
Signing RPM packages with subkeys on RHEL7

The problem

RHEL7 doesn't support verifying RPM packages signed with GPG subkeys. The tooling will, however, happily let you shoot yourself in the foot: signing a package with a subkey goes through, no problemo.

It is only when you attempt to install the package on a RHEL7 system that the problem becomes obvious. Even after manually importing the GPG public key (primary key and subkeys included), the RHEL7 system won't recognize the signature properly.

So if you are using yubikeys to sign your work, this might be quite a serious problem.
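A pre-flight check for this pitfall, added here as an example rather than code from the original post: given the text that rpm -qpi prints for a package and the colon-separated listing from gpg --list-keys --with-colons, it decides whether the key ID that signed the package is a primary key (fine on RHEL7) or a subkey (will fail verification there). The sample outputs and key IDs below are constructed; the only assumption is the line formats of those two tools ("Signature ... Key ID <16 hex>" and "pub:"/"sub:" records with the key ID in field 5).

```shell
#!/bin/sh
# Added example: classify the key that signed an RPM as primary key or subkey,
# so subkey-signed packages are caught before they reach a RHEL7 host.

# Constructed sample of `rpm -qpi hello-1.0-1.el7.x86_64.rpm` output (fake key ID).
SAMPLE_RPM_INFO='Name        : hello
Version     : 1.0
Release     : 1.el7
Signature   : RSA/SHA256, Mon 01 Apr 2019 10:00:00 AM UTC, Key ID 1111222233334444'

# Constructed sample of `gpg --list-keys --with-colons` output (fake key IDs):
# the primary key is AAAABBBBCCCCDDDD, the signing subkey is 1111222233334444.
SAMPLE_GPG_KEYS='tru::1:1554112000:0:3:1:5
pub:u:4096:1:AAAABBBBCCCCDDDD:1554112000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAABBBBCCCCDDDD:
uid:u::::1554112000::HASH::Example Signer <signer@example.com>::::::::::0:
sub:u:4096:1:1111222233334444:1554112000::::::s::::::23:
fpr:::::::::00000000000000001111222233334444:'

# Extract the signing key ID from `rpm -qpi` text, lowercased.
# $1: rpm -qpi output
signing_key_id() {
    printf '%s\n' "$1" | sed -n 's/^Signature.*Key ID \([0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f'
}

# Print "primary", "subkey" or "unknown" for a key ID, using gpg colon output.
# $1: gpg --with-colons listing, $2: key ID (case-insensitive)
key_kind() {
    keyid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: -v id="$keyid" '
        ($1 == "pub" || $1 == "sub") && $5 == id {
            print ($1 == "pub" ? "primary" : "subkey"); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Return 0 only when the package was signed with a primary key, i.e. when
# RHEL7 rpm will be able to verify it after the public key is imported.
# $1: rpm -qpi output, $2: gpg --with-colons listing
rhel7_signature_ok() {
    kind=$(key_kind "$2" "$(signing_key_id "$1")")
    [ "$kind" = "primary" ]
}

# Typical use against real output on the build host:
#   rhel7_signature_ok "$(rpm -qpi pkg.rpm)" "$(gpg --list-keys --with-colons)" \
#       || echo "refusing: signed with a subkey or an unknown key"
```

Wire rhel7_signature_ok into the build pipeline right after rpm --addsign and fail the job when it returns non-zero; that turns the silent foot-shooting described above into an error on the signing host instead of a verification failure on the RHEL7 target.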

The solution

The problem is fixed in RHEL8, so if you are only now starting out supporting RHEL, it might be a good idea to skip RHEL7 and just target RHEL8.

The rant

Some people only test on their local system. This is bound to lead to problems unless you run the exact same operating system as the target you are building the package for. The above problem is only present on RHEL7 and RHEL7-based distros, and not on e.g. Fedora, so even if you're immersed in the Red Hat ecosystem (and use Fedora locally), you're not going to spot the issue without a RHEL7 test system.

© Bruno Henc. Built using Pelican. Theme by Giulio Fidente on github.