Bug 1714175

Summary: Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
Product: Red Hat Enterprise Linux 8 Reporter: Chen Shi <cheshi>
Component: unboundAssignee: aegorenk
Status: CLOSED ERRATA QA Contact: Petr Dancak <pdancak>
Severity: low Docs Contact:
Priority: low    
Version: 8.0CC: cheshi, pdancak, pemensik, psklenar, vkuznets
Target Milestone: rcKeywords: EasyFix, Patch, TestCaseNotNeeded, Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:50:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chen Shi 2019-05-27 10:05:08 UTC 
Description of problem:
The key file gets regenerated, something may be wrong with the packaging.

[root@iZ2zegshls719e570862inZ ~]# rpm -Vf /var/lib/unbound/root.key
S.5....T.  c /var/lib/unbound/root.key
[root@iZ2zegshls719e570862inZ ~]# rpm -qf /var/lib/unbound/root.key
unbound-libs-1.7.3-8.el8.x86_64
[root@iZ2zegshls719e570862inZ ~]# stat /var/lib/unbound/root.key
  File: /var/lib/unbound/root.key
  Size: 1251            Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 787827      Links: 1
Access: (0644/-rw-r--r--)  Uid: (  997/ unbound)   Gid: (  994/ unbound)
Context: system_u:object_r:named_cache_t:s0
Access: 2019-04-24 14:37:17.615630511 +0800
Modify: 2019-04-22 00:00:29.001332055 +0800
Change: 2019-04-22 00:00:29.003332127 +0800
 Birth: -
[root@iZ2zegshls719e570862inZ ~]# cat /var/lib/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1555862429 ;;Mon Apr 22 00:00:29 2019
;;last_success: 1555862429 ;;Mon Apr 22 00:00:29 2019
;;next_probe_time: 1555904656 ;;Mon Apr 22 11:44:16 2019
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       98799   IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=3 [ MISSING ] ;;count=0 ;;lastchange=1555689629 ;;Sat Apr 20 00:00:29 2019
.       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1555689629 ;;Sat Apr 20 00:00:29 2019

Version-Release number of selected component (if applicable):
unbound-libs-1.7.3-8.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create an RHEL8.0 VM
2. sudo rpm -Vf /var/lib/unbound/root.key

Actual result:
The key file gets regenerated (file /var/lib/unbound/root.key has been modified).

Expected result:
No key file regenerated and `rpm -V` can be passed.

Additional info:
1. This issue exists in the VM which is installed by iso+ks (as same as Alibaba Cloud). 
2. This issue doesn't exist in the VM which is created from guest image (as same as AWS).
Comment 1 Vitaly Kuznetsov 2019-05-27 12:54:29 UTC 
My $0.02:

the fact that /var/lib/unbound/root.key changes is OK, however, we may want to let RPM know it's OK by doing something like

%verify(not md5 size mtime) /var/lib/unbound/root.key

in the spec.
Comment 2 Petr Menšík 2020-03-18 14:02:23 UTC 
Sure, modification of root.key is maintained by unbound-achor.service and is very intentional.

But it should not show in rpm -V unbound-libs as something wrong, needs just md5 modification.
Comment 3 Petr Menšík 2020-06-01 08:19:18 UTC 
Giving up this bug to new maintainers.
Comment 12 errata-xmlrpc 2021-05-18 15:50:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1853