Header V3 RSA/SHA1 Signature, key ID d651ff2e: BAD

raiponce · September 11, 2022, 2:00pm

Hey, i have the following error when i try to install a package from rpmfusion :

Running transaction check
error: rpmdbNextIterator: skipping h#    1777 
Header V3 RSA/SHA1 Signature, key ID d651ff2e: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK

Thanks in advance

augenauf · September 13, 2022, 7:17am

https://rpmfusion.org/ReportingBugs

sergiomb · February 16, 2023, 12:08pm

these are rpmfusion packages , you may remove it with no check signature option

rpm -e amule --nosignature

sergiomb · February 18, 2023, 11:03pm

ok I found the solution

after read these two articles

so seems It’s the crypto-policy disallowing SHA-1 and just running sudo update-crypto-policies --set DEFAULT:SHA1 or sudo update-crypto-policies --set LEGACY fixes the problem.

now, how we query the rpm key
rpm -qa --qf "%{name}-%{version}-%{release}.%{arch} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n"

if we grep by key id or by SHA1 we will find the packages with weak sign

rpm -qa --qf "%{name}-%{version}-%{release}.%{arch} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n" | grep SHA1

More info:

If you see lines like these:

error: rpmdbNextIterator: skipping h# 2525

then some of your packages are affected. You can use the number you see at the end of each such error (in this case 2525) to figure out which package it is:

$ rpm -q --nosignature --querybynumber 2525
google-chrome-stable-109.0.5414.119-1.x86_64

djsteinb · September 25, 2023, 11:42pm

This update problem is still persisting with a strange error output that does not respond to the fixes above. The rpm -qa > /dev/null number shows as 3544, however, it is not readable using the
rpm -q --nosignature --querybynumber 3544.
So I am not able to determine the installed package that is causing the error.
Please help!

[root@HP ~]# rpm -qa /dev/null
error: rpmdbNextIterator: skipping h# 3544
Header V4 RSA/SHA256 Signature, key ID eb10b464: BAD
Header SHA256 digest: BAD (Expected f26082589e9cc0fb53757776b401e73522abcdda043985c0665312541f3a769a != 2719577d68032b65c42d7c32a068e4b059e02f8541ce5d1b52ad9b2bac2c082b)
Header SHA1 digest: BAD (Expected bc4c1c2acce452711916b278f592770b759f6f7b != af5120f5268e045941dd20e0faa8949fbcbeb4c0)

rpm -q --nosignature --querybynumber 3544
error: rpmdbNextIterator: skipping h# 3544
Header SHA256 digest: BAD (Expected f26082589e9cc0fb53757776b401e73522abcdda043985c0665312541f3a769a != 2719577d68032b65c42d7c32a068e4b059e02f8541ce5d1b52ad9b2bac2c082b)
Header SHA1 digest: BAD (Expected bc4c1c2acce452711916b278f592770b759f6f7b != af5120f5268e045941dd20e0faa8949fbcbeb4c0)
error: record 3544 could not be read

Topic		Replies	Views
Dnf upgrade gives BAD signature error Ask Fedora workstation	3	1187	February 12, 2023
Third-party RPMs with an invalid signing key might cause errors during package operations Common Issues f38 , rpm , security , dnf , f39	0	5660	March 28, 2023
Dnf update error, invalid OpenPGP signature Ask Fedora f38 , dnf	1	1443	April 17, 2023
Popular third-party RPMs fail to install/update/remove due to security policies verification Common Issues f38 , rpm , security , beta , dnf	1	10654	March 7, 2023
Dnf update FAILED several times Ask Fedora	21	6972	May 15, 2023

Header V3 RSA/SHA1 Signature, key ID d651ff2e: BAD

More info:

Related topics