====== Resign a GPG key for rpm ======

===== the reason why =====
In RHEL9 the rpm system no longer accepts SHA1 signed gpg keys. This is because OpenSSL, which is used in compilation of gpg, no longer accepts SHA1, and has a minimum requirement of SHA512.

The packages in a repository are signed with the SHA1 signed key, now we resign the gpg key it self but the signage on the package is still valid. (hopefully)

importing the SHA1 gpg key to rpm will trow an error:\\

''%%sudo rpm --import EXAMPLEKEY-SHA1-public.gpg%%''
<code>
error: EXAMPLEKEY-SHA1-public.gpg: key 1 import failed.
</code>
===== get the original keys =====

<note important>N.B you will also need the passphrase for the secret key. </note>

On the system where the keys were originally made with ''%%gpg --gen-key%%''.

List the private keys on the system: ''%%gpg --list-secret-keys%%''
<code>
/root/.gnupg/pubring.gpg
------------------------
sec   2048R/C3FAC3BD 2019-02-09
uid                  EXAMPLEKEY
ssb   2048R/4AEACD3A 2019-02-09
</code>

Export the key with : \\ ''%%gpg --export-secret-keys C3FAC3BD >secret-key.gpg%%''

Or copy the entire directory ''~/.gnupg'' to the other system and adjust the owner and group of the files.

===== Import the private keys =====

On the new system you need to import the private key, transport the exported key to the system you want to use it on.

First install some software you need: \\
''dnf install -y pinentry''

Then import the key with: \\
''%%gpg --import secret-key.gpg%%''

When prompted enter the passphrase or "pin" for the secret key.
<code>
 ┌───────────────────────────────────────────────────────────────┐
 │ Please enter the passphrase to import the OpenPGP secret key: │
 │ "EXAMPLEKEY"                                                  │
 │ 2048-bit RSA key, ID 0447A2B8C3FAC3BD,                        │
 │ created 2016-02-09.                                           │
 │                                                               │
 │                                                               │
 │ Passphrase: _________________________________________________ │
 │                                                               │
 │         <OK>                                   <Cancel>       │
 └───────────────────────────────────────────────────────────────┘

</code>

<code>
gpg: key 0447A2B8C3FAC3BD: "EXAMPLEKEY" not changed
gpg: key 0447A2B8C3FAC3BD: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

</code>

===== Resign the secret key =====

Do this by: \\
''%%gpg --cipher-algo IDEA --cert-digest-algo sha256 --expert --edit-key secret-key.gpg%%''

<code>
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  rsa2048/5CA7D2244AEACD3A
     created: 2019-02-09  expires: never       usage: E
[ unknown] (1). EXAMPLEKEY
</code>
<code>
gpg> sign
"RWSBUILD" was already signed by key 0447A2B8C3FAC2BD
Do you want to sign it again anyway? (y/N) y

sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
 Primary key fingerprint: FF7E B743 48CB CA81 256B  28C7 0447 A2B8 C3FA C3BD

     EXAMPLEKEY

Are you sure that you want to sign this key with your
key "EXAMPLEKEY" (0447A2B8C3FAC3BD)

This will be a self-signature.

Really sign? (y/N) y
</code>
In the test popup, set the pin to the same it was before.

And save:
<code>
gpg> save
</code>

===== public key signage propagation workaround =====

At this point there is still a problem with the sub keys, they are somehow not updated. You can see this when uoy check the signatures:\\

''%%gpg --check-sigs%%''

<code>
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/abel/.gnupg/pubring.kbx
-----------------------------
pub   rsa2048 2019-02-09 [SC]
      FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
uid           [ unknown] EXAMPLEKEY
sig!3        0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
sub   rsa2048 2019-02-09 [E]
sig!         0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY

gpg: 3 good signatures
</code>
the last signature was set at 2019-02-09.

fix this by toggleing the expiration date: \\
''%%gpg --edit-key EXAMPLEKEY%%''

<code>
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: no ultimately trusted keys found
sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  rsa2048/5CA7D2244AEACD3A
     created: 2019-02-09  expires: never       usage: E
[ unknown] (1). EXAMPLEKEY

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3
Key expires at Sun 26 Jun 2022 02:56:28 PM CEST
Is this correct? (y/N) y

sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb* rsa2048/5CA7D2244AEACD3A
     created: 2019-02-09  expires: 2022-06-26  usage: E
[ unknown] (1). EXAMPLEKEY
</code>
And save:
<code>
gpg> save
</code>

