Bug 1066494
| Summary: | rpm doesn't understand SHA224 signature, but is possible to add sha224 signature | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | rpm | Assignee: | Panu Matilainen <pmatilai> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Patrik Kis <pkis> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | emaldona, jkastner, ksrot, mvadkert, pknirsch, pmatilai, sgrubb, syeghiay |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rpm-4.11.1-15.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 608599 | Environment: | |
| Last Closed: | 2014-06-13 12:47:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 608599, 608611 | | |
| Bug Blocks: | 582655 | | |
Heh. It looks like a regression from the outset but is more twisted than that. In bug 608599 rpm permitted signing with a digest which it didn't support (because NSS did not support SHA-224) but now it is supported, only that support is buggy in the path that rpm -Kv signature verification hits:

http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=85b62554d2632d06f975f90697c4c11c3f180931

Dunno whether I should laugh or cry, but devel_ack+ anyway :)

Fixed in rpm-4.11.1-15.el7, FWIW (this isn't exactly a critical bug really)

Verified with: /CoreOS/rpm/Regression/bz608599-rpm-doesnt-accept-signatures-it-cannot-use

OLD: rpm-4.11.1-14.el7

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'gpg --batch --gen-key batch' (Expected 0, got 0)
:: [ PASS ] :: Running 'gpg --armor --export '<joe>' > joepub.ascii' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm --import joepub.ascii' (Expected 0, got 0)
:: [ PASS ] :: Running 'wget http://download.lab.bos.redhat.com/qa/rhts/lookaside/redhat-lsb-3.1-12.3.EL.i386.rpm' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm -v --checksig redhat-lsb-3.1-12.3.EL.i386.rpm &>checksig.log' (Expected 1, got 1)
:: [ PASS ] :: File 'checksig.log' should contain 'V3 DSA/SHA1 Signature'
:: [ PASS ] :: Running './rpm_addsign.exp redhat-lsb-3.1-12.3.EL.i386.rpm abc' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm -v --checksig redhat-lsb-3.1-12.3.EL.i386.rpm &>checksig.log' (Expected 1, got 1)
:: [ FAIL ] :: File 'checksig.log' should contain 'V4 DSA/SHA224 Signature'
:: [ FAIL ] :: File 'checksig.log' should not contain 'BAD PARAMETERS'
:: [ LOG ] :: Duration: 5s
:: [ LOG ] :: Assertions: 8 good, 2 bad
:: [ FAIL ] :: RESULT: Test
```

NEW: rpm-4.11.1-15.el7

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'gpg --batch --gen-key batch' (Expected 0, got 0)
:: [ PASS ] :: Running 'gpg --armor --export '<joe>' > joepub.ascii' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm --import joepub.ascii' (Expected 0, got 0)
:: [ PASS ] :: Running 'wget http://download.lab.bos.redhat.com/qa/rhts/lookaside/redhat-lsb-3.1-12.3.EL.i386.rpm' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm -v --checksig redhat-lsb-3.1-12.3.EL.i386.rpm &>checksig.log' (Expected 1, got 1)
:: [ PASS ] :: File 'checksig.log' should contain 'V3 DSA/SHA1 Signature'
:: [ PASS ] :: Running './rpm_addsign.exp redhat-lsb-3.1-12.3.EL.i386.rpm abc' (Expected 0, got 0)
:: [ PASS ] :: Running 'rpm -v --checksig redhat-lsb-3.1-12.3.EL.i386.rpm &>checksig.log' (Expected 1, got 1)
:: [ PASS ] :: File 'checksig.log' should contain 'V4 DSA/SHA224 Signature'
:: [ PASS ] :: File 'checksig.log' should not contain 'BAD PARAMETERS'
:: [ LOG ] :: Duration: 3s
:: [ LOG ] :: Assertions: 10 good, 0 bad
:: [ PASS ] :: RESULT: Test
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
The problem below appeared on RHEL-7.

```
# rpm -q rpm
rpm-4.11.1-13.el7.x86_64
# rpm -v --checksig redhat-lsb-4.1-24.el7.x86_64.rpm
redhat-lsb-4.1-24.el7.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID f21541eb: NOKEY
    Header SHA1 digest: OK (ec9d4d8d194174941bd6283ead69e7f8e4542a0a)
    V3 RSA/SHA256 Signature, key ID f21541eb: NOKEY
    MD5 digest: OK (d8d27470af628e544e0968d1c2a6a8d3)
# rpm --addsign redhat-lsb-4.1-24.el7.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
redhat-lsb-4.1-24.el7.x86_64.rpm:

You need a passphrase to unlock the secret key for
user: "Joe Tester (with stupid passphrase) <joe>"
1024-bit DSA key, ID 6720FCDD, created 2014-02-17

You need a passphrase to unlock the secret key for
user: "Joe Tester (with stupid passphrase) <joe>"
1024-bit DSA key, ID 6720FCDD, created 2014-02-17

# rpm -v --checksig redhat-lsb-4.1-24.el7.x86_64.rpm
redhat-lsb-4.1-24.el7.x86_64.rpm:
    Verify signature: BAD PARAMETERS (267 0x1240830 72 (nil) 0x1243a20)
    Header SHA1 digest: OK (ec9d4d8d194174941bd6283ead69e7f8e4542a0a)
    MD5 digest: OK (d8d27470af628e544e0968d1c2a6a8d3)
    Verify signature: BAD PARAMETERS (1005 0x1240830 72 (nil) 0x1243a20)
```

+++ This bug was initially created as a clone of Bug #608599 +++

Description of problem:
rpm doesn't understand sha224, but it is possible to sign with the sha224 algorithm.

Version-Release number of selected component (if applicable):
rpm-4.8.0-9.el6

How reproducible:
always

Steps to Reproduce:
1. Modify ".gnupg/gpg.conf" to have H11 (SHA224) as the first default value in the 'personal-digest-preferences' and 'default-preference-list' variables, or in "~/.rpmmacros" change %__gpg_sign_cmd to
   %{__gpg} --digest-algo sha224 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
2. Run "rpm -addsign some.rpm"
3. Run "rpm -v --checksig some.rpm"

Actual results:

```
rpm -v --checksig mod_gnutls-0.5.6-1.md5.x86_64.rpm
mod_gnutls-0.5.6-1.md5.x86_64.rpm:
    Header V3 RSA/Unknown hash algorithm Signature, key ID c842f47e: BAD
    Header SHA1 digest: OK (2a30e68848f8aa15028e160164ce309c26b6f735)
    V3 RSA/MD5 Signature, key ID 40e6c3a4: OK
    V3 RSA/Unknown hash algorithm Signature, key ID c842f47e: BAD
    MD5 digest: OK (7b86a7c836b21679133b77ff7cdce95b)
```

Expected results:

```
rpm -v --checksig mod_gnutls-0.5.6-1.md5.x86_64.rpm
mod_gnutls-0.5.6-1.md5.x86_64.rpm:
    Header V3 RSA/SHA224 Signature, key ID c842f47e: OK
    Header SHA1 digest: OK (2a30e68848f8aa15028e160164ce309c26b6f735)
    V3 RSA/MD5 Signature, key ID 40e6c3a4: OK
    V3 RSA/SHA224 Signature, key ID c842f47e: OK
    MD5 digest: OK (7b86a7c836b21679133b77ff7cdce95b)
```
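As an added example (not from the bug report or rpm's own code), a POSIX shell classifier for `rpm -v --checksig` output that separates the "digest not supported by rpm/NSS" condition seen in this bug ("Unknown hash algorithm" on rpm 4.8, "BAD PARAMETERS" on rpm-4.11.1-13) from ordinary NOKEY/BAD results, so a build or repository check fails on it. The sample outputs are constructed from the ones quoted above and the verdict words are this example's own naming.

```sh
#!/bin/sh
# Added example: classify `rpm -v --checksig` output; not part of the report or of rpm.

# Print the "V<n> PUBKEY/DIGEST" tag of every signature line (header and payload).
rpm_sig_algos() {
    printf '%s\n' "$1" | sed -n 's/^.*\(V[34] [A-Z]*\/[A-Za-z0-9 ]*\) Signature.*$/\1/p'
}

# Print one verdict word and return 0 only for "ok".
#   unsupported-digest : "Unknown hash algorithm" (rpm 4.8) or "BAD PARAMETERS" (rpm 4.11.1-13)
#   nokey              : signing key not imported into the rpm keyring
#   bad                : a signature is present but does not verify
#   ok                 : every signature line verified
#   none               : no signature lines at all (unsigned package)
rpm_checksig_status() {
    if printf '%s\n' "$1" | grep -q -E 'Unknown hash algorithm|BAD PARAMETERS'; then
        echo unsupported-digest; return 1
    elif printf '%s\n' "$1" | grep -q ': NOKEY'; then
        echo nokey; return 1
    elif printf '%s\n' "$1" | grep -q -i 'signature.*: BAD'; then
        echo bad; return 1
    elif printf '%s\n' "$1" | grep -q -i 'signature'; then
        echo ok; return 0
    fi
    echo none; return 1
}

# Constructed samples, taken from the outputs quoted in this report.
SAMPLE_GOOD='mod_gnutls-0.5.6-1.md5.x86_64.rpm:
    Header V3 RSA/SHA224 Signature, key ID c842f47e: OK
    V3 RSA/MD5 Signature, key ID 40e6c3a4: OK
    V3 RSA/SHA224 Signature, key ID c842f47e: OK'
SAMPLE_UNKNOWN='mod_gnutls-0.5.6-1.md5.x86_64.rpm:
    Header V3 RSA/Unknown hash algorithm Signature, key ID c842f47e: BAD
    V3 RSA/MD5 Signature, key ID 40e6c3a4: OK
    V3 RSA/Unknown hash algorithm Signature, key ID c842f47e: BAD'
SAMPLE_BADPARAMS='redhat-lsb-4.1-24.el7.x86_64.rpm:
    Verify signature: BAD PARAMETERS (267 0x1240830 72 (nil) 0x1243a20)
    Verify signature: BAD PARAMETERS (1005 0x1240830 72 (nil) 0x1243a20)'
SAMPLE_NOKEY='redhat-lsb-4.1-24.el7.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID f21541eb: NOKEY
    V3 RSA/SHA256 Signature, key ID f21541eb: NOKEY'

# Real use: pass a package path; with no argument the constructed samples are classified.
if [ $# -gt 0 ]; then
    rpm_checksig_status "$(rpm -v --checksig "$1" 2>&1)"
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_UNKNOWN" "$SAMPLE_BADPARAMS" "$SAMPLE_NOKEY"; do rpm_checksig_status "$s" || true; done
fi
```

The unsupported-digest check runs before the generic BAD check because the rpm 4.8 lines end in ": BAD" as well, and the verdict is also the exit status, so the script can gate a repository import directly.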