Differences

This shows you the differences between two versions of the page.

--- packages:rpm [2021-02-23 16:45] – no repackage here baggins
+++ packages:rpm [2025-02-27 13:03] (current) – arekm
@@ Line 1: / Line 1: @@
 ====== RPM Package ======
+===== rpm 4.20, sequoia OpenPGP and old packages =====
+TL;DR Packages with non-conformant OpenPGP signatures must be
+resinstalled with --nosignature.
+rpm 4.20 dropped the venerable rpmpgp custom library in favor of
+rpm-sequoia (https://sequoia-pgp.org/). The side effect is that
+sequoia is much stricter in validating signatures and fail if the
+format is non-conformat to the standard. What it means is that
+packages built with rpm5 cannot be installed and ones already
+installed will cause errors and must be reinstalled.
+The former problem is fixed, All packages in main PLD Th repo have been re-signed.
+The later is more involved, because rpm will barf without telling
+which package ails it.
+The easiest way to check if your system is affeted is to run
+''<nowiki>rpm -qa --nosignature --qf ''</nowiki>'' (which should output nothing) and watch
+if you see errors like those at the end of this message.
+In case you do, just run the below command, which will reinstall rpm packages (packages on ftp
+were re-signed to correct signatures).
+  LC_ALL=C rpm -Va --nofiledigest --nofiles --nodigest 2>&1 | \
+  grep 'error: rpmdbNextIterator: skipping h#' | awk '{print $5}' | sort -u | \
+  LC_ALL=C xargs -r rpm -q --qf='%{name}\n' --nosignature --querybynumber | \
+  grep -vE 'package1buitmanuallyduetolicense|package2buitmanuallyduetolicense' | \
+  xargs -r poldek --reinstall --pmopt=--nosignature
+If you get errors about some packages not available (on ftp) from poldek then try reinstalling one by one:
+  [...] (like above)
+  xargs -n 1 -r poldek --reinstall --pmopt=--nosignature
+And possibly uninstall packages that are no longer available and are not needed.
+Final words - while we could stick to rpmpgp_legacy library for now,
+since it still can be used after going through some hoops, it will not
+be pssible in the future, so let's deal with this now.
+Sample errors:
+  error: rpmdbNextIterator: skipping h#    1292
+  Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
+    Failed to parse Signature Packet
+          because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
+                because: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100011 (23))
+                Header SHA1 digest: OK
+  error: Verifying a signature, but no certificate was provided:
+    Signature fcf4 created at Thu Aug 16 07:33:10 2018 invalid: signature is not alive
+          because: Expired on 2018-09-15T07:33:10Z
+  error: rpmdbNextIterator: skipping h#     881
+  Header V4 DSA/SHA1 Signature, key ID 61ac3fd4: BAD
+  Header SHA1 digest: OK
 ===== rpm5 to rpm.org rpm porting status =====
@@ Line 28: / Line 86: @@
 ==== Repackage support ====
-<note warning>Repackage is not supported by rpm.org rpm, so not rely on it.</note>
+<note warning>Repackage is not supported by rpm.org rpm, so do not rely on it.</note>
 ==== Python bindings ====
@@ Line 50: / Line 108: @@
 ===== Spec development =====
-  * rpm.org rpm generates ''rpmlib(ShortCircuited)'' dependencies when package is build using ''%%--short-circuit%%'' option. To disable that add ''%disable_short_circuited_deps 0'' to ~/.rpmmacros
+  * rpm.org rpm generates ''rpmlib(ShortCircuited)'' dependencies when package is build using ''%%--short-circuit%%'' option. To disable that add ''%disable_short_circuited_deps 1'' to ~/.rpmmacros
   * Patch is now run with ''--fuzz=0'' option, add ''%_default_patch_fuzz 2'' to ''~/.rpmmacros'' to keep previous behavior.
   * Package file checksum digests are now SHA256 based, if you need to keep previous behaviour, define ''%_source_filedigest_algorithm 1'' and ''%_binary_filedigest_algorithm 1'' into ''~/.rpmmacros''