Edit again, and remove the expiration:
<code>
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: no ultimately trusted keys found
sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb* rsa2048/5CA7D2244AEACD3A
     created: 2019-02-09  expires: 2022-06-26  usage: E
[ unknown] (1). EXAMPLEKEY

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

sec  rsa2048/0447A2B8C3FAC3BD
     created: 2019-02-09  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  rsa2048/5CA7D2244AEACD3A
     created: 2019-02-09  expires: never       usage: E
[ unknown] (1). EXAMPLEKEY
</code>
And save again:
<code>
gpg> save
</code>

Now to see if this did the trick, Check the signatures again: \\ ''%%gpg --check-sigs%%''

<code>
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/abel/.gnupg/pubring.kbx
-----------------------------
pub   rsa2048 2019-02-09 [SC]
      FF7EB74348CBCA81256B28C70447A2B8C3FAC3BD
uid           [ unknown] EXAMPLEKEY
sig!3        0447A2B8C3FAC3BD 2019-02-09  EXAMPLEKEY
sig!3        0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY
sub   rsa2048 2019-02-09 [E]
sig!         0447A2B8C3FAC3BD 2022-06-23  EXAMPLEKEY

gpg: 3 good signatures
</code>

===== Use the public key =====

Export the public gpg key for use in rpm: \\
''%%gpg --output EXAMPLEKEY-SHA512-public.pgp --armor --export EXAMPLEKEY%%''



Then import this gpg key to rpm on a clean system:\\
''%%sudo rpm --import EXAMPLEKEY-SHA512-public.pgp%%''

<note important>WORK IN PROGRESS</note>
===== check if an rpm is signed with the same key =====

download the public key from the repository: ''%%curl  https://<repourl>/gpg_key_content -o retreived-gpg-pub.key%%''

display some content op the key: ''gpg retreived-gpg-pub.key''

<code>
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2019-02-09 [SC]
      FF7EB12345CBCA81256B28C70447A2B8C3FAC3BD
uid           EXAMPLEKEY
sub   rsa2048 2019-02-09 [E]
</code>

list the signature from the rpm file: ''rpm -qip --nosignature example.rpm | grep Signature''
<code>
Signature   : RSA/SHA2, Wed 15 Jun 2022 02:19:41 PM CEST, Key ID 0447a2b8c3fac3bd
</code>

the last 16 characters of the long HEX number in the gpg output should match the characters in the signature of the rpm (albeit lower case)

==== alternative method ====

After importing the public key : ''%% gpg --list-keys%%''

<code>
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/C3FAC3BD 2019-02-09
uid                  EXAMPLEKEY
sub   2048R/4AEACD3A 2019-02-09
</code>

''%%rpm --checksig filename.rpm%%''
<code>
./filename.rpm:
    Header V4 RSA/SHA1 Signature, key ID c3fac3bd: OK
    Header SHA1 digest: OK (07ae83890795d12adc57c39d32bc7166ed4727a6)
    V4 RSA/SHA1 Signature, key ID c3fac3bd: OK
    MD5 digest: OK (378df6a644641074b949460c22bf941f)
</code>

As you can see the key ID should be the same as the number in the pub part of the gpg key, and are the same as the last 8 digits in the full key ID.

===== check an rpm signed with the old SHA1 key =====
Now you migt think, "hold on, the last comment says: //**RSA/SHA1 Signature**// and the installed gpg key is now SHA512."

But if we test before installing: \\
''%%rpm -K filename.rpm%%''

It says OK:
<code>
filename.rpm: digests OK
</code>


<note warning>Ah thats a shame: Error: **GPG check FAILED** </note>

===== Bronnen =====

https://wiki.cdot.senecacollege.ca/wiki/Signing_and_Creating_a_Repository_for_RPM_Packages

https://superuser.com/questions/1009623/gpg-tools-location-of-private-keys

https://www.redhat.com/sysadmin/rpm-gpg-verify-packages

https://github.com/rpm-software-management/rpm/issues/1977

https://unix.stackexchange.com/questions/537795/compare-key-id-of-rpm-package-with-key-fingerprint-of-rpm-gpg-key

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/content_management_guide/importing_custom_content