pleroma.debian.social

[wouter@rhel rpm-gpg]$ sudo rpm --import RPM-GPG-KEY-BEID-RELEASE
[wouter@rhel rpm-gpg]$ sudo rpm --import RPM-GPG-KEY-BEID-RELEASE-2025
error: RPM-GPG-KEY-BEID-RELEASE-2025: key 1 import failed.
[wouter@rhel rpm-gpg]$ sudo rpm --import RPM-GPG-KEY-BEID-CONTINUOUS

The only differences are that -2025 is recent and ECDSA NIST P-384, the other two are over 10 years old and need to be rotated, and are RSA.

Does RPM not support ECDSA for code signatures? Or am I doing something wrong?

@wouter Is RPM built against rust-rpm-sequoia or does it use the built-in parser for OpenPGP?

@wouter `sq packet dump` on the failing file would also be helpful.

@neverpanic Good question! Absolutely zero clue. This is the standard RPM as shipped with RHEL9 (haven't tried on fedora or opensuse yet)

@wouter RHEL 9 still builds it using the built-in parser, which is very brittle and old. Does it work on RHEL 10?

@neverpanic yes, it does seem to work on RHEL10. Also on Fedora 41, but not on OpenSUSE 15.5 (I don't have VMs for the other RPM-based systems we support). So we'll probably have to drop support for RHEL9 and openSUSE 15.5 then, I guess (provided 15.6 works, will test soon).

Is there a workaround for this that you're aware of? Other than "generate RSA keys instead", which technically we could do but which I'd like to avoid if at all possible.

@neverpanic actually we're supposed to have already dropped 15.5 since... January. Heh.

@wouter AFAIK, SuSE has not yet built RPM against Sequoia, so I'd be surprised if it worked in 15.6.

None of the keys in Fedora's distribution-gpg-keys package seem to use ECDSA. That being said, I can't find anything that would indicate that RPM doesn't support ECDSA.

I do expect support for keys with hybrid PQC support to show up soon, so maybe go with RSA again now, and switch to a hybrid PQC key for the next rotation?

@neverpanic I found out in the meantime through a quickly whipped up docker container that 15.6 doesn't support it, but 16 does (at least as far as "rpm --import" not complaining with "rpm -qa|grep gpg" listing the key).

I'm fine with dropping RHEL9 and OpenSUSE <15 from our supported distributions 🤷
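Since `rpm --import` only says "key 1 import failed" and gives no hint about the key type, here is an added example (not code from this thread, nor from the BEID or RPM projects) that reads the primary public-key packet of an armored RPM-GPG-KEY file and reports its version, algorithm, curve and size, so you can tell an ECDSA P-384 key from an RSA one before handing it to an older RPM with the built-in OpenPGP parser. It follows the packet formats in RFC 4880 and RFC 6637 and handles both old-format headers (which GnuPG emits for exported keys) and new-format headers. The two sample keys at the bottom are constructed packets with filler key material, not real keys; GnuPG would reject them, but they have the same layout as real exports.

```python
import base64
import sys

# Public-key algorithm IDs (RFC 4880 section 9.1; 18/19 from RFC 6637; 22 EdDSA).
PK_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# DER-encoded curve OIDs as stored in ECC key packets (RFC 6637 section 11).
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "NIST P-256",
    bytes.fromhex("2b81040022"): "NIST P-384",
    bytes.fromhex("2b81040023"): "NIST P-521",
    bytes.fromhex("2b06010401da470f01"): "Ed25519",
}


def dearmor(text):
    """Return the binary payload of an ASCII-armored block (armor headers and CRC line skipped)."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:                      # armor headers end at the first blank line
        if line.strip() == "":
            break
    body = []
    for line in lines:
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def packet_header(data):
    """Parse one packet header; return (tag, body_start, body_len)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                          # new-format header (RFC 4880 section 4.2.2)
        tag, b1 = ctb & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header (RFC 4880 section 4.2.1)
    if ltype == 3:                          # indeterminate length: body runs to end of input
        return tag, 1, len(data) - 1
    n = 1 << ltype                          # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def read_mpi(body, off):
    """Read an MPI (2-octet bit count, then big-endian magnitude); return (bits, next offset)."""
    bits = int.from_bytes(body[off:off + 2], "big")
    return bits, off + 2 + (bits + 7) // 8


def describe_key(armored):
    """Describe the first (primary) public-key packet of an armored key file."""
    data = dearmor(armored)
    tag, start, length = packet_header(data)
    if tag != 6:
        raise ValueError("first packet has tag %d, expected public-key (6)" % tag)
    body = data[start:start + length]
    version, algo = body[0], body[5]        # v4 layout: version, 4-octet ctime, algorithm
    if version != 4:                        # v3/v5/v6 bodies are laid out differently
        raise ValueError("unsupported key version %d" % version)
    info = {"version": 4, "algorithm": PK_ALGOS.get(algo, "unknown(%d)" % algo)}
    off = 6
    if algo in (18, 19, 22):                # ECC: OID length, OID, then the point as an MPI
        oid_len = body[off]
        oid = body[off + 1:off + 1 + oid_len]
        info["curve"] = CURVES.get(oid, "OID " + oid.hex())
        info["bits"], _ = read_mpi(body, off + 1 + oid_len)
    elif algo in (1, 2, 3, 17):             # RSA: modulus n first; DSA: prime p first
        info["bits"], _ = read_mpi(body, off)
    return info


# --- constructed sample keys (filler material, not real keys) -----------------
def mpi(value):
    return ((len(value) - 1) * 8 + value[0].bit_length()).to_bytes(2, "big") + value


def pubkey_packet(algo, material, new_format):
    body = b"\x04" + b"\x00\x00\x00\x00" + bytes([algo]) + material
    if new_format:
        n = len(body)
        length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
        return bytes([0xC0 | 6]) + length + body
    return b"\x99" + len(body).to_bytes(2, "big") + body   # 0x99: old format, 2-octet length


def armor(data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n" % body


ECDSA_P384_KEY = armor(pubkey_packet(19, b"\x05" + bytes.fromhex("2b81040022") + mpi(b"\x04" + b"\x11" * 96), True))
RSA_2048_KEY = armor(pubkey_packet(1, mpi(b"\x80" + b"\x5a" * 255) + mpi(b"\x01\x00\x01"), False))

if __name__ == "__main__":
    keys = [open(p).read() for p in sys.argv[1:]] or [ECDSA_P384_KEY, RSA_2048_KEY]
    for k in keys:
        print(describe_key(k))
```

Run it as `python3 keyinfo.py /etc/pki/rpm-gpg/RPM-GPG-KEY-*` to list each file's primary key; only the first key in a file is described, and the armor CRC line is not verified (the samples carry a dummy `=AAAA` line). A `sq packet dump`, as suggested above, shows the same fields plus every subpacket, but this runs with nothing beyond the Python standard library.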