Bug 2183489

Summary: can't rpm erase, package with invalid hash lodged inside rpmdb
Product: [Fedora] Fedora
Reporter: Ganapathi Kamath <hgkamath>
Component: rpm
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: igor.raits, mdomonko, packaging-team-maint, pmatilai, vmukhame
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Last Closed: 2023-03-31 11:06:44 UTC
Type: Bug

Description Ganapathi Kamath 2023-03-31 10:58:14 UTC
upstream bug:  
can't rpm erase, package with invalid hash lodged inside rpmdb #2460  
https://github.com/rpm-software-management/rpm/issues/2460  


Description of problem:
rpm query commands on invocation show annoying/distracting hash/digest errors.

When using rpm, I think there are two not easily identifiable packages that are messed up.
The ```rpm -e``` erase option does not have a ```--nodigest``` argument, unlike the install/upgrade/verify options.
The logs below show that unnamed packages throw up hash/digest errors.
From the key signature ```a109b1ec``` I deduced the packages to be livna-release and libdvdcss.

I recently did an upgrade from fedora-37 to fedora-38.
For the most part, other than a few dependency hiccups with some packages like ffmpeg-libs, libplacebo, libchromapaint, which were resolved, the update went smoothly. Fedora-38 boots and works with no issues.  

So my question is, how can I fix this?
  Attempting to force install livna-release is also not possible
  I have tried moving out the gpgkeys manually from /etc/pki and /etc/yum.repos.d, no effect. 

Logs
```
[root@sirius livna]# rpm -qa > /dev/null # just to see the stderr
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]#  rpm -e livna-release
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]#  rpm -e libdvdcss
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]# rpm -e livna-release --nodeps --justdb
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK


[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed

[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm --force
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed

[root@sirius livna]# rpm -qa | grep -Ei "^rpm-4|rpm-l"
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
rpm-libs-4.18.1-1.fc38.x86_64
rpm-4.18.1-1.fc38.x86_64

[root@sirius livna]# uname -a
Linux sirius 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64 GNU/Linux

[root@sirius livna]# cat /etc/os-release | grep -E "^NAME=|^VERSION="
NAME="Fedora Linux"
VERSION="38 (Workstation Edition Prerelease)"

```

Version-Release number of selected component (if applicable):
rpm-4.18.1-1

How reproducible:
It's not exactly redo-able on an already installed/upgraded machine. Seems like a one-time thing if you get it into this state.

Steps to Reproduce:
See logs given above

Actual results:
See logs given above

Expected results:
no error message should be visible

Additional info:
none at the moment
verbose argument -vvv doesn't show anything interesting, other than it reading other GPG keys.

Comment 1 Panu Matilainen 2023-03-31 11:06:44 UTC
Update to latest rpm-sequoia and crypto-policies. More details in bug 2170878.

*** This bug has been marked as a duplicate of bug 2170878 ***

Comment 2 Ganapathi Kamath 2023-03-31 12:17:20 UTC
Thanks Panu


LOGS
```
[root@sirius livna]# rpm -qa >/dev/null
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -q --nosignature --querybynumber 17
livna-release-1-1.noarch
[root@sirius livna]# rpm -q --nosignature --querybynumber 19
libdvdcss-1.4.0-1.fc24.remi.x86_64
[root@sirius livna]# rpm -e --nosignature libdvdcss-1.4.0-1.fc24.remi.x86_64 
[root@sirius livna]# rpm -e --nosignature livna-release-1-1.noarch
[root@sirius livna]# 

[root@sirius livna]# rpm -qa >/dev/null
[root@sirius livna]# rpm -q crypto-policies rpm-sequoia
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
rpm-sequoia-1.3.0-1.fc38.x86_64
[root@sirius livna]# update-crypto-policies --show 
DEFAULT
```


MISC
Collecting some links here, found while reading:
- 20230217 Insecure installed RPMs (like Google Chrome) prevent system updates in F38, can't be removed
  https://bugzilla.redhat.com/show_bug.cgi?id=2170878

- 20230230 Kamil Páral Third-party RPMs with an invalid signing key might cause errors during package operations  
  https://discussion.fedoraproject.org/t/third-party-rpms-with-an-invalid-signing-key-might-cause-errors-during-package-operations/80077
- 20230227 Kamil Páral Talk: Popular third-party RPMs fail to install/update/remove due to security policies verification 
  https://discussion.fedoraproject.org/t/talk-popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70379/1
- 20230208 Kamil Páral Popular third-party RPMs fail to install/update/remove due to security policies verification
  https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
- 20230330 Rebuild to pull in cryptographic fixes for RPM 
  https://bugzilla.redhat.com/show_bug.cgi?id=2183038 
- 20230131 Kevin/Nirik error: rpmdbNextIterator: skipping in Fedora 38+
  https://www.scrye.com/wordpress/nirik/2023/01/31/error-rpmdbnextiterator-skipping-in-fedora-38/ 


I gather there are two options:
a) either add SHA1 to the crypto policy
b) rpm-erase the troublesome apps, and wait for the repositories to update to stronger GPG keys
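
The header-number lookup from comment 2, as an added example that is not part of the original thread: it parses the `rpmdbNextIterator: skipping h#` errors and resolves each skipped header to a package name with the `--nosignature --querybynumber` query shown above. The function names and the embedded sample are constructed for illustration; the sample follows the shape of the stderr in this report.

```shell
#!/bin/sh
# Added example: list rpmdb headers that rpm skips because the header
# signature no longer verifies, and name the package behind each one.

# Constructed sample, in the shape of the stderr shown in this report.
SAMPLE_STDERR='error: rpmdbNextIterator: skipping h#      17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK'

# Read rpm stderr on stdin; print "<header#> <algorithm> <key id>" for every
# skipped header whose signature line is reported BAD. A BAD line that does
# not follow a "skipping h#" line (e.g. from rpm -i on a file) is ignored.
parse_skipped() {
    awk '
        /rpmdbNextIterator: skipping h#/ {
            n = $0
            sub(/.*h#[ \t]*/, "", n)   # drop everything up to the number
            hnum = n + 0               # numeric value, trailing blanks gone
            have = 1
            next
        }
        have && /Signature, key ID [0-9a-fA-F]+: BAD/ {
            alg = $3                   # e.g. DSA/SHA1
            key = $0
            sub(/.*key ID /, "", key)
            sub(/:.*/, "", key)
            print hnum, alg, key
            have = 0
        }
    '
}

# Live use: resolve each skipped header to its package name. --nosignature is
# applied to the query only, so nothing is installed or erased here.
resolve_skipped() {
    rpm -qa 2>&1 >/dev/null | parse_skipped | while read -r hnum alg key; do
        name=$(rpm -q --nosignature --querybynumber "$hnum")
        printf 'h#%s %s alg=%s key=%s\n' "$hnum" "$name" "$alg" "$key"
    done
}

# Run against the real rpmdb only when asked: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then resolve_skipped; fi
```

The output gives the package names to pass to `rpm -e --nosignature`, as done in comment 2, and the algorithm column shows which signatures depend on SHA1.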