Issue
I'm building a project based on the Yocto OpenEmbedded environment. I have set up GPG signing using the sign_rpm recipe.
I then plan to upload the rpms for use with Smart.
Having set up the correct public keys on the development board, I can verify that the rpms generated by the build are signed correctly (using rpm -K). I can also verify that the files generated before this do not pass the verification.
The problem: When my co-worker (who has neither the changes to recipes to generate signed files nor the private key) generates a build and I pull it down through Smart, the files appear as signed.
Files I have signed report:
(sha1) dsa sha1 md5 OK
Files he has uploaded (or copied directly to me) report the same.
Since I am gpg signing the files (or at least I believe I am) should I be seeing gpg in the output of the rpm -K command?
And to call this out once more, the rpm I copied over before I built the signed rpms shows correctly that it's unsigned:
RSA sha1 md5 NOT_OK
Hopefully I've explained this well enough that someone can see why: A - files that shouldn't be signed pass the signing check, and B - older rpms fail the check as expected.
Solution
RPM --checksig used "gpg" and "pgp" for header+payload signatures which are no longer used in RPM5.
The algorithm names "rsa" and "dsa" and "ecdsa" are displayed for header-only signatures.
Answered By - Jeff Johnson
Answer Checked By - Mary Flores (WPSolving Volunteer)
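The distinction the answer draws (gpg/pgp tokens for a header+payload signature, rsa/dsa/ecdsa for a header-only signature) is easy to miss when reading rpm -K output by eye. The following parser is an added example, not code from the question, from Jeff Johnson's answer or from the rpm project. It assumes the summary-line format shown in the question ("[path: ] [(hdrdigest)] check check ... OK|NOT OK [(note)]"), the rpm convention that a lowercase token is a check that passed and an UPPERCASE token one that failed, and it treats the leading "(sha1)" as the header digest; the sample lines beyond the two quoted in the question are constructed, as is the "GPG#0123abcd" key id.

```python
import re

# Signature token classes, following the answer: "gpg"/"pgp" name a legacy
# header+payload signature, "rsa"/"dsa"/"ecdsa" name a header-only signature.
HEADER_PAYLOAD_SIG = {"gpg", "pgp"}
HEADER_ONLY_SIG = {"rsa", "dsa", "ecdsa"}
SIGNATURES = HEADER_PAYLOAD_SIG | HEADER_ONLY_SIG

# Trailing verdict, optionally followed by a parenthesised note such as
# "(MISSING KEYS: ...)". "NOT_OK" is accepted because the question writes it that way.
_VERDICT_RE = re.compile(r"\s*(NOT[ _]OK|OK)(?:\s*\((.*)\))?\s*$")


def parse_checksig_line(line):
    """Parse one summary line of `rpm -K` output into a dict.

    Assumed format: "[path: ] [(hdrdigest)] check check ... OK|NOT OK [(note)]".
    Lowercase check tokens passed; uppercase ones failed.
    """
    line = line.strip()
    verdict_ok, note = None, None
    m = _VERDICT_RE.search(line)
    if m:
        verdict_ok = m.group(1) == "OK"
        note = m.group(2)
        line = line[: m.start()]
    # Only now split off the path, so a ": " inside the note cannot confuse us
    path, sep, rest = line.partition(": ")
    if not sep:
        path, rest = None, line
    header_digest = None
    passed, failed = [], []
    for tok in rest.split():
        if tok.startswith("(") and tok.endswith(")"):
            header_digest = tok[1:-1]  # assumed: "(sha1)" is the header digest used
        elif tok == tok.lower():
            passed.append(tok)
        else:
            failed.append(tok.lower())
    sigs = (set(passed) | set(failed)) & SIGNATURES
    return {
        "path": path,
        "header_digest": header_digest,
        "passed": passed,
        "failed": failed,
        "verdict_ok": verdict_ok,
        "note": note,
        "has_header_payload_signature": bool(sigs & HEADER_PAYLOAD_SIG),
        "has_header_only_signature": bool(sigs & HEADER_ONLY_SIG),
    }


def classify(line):
    """Summarise what a line tells you about the package's signature.

    'unsigned': only digests were checked, so the line proves integrity, not origin.
    'signature-failed': a signature token is uppercase or the verdict is NOT OK
                        (bad signature or, commonly, the public key is not installed).
    'header-only' / 'header+payload': a signature of that kind verified.
    """
    r = parse_checksig_line(line)
    if not (r["has_header_payload_signature"] or r["has_header_only_signature"]):
        return "unsigned"
    if (set(r["failed"]) & SIGNATURES) or r["verdict_ok"] is not True:
        return "signature-failed"
    return "header+payload" if r["has_header_payload_signature"] else "header-only"


# Constructed sample output; the first two lines are the ones quoted in the question
SAMPLE_LINES = [
    "(sha1) dsa sha1 md5 OK",
    "RSA sha1 md5 NOT_OK",
    "/tmp/old-pkg.rpm: RSA sha1 md5 NOT OK (MISSING KEYS: GPG#0123abcd)",
    "/tmp/unsigned.rpm: sha1 md5 OK",
]


def audit(lines=SAMPLE_LINES):
    """Return [(path or None, classification)] for each output line."""
    return [(parse_checksig_line(l)["path"], classify(l)) for l in lines]


if __name__ == "__main__":
    for path, status in audit():
        print(f"{path or '<no path>'}: {status}")
```

Running it over the two lines quoted in the question classifies "(sha1) dsa sha1 md5 OK" as a verified header-only signature and "RSA sha1 md5 NOT_OK" as a failed one; a line with nothing but digest tokens is reported as unsigned, because matching md5/sha1 digests alone say nothing about who produced the package.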