If you've ever encountered the maddening world of RPM signing issues, you're not alone. The combination of RPM 4.4.2.3 on CentOS/RHEL 5 with various GPG key types creates a perfect storm of cryptographic frustration.
Here's what you might be seeing:
$ rpm -v -K package.rpm
package.rpm:
Header V3 DSA signature: NOKEY, key ID 92fb1e62
Header SHA1 digest: OK
V3 DSA signature: NOKEY, key ID 92fb1e62
Or even worse:
$ rpm -v -K package.rpm
Header V3 RSA/SHA1 signature: BAD, key ID 1fc138cc
After extensive testing across CentOS 5, 6, and Fedora systems, several key patterns emerge:
- GPG key type (DSA vs RSA) and size matter
- RPM version compatibility issues
- Passphrase handling differs (rpm 4.4 prompts for the pass phrase on the terminal and hands it to gpg on file descriptor 3)
- Signature format limitations (the signing macro below forces V3 signature packets and SHA-1 digests for this reason)
For CentOS 5 systems, here's what actually works:
1. Key Generation Best Practices
Generate your key with these parameters. Pick a sign-only key so that no signing subkey is created: rpm 4.4 looks a signature's key ID up against the primary keys it has imported, and a signature made by a subkey comes back NOKEY even after the key is in the database.
$ gpg --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
2. Proper RPM Configuration
Edit your ~/.rpmmacros file:
%_signature gpg
%_gpg_path /path/to/gnupg
%_gpg_name your-key-id
%_gpgbin /usr/bin/gpg
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs \
--digest-algo=sha1 --batch --no-verbose \
--no-armor --passphrase-fd 3 --no-secmem-warning \
-u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
Two things here are easy to get wrong. The gpg token right after %{__gpg} is not a typo: rpm executes the first word and passes the remaining words as the argument vector, so that token is argv[0], and dropping it makes gpg lose the first real option. %_gpg_path is exported to gpg as GNUPGHOME, so it must point at the directory holding the secret keyring, not at the gpg binary. --force-v3-sigs and --digest-algo=sha1 keep the signature in the older packet form that rpm 4.4 can verify.
3. Verification Workarounds
For the NOKEY issue, try:
$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-yourkey
$ rpm -qa gpg-pubkey-*
$ rpm --checksig --verbose package.rpm
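The three steps above as one runnable script. This is an added example, not the article's own procedure and not code from the rpm or CentOS projects. It assumes gpg 1.4 style unattended key generation from a parameter file, that expect is installed to answer the pass phrase prompt rpm 4.4 prints on the terminal, and it uses a private rpm database via --dbpath so that --import and -Kv need no root; the name, address and pass phrase are placeholders.

```shell
#!/bin/sh
# Added example: end-to-end CentOS 5 signing run (not the article's own script).
# Assumptions: gpg 1.4 (batch key generation from a parameter file), expect
# installed, rpm 4.4 (--addsign asks for the pass phrase on the tty).
# Placeholder identity and pass phrase; never reuse them.
set -eu

KEY_NAME="Example Packager"
KEY_MAIL="packager@example.invalid"
KEY_PASS="example-passphrase"

# .rpmmacros matching the "Proper RPM Configuration" step.
# $1 = directory rpm exports as GNUPGHOME, $2 = key ID to sign with.
# The second "gpg" is argv[0]: rpm execs the first word and passes the rest
# as the argument vector, so dropping it silently eats the first option.
write_rpmmacros() {
    cat <<EOF
%_signature gpg
%_gpg_path $1
%_gpg_name $2
%_gpgbin /usr/bin/gpg
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
EOF
}

# gpg --batch --gen-key parameter file: the interactive "RSA (sign only), 2048"
# choice. gpg 1.4 takes the pass phrase from a Passphrase: line.
write_genkey_params() {
    cat <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $KEY_NAME
Name-Email: $KEY_MAIL
Expire-Date: 0
Passphrase: $KEY_PASS
%commit
EOF
}

# rpm 4.4 reads the pass phrase from the terminal, not stdin, so drive the
# prompt with expect. $1 = package to sign (signed in place).
sign_package() {
    expect <<EOF
spawn rpm --addsign $1
expect "Enter pass phrase:"
send "$KEY_PASS\r"
expect eof
EOF
}

# Run everything under a throwaway HOME: fresh keyring, fresh ~/.rpmmacros
# and a private rpmdb, so nothing system-wide is touched.
run_demo() {
    pkg=$1
    HOME=$(mktemp -d); export HOME
    GNUPGHOME="$HOME/.gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    write_genkey_params | gpg --batch --gen-key
    # field 5 of the pub: line is the 16-hex key ID; rpm -K shows its low 8 digits
    keyid=$(gpg --list-keys --with-colons "$KEY_MAIL" | awk -F: '$1 == "pub" { print $5; exit }')
    write_rpmmacros "$GNUPGHOME" "$keyid" > "$HOME/.rpmmacros"
    sign_package "$pkg"
    gpg --armor --export "$keyid" > "$HOME/RPM-GPG-KEY-example"
    rpm --dbpath "$HOME/rpmdb" --initdb
    rpm --dbpath "$HOME/rpmdb" --import "$HOME/RPM-GPG-KEY-example"
    rpm --dbpath "$HOME/rpmdb" -qa 'gpg-pubkey*'
    rpm --dbpath "$HOME/rpmdb" -Kv "$pkg"
}

# Usage: sh sign-el5.sh run package.rpm
# Without arguments the script only defines the functions above.
if [ "${1:-}" = run ] && [ -n "${2:-}" ]; then
    run_demo "$2"
fi
```

The private rpmdb is the useful trick here: it lets you confirm that the key you just exported really verifies the package you just signed, on the build host and without root, before the key is rolled out to /etc/pki/rpm-gpg on the target machines.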
If you're still seeing issues, try these diagnostic steps:
Checking GPG Agent
$ gpg-agent --daemon --verbose
$ export GPG_TTY=$(tty)
Examining RPM Headers
Show which key each signature was made with. Each tag prints the algorithm, signing time and key ID of that signature, or (none) when the package carries no signature of that kind:
$ rpm -qp --qf '%{SIGPGP:pgpsig}\n%{SIGGPG:pgpsig}\n%{RSAHEADER:pgpsig}\n%{DSAHEADER:pgpsig}\n' package.rpm
Compare the key ID shown here with rpm -qa gpg-pubkey* and with gpg --list-keys on the signing host; a mismatch means a different key (or a subkey) signed the package than the one you imported.
Alternative Signing Method
Signing outside of rpm is a check, not a substitute: rpm --addsign does not consume a detached .asc file, it runs %__gpg_sign_cmd itself and stores the result in the signature header. Making a detached signature by hand does confirm that the key, pass phrase and gpg binary named in ~/.rpmmacros actually work:
$ gpg --detach-sign --armor package.rpm
$ gpg --verify package.rpm.asc package.rpm
Once that passes, sign for real:
$ rpm --addsign package.rpm
For Fedora systems experiencing the "Unsupported PGP signature" error, install rpm-sign and define the signing command for a modern gpg. Note the macro name: rpm reads %__gpg_sign_cmd with two leading underscores, so a %_gpg_sign_cmd line is silently ignored. The gpg token after %{__gpg} is argv[0], as above, and --pinentry-mode loopback lets gpg 2.1+ take the pass phrase from file descriptor 3 instead of popping up pinentry:
$ sudo dnf install rpm-sign
$ cat >> ~/.rpmmacros <<'EOF'
%__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor \
    --passphrase-fd 3 --pinentry-mode loopback \
    --digest-algo sha256 --no-secmem-warning \
    -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
EOF
The quoted heredoc keeps the %{...} references and the trailing backslashes intact; rpm joins backslash-continued lines when it reads the macro file.
If you've ever encountered the maddening combination of NOKEY and BAD signature errors when working with RPM packages on RHEL/CentOS 5 systems, you're not alone. The frustration is real when your freshly signed RPMs fail verification with the same key that just signed them.
First, let's establish the baseline environment where these issues manifest:
$ cat /etc/redhat-release
CentOS release 5.10 (Final)
$ rpm --version
RPM version 4.4.2.3
$ gpg --version
gpg (GnuPG) 1.4.5
These are the typical symptoms you might encounter:
Case 1: NOKEY After Successful Import
$ sudo rpm --import /tmp/packagers
$ rpm -qa gpg*
gpg-pubkey-92fb1e62-54001945
$ rpm -v -K test.el5.x86_64.rpm
test.el5.x86_64.rpm:
Header V3 DSA signature: NOKEY, key ID 92fb1e62
Case 2: BAD Signature on Freshly Signed Packages
$ rpm --define '%_gpg_name XXX@XXX.com' --resign test.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
$ rpm -v -K test.x86_64.rpm
test.x86_64.rpm:
Header V3 RSA/SHA1 signature: BAD, key ID 1fc138cc
The core issue stems from several factors:
- Outdated RPM version (4.4.2.3) with known signature verification bugs
- Incompatibility between GPG key types and RPM's signature verification
- Subkey handling differences between GPG and RPM
Here are the most effective workarounds I've found:
Solution 1: Use Specific Key Types and Sizes
For CentOS 5, stick to these combinations:
# 1024-bit RSA key works most reliably
gpg --gen-key
(1) RSA and RSA (default)
Keysize: 1024
Expiration: 0 (key does not expire)
Treat this as a compatibility key only: 1024-bit RSA with SHA-1 signatures is well below current minimums, so generate it solely for packages aimed at EL5, keep it separate from any key you use elsewhere, and retire it together with the EL5 targets. Option (1) also creates an encryption subkey; that is harmless, since rpm signs with the primary key, but do not add a signing subkey (see the checklist at the end).
Solution 2: Proper Key Configuration
Ensure your ~/.rpmmacros contains:
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Your Name
%_gpgbin /usr/bin/gpg
%__gpg_sign_cmd %{__gpg} gpg \
--no-verbose --no-armor --no-secmem-warning \
--batch --no-tty \
--passphrase-fd 3 \
--default-key "%{_gpg_name}" \
-sbo %{__signature_filename} %{__plaintext_filename}
The gpg after %{__gpg} is required: rpm executes the first word and passes the rest as the argument vector, so that token is argv[0] and without it the first option is lost. %_gpg_path becomes GNUPGHOME for that gpg run, so /root/.gnupg is only right when you sign as root with the key in root's keyring. Prefer the key ID over "Your Name" for %_gpg_name if more than one key in the keyring matches the name.
Solution 3: Check the Pieces Separately
rpm offers no way to splice in a signature made outside of it: --addsign and --resign run %__gpg_sign_cmd themselves and write the result into the signature header. What you can do on a problematic system is confirm each ingredient on its own before re-signing:
# Does the package verify apart from the signature? (digests only)
rpm -K --nosignature package.rpm
# Which key ID does rpm think made the signature?
rpm -qp --qf '%{SIGPGP:pgpsig}\n%{SIGGPG:pgpsig}\n' package.rpm
# Can gpg sign and verify with that key at all, outside rpm?
gpg --detach-sign --armor -u your-key-id somefile
gpg --verify somefile.asc somefile
# Then sign again with the macros in place
rpm --resign package.rpm
A digest failure in the first command means the file changed after it was signed, and no key fix will help. A key ID in the second command that is not the one gpg --list-keys shows for your signing key means the package was signed by a different key, or by a subkey, than the one you imported.
Before giving up, verify all these elements:
- GPG key is in the RPM database (rpm -qa gpg-pubkey*)
- Correct %_gpg_name is set in ~/.rpmmacros
- GPG agent isn't interfering (gpg-agent --daemon)
- No subkeys are involved in signing
- Passphrase contains no special characters
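The checklist above, turned into a small triage script. This is an added example and not part of the original write-up or of rpm itself. It works on captured text from the commands the checklist names (rpm -Kv, rpm -qa 'gpg-pubkey*', gpg --list-keys --with-colons on the signing host); the three inputs embedded in it are constructed samples shaped like the symptoms shown earlier, not output from a real system, and the verdict names and explanations are this example's own.

```shell
#!/bin/sh
# Added triage helper (not from the original write-up). It cross-checks the
# items in the checklist: which key IDs rpm -Kv complains about, whether each
# is in the rpm database, and whether, in the signer's keyring, that ID is a
# primary key or a subkey. All inputs below are constructed samples.
set -eu

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed rpm -Kv output, modelled on the cases shown above.
cat > "$TMP/rpm-K.txt" <<'EOF'
test.el5.x86_64.rpm:
Header V3 DSA signature: NOKEY, key ID 92fb1e62
Header SHA1 digest: OK
V3 DSA signature: NOKEY, key ID 92fb1e62
test.x86_64.rpm:
Header V3 RSA/SHA1 signature: BAD, key ID 1fc138cc
sub-signed.x86_64.rpm:
Header V3 DSA signature: NOKEY, key ID a1b2c3d4
unknown.x86_64.rpm:
Header V3 DSA signature: NOKEY, key ID deadbeef
EOF

# Constructed rpm -qa 'gpg-pubkey*' output. The package name carries the
# low 32 bits of the *primary* key ID and the key's creation time.
cat > "$TMP/rpmdb.txt" <<'EOF'
gpg-pubkey-92fb1e62-54001945
gpg-pubkey-1fc138cc-54001945
gpg-pubkey-33445566-54001945
EOF

# Constructed gpg --list-keys --with-colons output from the signing host.
# Field 5 is the 16-hex key ID; a1b2c3d4 is a subkey of 33445566.
cat > "$TMP/keys.txt" <<'EOF'
tru::1:1409400000:0:3:1:5
pub:u:2048:17:6A3F0C1D92FB1E62:2014-08-29:::u:Packager One <one@example.invalid>::scSC:
pub:u:2048:1:5E2B71031FC138CC:2014-08-29:::u:Packager Two <two@example.invalid>::scSC:
pub:u:2048:17:7C0D4B9E33445566:2014-08-29:::u:Packager Three <three@example.invalid>::scSC:
sub:u:2048:17:0F1E2D3CA1B2C3D4:2014-08-29::::::s:
EOF

# Print "keyid status" for every NOKEY/BAD line in rpm -Kv output ($1), deduplicated.
sig_problems() {
    awk '/signature: (NOKEY|BAD), key ID / {
             split($0, a, "signature: "); split(a[2], b, ", key ID ")
             print b[2], b[1] }' "$1" | sort -u
}

# Classify one problem. $1 = key ID (8 lowercase hex), $2 = NOKEY or BAD,
# $3 = rpm -qa 'gpg-pubkey*' output, $4 = gpg --with-colons output.
classify() {
    kid=$1; st=$2; db=$3; ring=$4
    in_db=no
    grep -qi "^gpg-pubkey-$kid-" "$db" && in_db=yes
    # low 8 digits of field 5 on pub:/sub: lines are what rpm -K prints
    role=$(awk -F: -v k="$kid" \
        '($1 == "pub" || $1 == "sub") && tolower(substr($5, 9)) == k { print $1; exit }' "$ring")
    case "$st/$in_db/${role:-none}" in
        NOKEY/*/sub)  echo SUBKEY ;;
        NOKEY/no/*)   echo NOT_IMPORTED ;;
        NOKEY/yes/*)  echo RECHECK_IMPORT ;;
        BAD/yes/*)    echo BAD_SIGNATURE ;;
        *)            echo BAD_AND_MISSING ;;
    esac
}

explain() {
    case "$1" in
        NOT_IMPORTED)   echo "public key not in rpmdb: rpm --import the signer's exported key" ;;
        SUBKEY)         echo "signed with a subkey; the gpg-pubkey entry is named after the primary key, so rpm 4.4 never finds this ID: re-sign with a key that has no signing subkey" ;;
        RECHECK_IMPORT) echo "key is imported yet NOKEY: compare rpm -qi gpg-pubkey-<id> with gpg --export of the signing key and re-import" ;;
        BAD_SIGNATURE)  echo "key found but signature rejected: signature packet not V3/SHA-1 as rpm 4.4 expects, or package changed after signing" ;;
        *)              echo "BAD with no matching key in rpmdb: inspect with rpm -qp --qf '%{SIGPGP:pgpsig}'" ;;
    esac
}

# $1 = rpm -Kv capture, $2 = rpmdb capture, $3 = gpg keyring capture
triage() {
    sig_problems "$1" | while read -r kid st; do
        v=$(classify "$kid" "$st" "$2" "$3")
        printf '%s %s %s: %s\n' "$kid" "$st" "$v" "$(explain "$v")"
    done
}

triage "$TMP/rpm-K.txt" "$TMP/rpmdb.txt" "$TMP/keys.txt"
```

On a real system replace the three heredocs with `rpm -Kv *.rpm`, `rpm -qa 'gpg-pubkey*'` and `gpg --list-keys --with-colons` captured to files; the SUBKEY verdict is the one the checklist's "no subkeys" item is about, and it is invisible to `rpm -qa` alone because the database entry is named after the primary key.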
Remember that these issues largely disappear on CentOS 6+ and RHEL 7+ systems with modern RPM versions. The most reliable solution might be upgrading your build environment while maintaining compatibility for older target systems.