packages:rpm

packages:rpm [2021-02-23 16:45] – no repackage here baggins
packages:rpm [2025-02-27 13:03] (current) arekm
Line 1: Line 1:
 ====== RPM Package ====== ====== RPM Package ======
 +
 +===== rpm 4.20, sequoia OpenPGP and old packages =====
 +
 +TL;DR Packages with non-conformant OpenPGP signatures must be
 +resinstalled with --nosignature.
 +
 +rpm 4.20 dropped the venerable rpmpgp custom library in favor of
 +rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
 +sequoia is much stricter in validating signatures and fail if the
 +format is non-conformat to the standard. What it means is that
 +packages built with rpm5 cannot be installed and ones already
 +installed will cause errors and must be reinstalled.
 +
 +The former problem is fixed, All packages in main PLD Th repo have been re-signed.
 +
 +The later is more involved, because rpm will barf without telling
 +which package ails it.
 +
 +The easiest way to check if your system is affeted is to run
 +''<nowiki>rpm -qa --nosignature --qf ''</nowiki>'' (which should output nothing) and watch
 +if you see errors like those at the end of this message.
 +In case you do, just run the below command, which will reinstall rpm packages (packages on ftp
 +were re-signed to correct signatures).
 +
 +  LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | \
 +  grep 'error: rpmdbNextIterator: skipping h#' | awk '{print $5}' | sort -u | \
 +  LC_ALL=C xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
 +  grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
 +  xargs -r poldek --reinstall --pmopt=--nosignature
 +  
 +If you get errors about some packages not available (on ftp) from poldek then try reinstalling one by one:
 +
 +  [...] (like above)
 +  xargs -n 1 -r poldek --reinstall --pmopt=--nosignature
 +  
 +And possibly uninstall packages that are no longer available and are not needed.
 +
 +
 +Final words - while we could stick to rpmpgp_legacy library for now,
 +since it still can be used after going through some hoops, it will not
 +be pssible in the future, so let's deal with this now.
 +
 +Sample errors:
 +
 +  error: rpmdbNextIterator: skipping h#    1292
 +  Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
 +    Failed to parse Signature Packet
 +          because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
 +                because: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100011 (23))
 +                Header SHA1 digest: OK
 + 
 +
 +  error: Verifying a signature, but no certificate was provided:
 +    Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
 +          because: Expired on 2018-09-15T07:33:10Z
 +  error: rpmdbNextIterator: skipping h#     881
 +  Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
 +  Header SHA1 digest: OK
  
 ===== rpm5 to rpm.org rpm porting status ===== ===== rpm5 to rpm.org rpm porting status =====
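Review bot: The reinstall pipeline ends in "poldek --reinstall --pmopt=--nosignature", so the replacement packages are installed with signature checking switched off, even though the paragraph above says the packages on ftp were re-signed to correct signatures. Add a sentence before the command saying why the option is still required at that step, and tell the reader to re-run the check from the previous paragraph afterwards to confirm no errors remain. That check (rpm -qa --nosignature --qf '') also passes --nosignature, while the detection step of the pipeline (rpm -Va --nofiledigest --nofiles --nodigest) does not; state which of the two is expected to print the sample errors. The grep -vE names (package1buitmanuallyduetolicense, package2buitmanuallyduetolicense) read as placeholders and should be introduced as such. Spelling in the added text: "resinstalled", "non-conformat", "affeted", "pssible", "later" for "latter", and "fail" for "fails".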
Line 28: Line 86:
 ==== Repackage support ==== ==== Repackage support ====
  
-<note warning>Repackage is not supported by rpm.org rpm, so not rely on it.</note>+<note warning>Repackage is not supported by rpm.org rpm, so do not rely on it.</note>
  
 ==== Python bindings ==== ==== Python bindings ====
Line 50: Line 108:
 ===== Spec development ===== ===== Spec development =====
  
-  * rpm.org rpm generates ''rpmlib(ShortCircuited)'' dependencies when package is build using ''%%--short-circuit%%'' option. To disable that add ''%disable_short_circuited_deps 0'' to ~/.rpmmacros+  * rpm.org rpm generates ''rpmlib(ShortCircuited)'' dependencies when package is build using ''%%--short-circuit%%'' option. To disable that add ''%disable_short_circuited_deps 1'' to ~/.rpmmacros
   * Patch is now run with ''--fuzz=0'' option, add ''%_default_patch_fuzz 2'' to ''~/.rpmmacros'' to keep previous behavior.    * Patch is now run with ''--fuzz=0'' option, add ''%_default_patch_fuzz 2'' to ''~/.rpmmacros'' to keep previous behavior. 
   * Package file checksum digests are now SHA256 based, if you need to keep previous behaviour, define ''%_source_filedigest_algorithm 1'' and ''%_binary_filedigest_algorithm 1'' into ''~/.rpmmacros''   * Package file checksum digests are now SHA256 based, if you need to keep previous behaviour, define ''%_source_filedigest_algorithm 1'' and ''%_binary_filedigest_algorithm 1'' into ''~/.rpmmacros''
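Review bot: In the changed bullet, ~/.rpmmacros is left as plain text while the two bullets below it wrap the path in '' monospace markup, and "when package is build" should read "when the package is built"; both can be fixed in the same edit. The switch from 0 to 1 makes the value agree with "To disable that", but the bullet does not say what the macro is set to by default, so a reader cannot tell whether the old instruction was a no-op; a short remark on the default would close that gap.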
packages/rpm.1614095124.txt.gz · Last modified: 2021-02-23 16:45 by baggins

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain