Bug 463482

Summary: rpm signing cannot be checked on openoffice.org upstream packages
Product: Fedora
Reporter: Aurelien Bompard <gauret>
Component: rpm
Assignee: Panu Matilainen <pmatilai>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 9
CC: ffesti, herrold, jnovy, pmatilai, pnasrat
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-07 09:29:01 UTC

Description Aurelien Bompard 2008-09-23 17:31:26 UTC
Description of problem:
I'm trying to sign the RPM packages from the OpenOffice.org project, as downloaded from their website (in the OOo_2.4.1_LinuxIntel_install_en-US.tar.gz archive).
But after trying to "rpmsign --resign" a package, the signature can't be checked:

Before:
$ rpm -K openoffice.org-base-2.4.1-9310.i586.rpm
openoffice.org-base-2.4.1-9310.i586.rpm: md5 OK

Signing:
$ rpmsign --resign openoffice.org-base-2.4.1-9310.i586.rpm
Enter pass phrase:
Pass phrase is good.
openoffice.org-base-2.4.1-9310.i586.rpm:
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened

After:
$ rpm -K openoffice.org-base-2.4.1-9310.i586.rpm
openoffice.org-base-2.4.1-9310.i586.rpm: (SHA1) DSA md5 gpg NOT OK
$ rpm -Kvvv openoffice.org-base-2.4.1-9310.i586.rpm
D: Expected size:      3292793 = lead(96)+sigs(276)+pad(4)+data(3292417)
D:   Actual size:      3292793
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
D:  read h#   11185 Header sanity check: OK
D: ========== DSA pubkey id 21a62396 1b4259b3 (h#11185)
openoffice.org-base-2.4.1-9310.i586.rpm:
    Header V4 DSA signature: NOKEY, key ID 1b4259b3
    MD5 digest: OK (7d91a042b4140b6b813fc25d65ed4e0e)
    V4 DSA signature: OK, key ID 1b4259b3
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Packages
D: May free Score board((nil))

It says NOKEY, but the key is in the DB:
$ rpm -qa | grep 1b4259b3
gpg-pubkey-1b4259b3-41ee395e

And signing works fine with other packages.

I suspect it's an upstream RPM problem, but since there is no upstream bugzilla for RPM yet...

Version-Release number of selected component (if applicable):
rpm-4.4.2.3-2.fc9.i386
OOo_2.4.1_LinuxIntel_install_en-US.tar.gz

How reproducible:
always

Comment 1 Panu Matilainen 2008-09-24 08:40:14 UTC
This is the basic problem:
$ rpm -qp --qf "%{RPMVERSION}\n" openoffice.org-core01-2.4.1-9310.i586.rpm
3.0.6

Rpm >= 4.x cannot be used to (re)sign rpm v3 packages. That it tries to do so and actually corrupts the package while at it is of course a bug, and an ages old one at that. This has been fixed in rpm.org HEAD and 4.4.x branch (post 4.4.2.3) already in the sense that they refuse to touch the package and exit with an error code, only an error message is missing.
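
The check in Comment 1 (reading the RPMVERSION header tag) can be turned into a guard so that a signing script refuses v3 packages instead of letting rpm 4.4.2.3 rewrite them in place and break the signature. The wrapper below is an added example, not code from the bug report or from the rpm project; it assumes rpm and rpmsign are on PATH, keeps a copy of the package before signing because "rpmsign --resign" modifies the file in place, and treats any "NOT OK" in the "rpm -K" output after signing as a failure that restores the original. The version-string helpers run without rpm installed; only safe_resign needs the real tools.

```shell
#!/bin/sh
# Added example (not from the bug report or from rpm): refuse to resign
# rpm v3 packages, back the file up before signing, verify afterwards.
# Assumed tools for safe_resign: rpm, rpmsign (not needed for the helpers).

# rpm_major VERSION -> prints the major component of an rpm version string
# as found in the RPMVERSION tag, e.g. "3.0.6" -> 3, "4.4.2.3" -> 4.
rpm_major() {
    printf '%s\n' "$1" | cut -d. -f1
}

# is_v3_package VERSION -> exit 0 when the package was built by rpm 3.x
# (which rpm >= 4 cannot resign), 1 when it was built by rpm 4.x or later,
# 2 when the argument is not a version string at all.
is_v3_package() {
    major=$(rpm_major "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -lt 4 ]
}

# package_rpmversion FILE -> prints the RPMVERSION header tag of FILE,
# the same query Comment 1 uses by hand.
package_rpmversion() {
    rpm -qp --qf '%{RPMVERSION}\n' "$1"
}

# safe_resign FILE: refuse v3 packages, keep a backup, sign, then verify
# with "rpm -K" and roll back if the result contains "NOT OK".
safe_resign() {
    pkg=$1
    ver=$(package_rpmversion "$pkg") || return 1
    if is_v3_package "$ver"; then
        echo "refusing to resign $pkg: built by rpm $ver (v3 package)" >&2
        return 1
    fi
    cp -p "$pkg" "$pkg.orig" || return 1
    if ! rpmsign --resign "$pkg"; then
        mv "$pkg.orig" "$pkg"
        return 1
    fi
    if rpm -K "$pkg" | grep -q 'NOT OK'; then
        echo "signature check failed after signing, restoring original" >&2
        mv "$pkg.orig" "$pkg"
        return 1
    fi
    rm -f "$pkg.orig"
}
```

Usage: `. ./safe_resign.sh; safe_resign openoffice.org-base-2.4.1-9310.i586.rpm` prints the refusal for the OpenOffice.org packages from this report (RPMVERSION 3.0.6) and leaves the file untouched; packages built by rpm 4.x are signed and then checked.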

Comment 2 Fedora Update System 2008-12-18 00:37:09 UTC
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update rpm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11390

Comment 3 Fedora Update System 2009-01-07 09:28:36 UTC
rpm-4.4.2.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.