#363 RFE: support signing rpms with multiple keys
Closed: Invalid, 2 years ago. Opened 3 years ago by kevin.

It would be nice if koji allowed writing out rpms that are signed by multiple keys.

This would help Fedora around branching time.

Currently: We sign all the rawhide packages with the new key (say f28) and also sign them with the upcoming branched version (f27), then at branching pungi pulls the f27 ones for branched and the f28 ones for rawhide. Unfortunately, this means they cannot be hard linked, so mirrors get every package changed for both trees at branch time.

Ideally: we could have koji write out packages signed with both keys and use them for the branching period so we can hardlink and such.


From the rpmsign man page:

Both of the --addsign and --resign options generate and insert new signatures for each package PACKAGE_FILE given, replacing any existing signatures.
There are two options for historical reasons, there is no difference in behavior currently.

As I understand it, an individual rpm file can only have one signature. Has this changed?

You can of course resign with different signature and keep both copies around. Koji supports this. Koji can track multiple cached signatures and write out multiple signed copies for rpms.

Yeah, but that seems out of date:

https://github.com/rpm-software-management/rpm/blob/1b338aa84d4c67fefa957352a028eaca1a45d1f6/doc/manual/format

says: "The Signature can contain multiple signatures, of different types.
There are currently only three types, each with its own tag in the
header structure"

https://github.com/rpm-software-management/rpm/blob/1b338aa84d4c67fefa957352a028eaca1a45d1f6/doc/manual/signatures

According to those --addsign should now just add... but we may need to clarify with rpm maintainers.

Maybe the man page just needs updating, or maybe the feature was added in F25 (I'm still on 24 here).

This looks tricky actually.

The naive way to support this would be to combine the key values into a single string for the key field in the rpmsigs table. So for a particular multi-signed entry, you'd have a key value like 06021585+4C8DD725. But this would mean that if you asked koji for the 4C8DD725 signed copy, it would think it didn't have it.

Alternately we could modify the schema and track multiple keys per signature. This would actually complicate a lot of things internally.

Right now, Koji refuses to accept resigning. That is, if you've already imported a signature for rpm X with key Y, then Koji won't take another one. Now, with this we have a signature for keys Y+Z and someone tries to import one for just Y. Do we take it? What if we have signatures for keys Y+Z and Y+W, and someone requests a signed copy for key Y. Do we use the Y+Z, the Y+W, or error because we don't have a signature for "just" Y?

Anyway, messy...
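The two bookkeeping schemes sketched in the comment above, as an added toy model (not Koji's code; the table and column names, the `+`-joined sigkey format and the lookup policy for the keyset scheme are assumptions made for this example, not Koji's schema or behaviour). It shows the concrete failure of the naive scheme, a `+`-combined row is invisible to a lookup for one of its keys, and the ambiguity the keyset scheme runs into when Y+Z and Y+W both exist and someone asks for Y.

```python
"""Toy model of two ways to record multi-key signatures in a Koji-style
rpmsigs table.  Constructed example; not Koji code, not Koji's schema."""


class AmbiguousSignature(LookupError):
    """More than one cached signature could satisfy a request for one key."""


class NaiveSigCache:
    """Scheme 1: the sigkey column holds the key IDs joined with '+'.
    Lookup is an exact match on (rpm, sigkey), as Koji's single-key lookup is,
    so a combined row is never found when a single key is requested."""

    def __init__(self):
        self.rows = {}        # (rpm, sigkey) -> cached signature header bytes

    @staticmethod
    def sigkey(keys):
        # assumed encoding for this example: lower-case IDs, sorted, '+'-joined
        return "+".join(sorted(k.lower() for k in keys))

    def add(self, rpm, keys, sighdr):
        row = (rpm, self.sigkey(keys))
        if row in self.rows:
            raise ValueError("refusing to re-sign %s with %s" % row)  # Koji rejects resigning
        self.rows[row] = sighdr

    def lookup(self, rpm, key):
        return self.rows.get((rpm, key.lower()))


class KeysetSigCache:
    """Scheme 2: track the set of keys per cached signature.  A one-key lookup
    now has to choose among rows.  Policy modelled here (an assumption for the
    example, not Koji's behaviour): an exact single-key row wins, exactly one
    multi-key row containing the key is accepted, more than one is an error."""

    def __init__(self):
        self.rows = {}        # (rpm, frozenset(keys)) -> cached signature header bytes

    def add(self, rpm, keys, sighdr):
        row = (rpm, frozenset(k.lower() for k in keys))
        if row in self.rows:
            raise ValueError("refusing to re-sign %s with %s" % (rpm, sorted(row[1])))
        self.rows[row] = sighdr

    def candidates(self, rpm, key):
        key = key.lower()
        return [ks for (r, ks) in self.rows if r == rpm and key in ks]

    def lookup(self, rpm, key):
        exact = self.rows.get((rpm, frozenset([key.lower()])))
        if exact is not None:
            return exact
        matches = self.candidates(rpm, key)
        if len(matches) > 1:
            raise AmbiguousSignature("%s, key %s: %s" % (rpm, key, [sorted(m) for m in matches]))
        return self.rows[(rpm, matches[0])] if matches else None


# Constructed walk-through of the two cases raised in the ticket.
RPM = "fake-1.0-1.src.rpm"
naive = NaiveSigCache()
naive.add(RPM, ["06021585", "4C8DD725"], b"<sighdr signed by both keys>")
MISSED = naive.lookup(RPM, "4C8DD725")      # None: the combined row is not seen

keysets = KeysetSigCache()
keysets.add(RPM, ["Y", "Z"], b"<sighdr Y+Z>")
keysets.add(RPM, ["Y", "W"], b"<sighdr Y+W>")
```

`keysets.lookup(RPM, "Y")` raises `AmbiguousSignature` until a row for just Y is imported; `keysets.lookup(RPM, "Z")` resolves to the Y+Z copy. Whichever policy is picked, it has to be written down, because the signed-copy writer and the import path must agree on it.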

I seem unable to create an rpm with multiple signatures.

[mike@localhost fake]$ rpm -q rpm
rpm-4.13.0.1-1.fc24.x86_64
[mike@localhost fake]$ rpm -Kv fake-1.0-1.signed.src.rpm
fake-1.0-1.signed.src.rpm:
    Header SHA1 digest: OK (eb437e5b951da4d6906c476c3d12192095aa7756)
    MD5 digest: OK (d3bfbaf28da58a1cc474330177b55178)
[mike@localhost fake]$ rpmsign --define '_gpg_name mikem@redhat.com' --addsign fake-1.0-1.signed.src.rpm
fake-1.0-1.signed.src.rpm:
[mike@localhost fake]$ rpm -Kv fake-1.0-1.signed.src.rpm
fake-1.0-1.signed.src.rpm:
    Header V4 RSA/SHA256 Signature, key ID 4c8da725: NOKEY
    Header SHA1 digest: OK (eb437e5b951da4d6906c476c3d12192095aa7756)
    V4 RSA/SHA256 Signature, key ID 4c8da725: NOKEY
    MD5 digest: OK (d3bfbaf28da58a1cc474330177b55178)
[mike@localhost fake]$ rpmsign --define '_gpg_name mikem@imponderable.org' --addsign fake-1.0-1.signed.src.rpm
fake-1.0-1.signed.src.rpm:
[mike@localhost fake]$ rpm -Kv fake-1.0-1.signed.src.rpm
fake-1.0-1.signed.src.rpm:
    Header V4 RSA/SHA256 Signature, key ID 89544651: NOKEY
    Header SHA1 digest: OK (eb437e5b951da4d6906c476c3d12192095aa7756)
    V4 RSA/SHA256 Signature, key ID 89544651: NOKEY
    MD5 digest: OK (d3bfbaf28da58a1cc474330177b55178)

How can I generate a multiply signed rpm?
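What the transcript above shows at the file-format level, as an added example that is not part of the ticket and not rpm's or Koji's code. The rpm signature header is an index of (tag, type, offset, count) entries with one entry per tag, and rpm keeps each signature type in its own tag (RSA and PGP for a gpg RSA key), so there is only one slot per type. The block builds a constructed lead and signature header, parses it back, and applies a model of `--addsign` that overwrites those slots. Tag numbers and header layout are rpm's documented format; the sample rpm bytes, the stand-in "signature" blobs and the function names are constructed for this example.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header magic followed by header version 1
LEAD_SIZE = 96
RPM_INT32_TYPE, RPM_STRING_TYPE, RPM_BIN_TYPE = 4, 6, 7

# rpm's RPMSIGTAG_* values.  The header is an index of (tag, type, offset, count)
# entries with one entry per tag, so each signature type has exactly one slot.
SIGTAG_NAMES = {1000: "SIZE", 1004: "MD5", 269: "SHA1",
                268: "RSA", 267: "DSA",        # header-only signatures
                1002: "PGP", 1005: "GPG"}      # header+payload signatures
SIGNATURE_TAGS = (268, 267, 1002, 1005)


def build_header(entries):
    """Serialise {tag: (type, raw value bytes)} as an rpm header blob."""
    index, data = b"", b""
    for tag in sorted(entries):
        typ, raw = entries[tag]
        if typ == RPM_INT32_TYPE:
            data += b"\0" * (-len(data) % 4)             # int32 data is 4-byte aligned
        count = {RPM_INT32_TYPE: len(raw) // 4, RPM_STRING_TYPE: 1}.get(typ, len(raw))
        index += struct.pack(">iIiI", tag, typ, len(data), count)
        data += raw
    blob = (HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data))
            + index + data)
    return blob + b"\0" * (-len(blob) % 8)               # signature header is padded to 8 bytes


def parse_header(blob):
    """Inverse of build_header: returns ({tag: (type, raw)}, bytes consumed).
    A tag listed twice is rejected as malformed; the format gives a second
    RSA signature no slot to live in."""
    if blob[:4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    data = blob[16 + 16 * nindex:16 + 16 * nindex + hsize]
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iIiI", blob[16 + 16 * i:32 + 16 * i])
        if tag in entries:
            raise ValueError("duplicate tag %d in signature header" % tag)
        if typ == RPM_INT32_TYPE:
            raw = data[off:off + 4 * count]
        elif typ == RPM_STRING_TYPE:
            raw = data[off:data.index(b"\0", off) + 1]
        else:
            raw = data[off:off + count]
        entries[tag] = (typ, raw)
    consumed = 16 + 16 * nindex + hsize
    return entries, consumed + (-consumed % 8)


def signature_slots(rpm_bytes):
    """{slot name: signature bytes} for the populated signature slots of an rpm."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm")
    sig, _ = parse_header(rpm_bytes[LEAD_SIZE:])
    return {SIGTAG_NAMES[t]: sig[t][1] for t in SIGNATURE_TAGS if t in sig}


def addsign(rpm_bytes, new_sig):
    """Model of what rpmsign --addsign with an RSA key does to the signature
    header: the RSA and PGP slots are overwritten with the new signature and
    any DSA/GPG slots dropped.  Nothing is appended next to the old signature."""
    sig, consumed = parse_header(rpm_bytes[LEAD_SIZE:])
    for tag in (267, 1005):
        sig.pop(tag, None)
    sig[268] = (RPM_BIN_TYPE, new_sig)
    sig[1002] = (RPM_BIN_TYPE, new_sig)
    # main header and payload after the signature header are left untouched
    return rpm_bytes[:LEAD_SIZE] + build_header(sig) + rpm_bytes[LEAD_SIZE + consumed:]


# --- constructed sample: lead + signature header + a stand-in for the rest ---
LEAD = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 1, 0)      # v3.0, source rpm
        + b"fake-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
BODY = b"<main header and payload would follow here>"            # not parsed here
SIG_KEY_A = b"\x89\x00\x10fake-sig-4c8da725"   # stand-ins for OpenPGP signature
SIG_KEY_B = b"\x89\x00\x10fake-sig-89544651"   # packets, not real signatures
UNSIGNED = LEAD + build_header({
    1000: (RPM_INT32_TYPE, struct.pack(">i", len(BODY))),
    269: (RPM_STRING_TYPE, b"eb437e5b951da4d6906c476c3d12192095aa7756\0"),
    1004: (RPM_BIN_TYPE, bytes(16)),
}) + BODY
SIGNED_A = addsign(UNSIGNED, SIG_KEY_A)
SIGNED_AB = addsign(SIGNED_A, SIG_KEY_B)      # second --addsign: key A's signature is gone

if __name__ == "__main__":
    for name, rpm in ("unsigned", UNSIGNED), ("signed A", SIGNED_A), ("A then B", SIGNED_AB):
        print(name, sorted(signature_slots(rpm).items()))
```

The second `addsign` leaves no trace of the first key, which is the same thing `rpm -Kv` reported above: after the second signing only key ID 89544651 is listed. On a real package the same check is `rpm -Kv file.rpm`, which prints one RSA line per populated slot, and `rpm -qp --qf '%{SIGPGP:pgpsig}\n' file.rpm` for the header+payload slot; neither can show two RSA signatures because the header has one slot for each.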

ok, looks like it's not implemented. :( Feel free to close this I guess...

Metadata Update from @mikem:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

2 years ago

side note: I increasingly feel that embedded signatures are a problem. You shouldn't have to modify something to certify it. There are lots of ways we might implement detached signatures.

Yeah, that indeed might be a better way to go.

