rpm: `does not verify: no digest`

[balupton]

Apparently Fedora 43 has moved to a new digest format, and anything with the old will fail with:

# sudo dnf install https://github.com/greymd/teip/releases/download/v2.3.2/teip-2.3.2.x86_64-unknown-linux-musl.rpm
Updating and loading repositories:
Repositories loaded.
 https://github.com/greymd/teip/releases/download/v2.3.2/teip-2.3.2.x86_64-unknown-linux-musl.rpm         100% |   4.3 MiB/s |   1.0 MiB |  00m00s
Package                                          Arch         Version                                          Repository                     Size
Installing:
 teip                                            x86_64       2.3.2-1707780956                                 @commandline                3.6 MiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 1 MiB. Need to download 0 B.
After this operation, 4 MiB extra will be used (install 4 MiB, remove 0 B).
Is this ok [y/N]: y
Running transaction
Transaction failed: Rpm transaction failed.
Warning: skipped OpenPGP checks for 1 package from repository: @commandline
  - package teip-2.3.2-1707780956.x86_64 does not verify: no digest

Note that --no-gpgchecks has no effect:

# sudo dnf --no-gpgchecks install https://github.com/greymd/teip/releases/download/v2.3.2/teip-2.3.2.x86_64-unknown-linux-musl.rpm
Updating and loading repositories:
Repositories loaded.
 https://github.com/greymd/teip/releases/download/v2.3.2/teip-2.3.2.x86_64-unknown-linux-musl.rpm         100% |   1.8 MiB/s |   1.0 MiB |  00m01s
Package                                          Arch         Version                                          Repository                     Size
Installing:
 teip                                            x86_64       2.3.2-1707780956                                 @commandline                3.6 MiB

Transaction Summary:
 Installing:         1 package

Total size of inbound packages is 1 MiB. Need to download 0 B.
After this operation, 4 MiB extra will be used (install 4 MiB, remove 0 B).
Is this ok [y/N]: y
Running transaction
Transaction failed: Rpm transaction failed.
Warning: skipped OpenPGP checks for 1 package from repository: @commandline
  - package teip-2.3.2-1707780956.x86_64 does not verify: no digest

Something like this patchset apparently does the trick:

• https://github.com/NVIDIA/nvidia-container-toolkit/pull/1411/changes
• https://discussion.fedoraproject.org/t/package-does-not-verify-no-digest/149280
• https://discussion.fedoraproject.org/t/package-does-not-verify-no-digest/149280/4 - apparently building with rpm >= 4.14 fixes it
  • https://github.com/purkkis/ublue-images/pull/1/changes
• https://fedoraproject.org/wiki/Changes/RPM-6.0#Upgrade/compatibility_impact
• New RPM v6 package format: Crypto modernization: Obsolete crypto (MD5 and SHA1) dropped https://rpm.org/releases/6.0.0#compatibility-notes

Doing a quick look at teip, seems maybe the rpm's are being built by:

• https://github.com/greymd/teip/blob/main/.github/dockerfiles/Dockerfile.x86_64
• which is FROM centos:7 which is EOL https://hub.docker.com/_/centos All tags of this image are EOL (June 30, 2024 / docker-library/official-images#17094, although the last meaningful update was November 16, 2020, long before the EOL date: docker-library/official-images#9102; see also https://www.centos.org/centos-linux-eol/ and docker-library/docs#2205). Please adjust your usage accordingly.

Seems moving from centos to almalinux would be the way to go:

• https://github.com/naveenrajm7/rpmbuild/blob/master/Dockerfile
• https://almalinux.org AlmaLinux OS is an open-source, community-driven Linux operating system that fills the gap left by the discontinuation of the CentOS Linux stable release. AlmaLinux OS is an Enterprise Linux distro, binary compatible with RHEL®, and guided and built by the community.