What I need
A way to get an asc file containing the signature from an rpm file.
Why I need it
I'm running into the issue described in this Reddit thread, where Chrome installed from https://www.google.com/linuxrepositories/ can't have its signature validated because the version of rpm in CentOS 7 doesn't support validating against subkeys. One of the commenters suggested https://bugzilla.redhat.com/show_bug.cgi?id=227632 might be a related issue.
My idea for a workaround was to use gpg to manually validate the signature in the rpm file. But I need a way to extract the signature from the rpm file.
What I tried
rpm -qp --qf '%|SIGTAG_GPG?{%{SIGTAG_GPG:pgpsig}}:{(none)}|}|\n' google-chrome-stable_current_x86_64.rpm
gets me the ID of the public key associated with the file, but I believe that's just metadata, not an actual signature and thus isn't a way to verify the file was actually signed by the key it reports (correct me if this is a false understanding).
Reproducing
FROM centos:7
RUN printf "[google-chrome]\nname=google-chrome\nbaseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\ngpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub\n" >> /etc/yum.repos.d/google-chrome.repo && \
yum -y install google-chrome-stable && \
yum clean all
#6 13.87 warning: /var/cache/yum/x86_64/7/base/packages/alsa-lib-1.1.8-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
#6 13.87 Public key for alsa-lib-1.1.8-1.el7.x86_64.rpm is not installed
#6 15.12 Public key for emacs-filesystem-24.3-23.el7_9.1.noarch.rpm is not installed
#6 26.25 warning: /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.198-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a3b88b8b: NOKEY
#6 26.25 Public key for google-chrome-stable-114.0.5735.198-1.x86_64.rpm is not installed
#6 29.55 ---------------------------------------------
#6 29.55 Total 8.1 MB/s | 132 MB 00:16
#6 29.55 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#6 29.56 Importing GPG key 0xF4A80EB5:
#6 29.56 Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>"
#6 29.56 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
#6 29.56 Package : centos-release-7-9.2009.0.el7.centos.x86_64 (@CentOS)
#6 29.56 From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#6 29.59 Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.40 Importing GPG key 0x7FAC5991:
#6 30.40 Userid : "Google, Inc. Linux Package Signing Key <[email protected]>"
#6 30.40 Fingerprint: 4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991
#6 30.40 From : https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.41 Importing GPG key 0xD38B4796:
#6 30.41 Userid : "Google Inc. (Linux Packages Signing Authority) <[email protected]>"
#6 30.41 Fingerprint: eb4c 1bfd 4f04 2f6d ddcc ec91 7721 f63b d38b 4796
#6 30.41 From : https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.41
#6 30.41
#6 30.41 Public key for google-chrome-stable-114.0.5735.198-1.x86_64.rpm is not installed
#6 30.41
#6 30.41
#6 30.41 Failing package is: google-chrome-stable-114.0.5735.198-1.x86_64
#6 30.41 GPG Keys are configured as: https://dl-ssl.google.com/linux/linux_signing_key.pub
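
One way to pull the raw signature out of the package, as an added example that is not part of the original post. It assumes the standard RPM v3/v4 file layout (96-byte lead, signature header, main header, payload), that signature tags 267/268 cover the main header starting at its magic bytes, and that tags 1002/1005 cover main header plus payload. The function names, output file names and the constructed sample are this example's own.

```python
import struct, sys
from pathlib import Path

HDR_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
# Signature-header tags holding a raw OpenPGP signature packet (type 7 = BIN).
# Value: (output name, True if the signature also covers the payload).
SIG_TAGS = {267: ("dsa", False), 268: ("rsa", False),
            1002: ("pgp", True), 1005: ("gpg", True)}

def read_header(buf, off):
    """Parse the header structure at off; return ({tag: bytes}, end offset)."""
    if buf[off:off + 8] != HDR_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    store = off + 16 + 16 * nindex           # data store follows the index
    if store + hsize > len(buf):
        raise ValueError("truncated header")
    tags = {}
    for i in range(nindex):
        tag, typ, o, n = struct.unpack_from(">IIII", buf, off + 16 + 16 * i)
        if typ == 7 and o + n <= hsize:      # BIN entry: n is the byte length
            tags[tag] = buf[store + o:store + o + n]
    return tags, store + hsize

def extract_signatures(rpm):
    """Return [(name, signature packet, signed bytes)] for each signature tag."""
    if rpm[:4] != b"\xed\xab\xee\xdb":
        raise ValueError("not an RPM file")
    sigtags, end = read_header(rpm, 96)      # the lead is 96 bytes
    main = end + (-end % 8)                  # signature header is padded to 8
    _, main_end = read_header(rpm, main)
    return [(name, sigtags[tag], rpm[main:] if payload else rpm[main:main_end])
            for tag, (name, payload) in sorted(SIG_TAGS.items()) if tag in sigtags]

def build_sample():
    """Constructed stand-in for an .rpm: fake signature bytes, dummy payload."""
    def hdr(entries):
        index, store = b"", b""
        for tag, d in entries:
            index += struct.pack(">IIII", tag, 7, len(store), len(d))
            store += d
        return HDR_MAGIC + struct.pack(">II", len(entries), len(store)) + index + store
    sig = hdr([(268, b"FAKE-RSA-SIG"), (1002, b"FAKE-PGP-SIG!")])
    lead = b"\xed\xab\xee\xdb" + bytes(92)
    return lead + sig + bytes(-len(sig) % 8) + hdr([(1000, b"name")]) + b"PAYLOAD"

if __name__ == "__main__":                   # usage: python3 script.py package.rpm
    for name, sig, data in extract_signatures(Path(sys.argv[1]).read_bytes()):
        Path(name + ".sig").write_bytes(sig)     # binary detached signature
        Path(name + ".data").write_bytes(data)   # the bytes that signature covers
```

Each pair can then be checked with `gpg --verify rsa.sig rsa.data` against a keyring holding the vendor key; the signature files are binary rather than ASCII-armored.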