I'm not signing my RPMs, but they have signatures anyway. "Header V4 RSA/SHA1 signature: BAD"

Question

I am building an RPM using sbt-native-packager on my Mac which can't be installed on RHEL 5 machines because it has a V4 signature. The result of rpm -v --checksig on my Mac:

Header V4 RSA/SHA1 signature: OK, key ID f769fd38
Header SHA1 digest: OK (2ee9b411052b2aeadcb0efa5401f246af8ca6e68)
MD5 digest: OK (b78e1256caba2959428b1e5544d562a6)

And the result of rpm -v --checksig on the RHEL 5 machine:

Header V4 RSA/SHA1 signature: BAD, key ID f769fd38
Header SHA1 digest: OK (2ee9b411052b2aeadcb0efa5401f246af8ca6e68)
MD5 digest: OK (b78e1256caba2959428b1e5544d562a6)

I saw this answer which implied that it had to do with GPG signatures, but that doesn't add up.

The sbt-native-packager RPM plugin doesn't do signing according to its developers, as can be evidenced by the rpmbuild command it emits:

rpmbuild -bb --target noarch-PayPal-Linux --buildroot /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot --define _topdir /Users/2rs2ts/src/my-app/my-app/target/rpm --define _tmppath /var/folders/gp/l9gt6r791p1bdcgtf2b2dppw392tbp/T/sbt_8f0f0597 myapp.spec

Plus, I don't have gpg installed on my Mac, so the fix in the linked answer doesn't really seem to apply to me. I realize that rpm usually comes with an installation of gpg so maybe it's using that to make the signatures, but I have no idea what key it's using or how to make it force a V3 signature or stop signing entirely. I'm not sure if that last statement was even sensible, as I have very limited experience working with rpm.

Nonetheless I did try to at least modify ~/.rpmmacros as that guide suggested but it was to no avail. I have no leads. Why do my RPMs have signatures if I didn't sign them, and how can I prevent those signatures from being V4?

Edit per request, here is the output from sbt (I believe the "error" lines are just an implementation quirk and not actual errors):

[debug] Executing rpmbuild with: rpmbuild -bb --target noarch-PayPal-Linux --buildroot /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot --define _topdir /Users/2rs2ts/src/my-app/my-app/target/rpm --define _tmppath /var/folders/gp/l9gt6r791p1bdcgtf2b2dppw392tbp/T/sbt_8f0f0597 myapp.spec
[info] Building target platforms: noarch-PayPal-Linux
[info] Executing(%install): /bin/sh -e /var/folders/gp/l9gt6r791p1bdcgtf2b2dppw392tbp/T/sbt_8f0f0597/rpm-tmp.67386
[error] + umask 022
[error] + cd /Users/2rs2ts/src/my-app/my-app/target/rpm/BUILD
[error] + /bin/rm -rf /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot
[error] + /bin/mkdir -p /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot
[error] + '[' -e /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot ']'
[error] + mv /Users/2rs2ts/src/my-app/my-app/target/rpm/tmp-buildroot/etc /Users/2rs2ts/src/my-app/my-app/target/rpm/tmp-buildroot/var /Users/2rs2ts/src/my-app/my-app/target/rpm/tmp-buildroot/x /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot
[error] + exit 0
[info] Processing files: myapp-VersionNotSet-ReleaseNotSet.noarch
[info] Provides: config(myapp) = 0:VersionNotSet-ReleaseNotSet
[info] Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh
[info] Requires(pre): /bin/sh
[info] Requires(post): /bin/sh
[info] Requires(preun): /bin/sh
[info] Requires(postun): /bin/sh
[info] Checking for unpackaged file(s): /usr/local/Cellar/rpm/5.4.15/lib/rpm/check-files /Users/2rs2ts/src/my-app/my-app/target/rpm/buildroot
[info] Wrote: /Users/2rs2ts/src/my-app/my-app/target/rpm/RPMS/noarch/myapp-VersionNotSet-ReleaseNotSet.noarch.rpm

Answer 1

I can hazard a guess: the issue is RSA being broken in several ways in RHEL5 rpm. The easiest fix is to try signing with DSA rather than RSA.

Does DSA "work" on both MAC and RHEL5?