cannot depend on paths/files or some virtual dependency names (ex. perl::Foo is not accepted).
- Minor spec syntax changes
  - Spaces around operators in dependencies are required (ex. BuildRequires: foo-devel
  - Bare words are no longer supported, please use "…" (ex. %if "%{_lib}" != "lib")
- Symlinks are always packaged with 777 mode, and using %attr() for a symlink is reported as a warning
- Requires(triggerpostun) is not supported, replace it with Requires(postun).
Spec development
- rpm.org rpm generates rpmlib(ShortCircuited) dependencies when a package is built using the --short-circuit option. To disable that, add %disable_short_circuited_deps 1 to ~/.rpmmacros
- Patch is now run with the --fuzz=0 option; add %_default_patch_fuzz 2 to ~/.rpmmacros to keep the previous behavior.
- Package file checksum digests are now SHA256 based; if you need to keep the previous behaviour, define %_source_filedigest_algorithm 1 and %_binary_filedigest_algorithm 1 in ~/.rpmmacros