Bug 36057

Summary:	With rpm 4.0.2, only root can '--checksig' some RH errata rpms succesfully
Product:	[Retired] Red Hat Linux	Reporter:	Petri Piira <petri.piira>
Component:	rpm	Assignee:	Jeff Johnson <jbj>
Status:	CLOSED WORKSFORME	QA Contact:	David Lawrence <dkl>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.2
Target Milestone:	---
Target Release:	---
Hardware:	i386
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2001-04-16 15:48:31 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Petri Piira 2001-04-16 15:22:20 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-3 i686)


Several RH 6.2 errata rpm packages can not be succesfully signature checked
by an ordinary user, but root can do it. This behaviour started after
upgrading to rpm 4.0.2 from rpm 3.0.x. Several packeges show this symptom,
including xpdf, openssl, glibc, bind, ghostscript, imap-devel, netscape,
openldap, pine, python, db3 and rpm

See below for an example, with the latest pine package.

This same bug could affect also installing third party rpms?


Reproducible: Always
Steps to Reproduce:
1. Verify that you have rpm 4.0.2 installed
2.run rpm --checksig --nogpg as root, for one of the failing packages, e.g.
  for the pine-4.33-6.6x.i386.rpm
3. run the same command as normal user for the same package

	

Actual Results:  rpm claims that the md5 signature is bad, if it was run by
normal user. Even if
the md5sum is identical, and the signature is recognized to be good when
rpm is run by root

Expected Results:  It should be possible to verify signatures of RH errata
even if not logged in as root

$ rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: MD5 NOT OK
$ md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
# rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: md5 OK
# md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm

Comment 1 Petri Piira 2001-04-16 15:48:27 UTC

This problem could be caused by the owner and group of the files inside the rpm
(cpio) archive -
I checked one of the 'good' packages, it had uid / gid 0, but one of the failing
packages had a nonzero uid/gid for all files?

Comment 2 Jeff Johnson 2001-04-16 16:07:26 UTC

This works for me:
  bash$ rpm --checksig --nogpg pine-4.33-6.6x.i386.rpm  
  pine-4.33-6.6x.i386.rpm: md5 OK

First the internal uid/gid is not the problem.

Second, the md5sum checked by rpm is not at all the
same as that generated by md5sum(1). The rpm md5sum
applies to the header+payload, and the failure of the
rpm md5sum indicates that the packages are corrupt.

You can verify that the package(s) are corrupt independently
of rpm by comparing the md5sum in the errata notice
with the md5sum you are generating using md5sum(1).

Comment 3 Petri Piira 2001-04-17 19:01:37 UTC


So, why the package is "not corrupt", when checked by root user, but the same
physical
file is "corrupt" when checked by an ordinary user?

If the exact same file is reported to be corrupt and not corrupt by the same rpm
application,
I'd say there us a bug in rpm - the file either is corrupt, or is not, it can't
oscillate
between those states depending on who runs the rpm --checksig.