
fix: exclude legacy RPM targets from GPG signing with recent key#143

Merged
patrick-stephens merged 1 commit into main from fix_package_signing
Dec 2, 2025

Conversation


@patrick-stephens patrick-stephens commented Dec 2, 2025

Legacy OS targets cannot handle more recent GPG keys and just trigger failures when attempting to install the package - even with --nogpgcheck or similar.

See https://serverfault.com/a/624910

RPM fails to validate signed packages, didn't understand v4 GPG signatures but didn't notice it didn't understand them, didn't understand some key sizes and types but didn't notice it didn't understand that, and also choked on subkeys!

You must force GnuPG to use v3 signatures when signing on/for RHEL / CentOS 5 or 6:

%__gpg_sign_cmd %{__gpg} \
    gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
    --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
    -sbo %{__signature_filename} %{__plaintext_filename}
because RPM doesn't check the sigversion or validate the signed package after signing it, and these distros contain GPG versions that default to v4 signatures.

You must also generate a 2048 bit signing-only RSA key with no subkeys.

A couple of relevant bugs:

[RPM seems unable to find (GPG) RSA keys for verifying signatures](https://bugzilla.redhat.com/show_bug.cgi?id=86012)

[rpm --sign with 4096bit or 2048bit RSA key creates broken signature](https://bugzilla.redhat.com/show_bug.cgi?id=436812)

Summary by cubic

Stop signing RPMs for legacy distros (CentOS 6–8, AlmaLinux 8, Rocky 8) to prevent install failures with newer GPG keys. Installs on these platforms now work, and supported targets remain signed.

  • Bug Fixes
    • scripts/sign-packages.sh: sign all RPMs, then remove signatures from legacy targets.
    • install.sh: add INSTALL_ADDITIONAL_PARAMETERS to pass extra package manager flags (e.g., --nogpgcheck) during installation.

Written for commit dd80bdd. Summary will update automatically on new commits.

@patrick-stephens patrick-stephens marked this pull request as ready for review December 2, 2025 13:46
@patrick-stephens patrick-stephens requested a review from a team December 2, 2025 13:46

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 2 files



<file name="scripts/sign-packages.sh">

<violation number="1" location="scripts/sign-packages.sh:46">
P1: The `tty` command fails with exit status 1 in non-interactive environments (like CI). With `set -e` enabled, this will cause the script to abort before signing any packages. Consider using `GPG_TTY=$(tty 2>/dev/null || true)` or checking if TTY is available first.</violation>
</file>

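The sign-everything-then-strip-legacy flow from the PR summary and the `tty`-under-`set -e` finding from the review bot, worked through in one script. This is an added example, not the project's `scripts/sign-packages.sh`: the `<distro>/<version>/<pkg>.rpm` directory layout is assumed for the purpose of classifying targets, the legacy list is the one the summary names (CentOS 6-8, AlmaLinux 8, Rocky 8), and `rpmsign --delsign` is this example's choice of stripping mechanism rather than something the page states the project uses.

```shell
#!/usr/bin/env sh
# Added example, not the project's scripts/sign-packages.sh: sign every RPM with the
# current key, then remove the signature again from targets whose rpm cannot cope
# with it. The <distro>/<version>/<pkg>.rpm layout is an assumption for this example.
set -eu

# Legacy set from the PR summary: CentOS 6-8, AlmaLinux 8, Rocky 8.
# Returns 0 for a path that belongs to one of those targets, 1 otherwise.
is_legacy_target() {
  case "$1" in
    centos/6/*|centos/7/*|centos/8/*) return 0 ;;
    almalinux/8/*|rockylinux/8/*)     return 0 ;;
    *)                                return 1 ;;
  esac
}

# Print, one per line, the paths among the arguments that must be stripped again.
legacy_targets() {
  for pkg in "$@"; do
    if is_legacy_target "$pkg"; then
      printf '%s\n' "$pkg"
    fi
  done
}

# Under `set -e` a bare GPG_TTY=$(tty) aborts the script on CI runners that have no
# terminal, because tty exits 1 there. Its stdout in that case is the literal text
# "not a tty", so testing the exit status (rather than swallowing it with `|| true`)
# is what keeps GPG_TTY from being set to a bogus device name. Always returns 0.
resolve_gpg_tty() {
  if t=$(tty 2>/dev/null); then
    GPG_TTY="$t"
    export GPG_TTY
  fi
  return 0
}

# Sign everything, then delete the signature from legacy targets. rpmsign is the
# signing front end in current rpm releases (older ones expose the same options via
# rpm itself) and reads the signing key from the %_gpg_name macro, as in the PR's quote.
sign_then_strip_legacy() {
  resolve_gpg_tty
  for pkg in "$@"; do
    rpmsign --addsign "$pkg"
  done
  legacy_targets "$@" | while IFS= read -r pkg; do
    rpmsign --delsign "$pkg"
  done
}

# Constructed sample invocation; runs only when paths are given on the command line:
#   ./sign-then-strip.sh centos/7/example-1.0-1.x86_64.rpm almalinux/9/example-1.0-1.x86_64.rpm
if [ "$#" -gt 0 ]; then
  sign_then_strip_legacy "$@"
fi
```

The classification is deliberately a pure function with no side effects so that the decision about which artifacts end up unsigned can be checked without a GPG key or an rpm database present. Note the difference between `GPG_TTY=$(tty 2>/dev/null || true)`, which keeps the script alive but leaves `GPG_TTY` holding the string `not a tty` on a CI runner, and the exit-status check above, which leaves the variable unset in that case.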

Signed-off-by: Patrick Stephens <pat@fluent.do>
@patrick-stephens patrick-stephens merged commit 2994d82 into main Dec 2, 2025
1 check passed
@patrick-stephens patrick-stephens deleted the fix_package_signing branch December 2, 2025 14:11
