Bug 494049
Summary: | Several F11-beta packages fail signature checking
---|---
Product: | [Fedora] Fedora
Component: | rpm
Status: | CLOSED RAWHIDE
Severity: | high
Priority: | low
Version: | rawhide
Hardware: | x86_64
OS: | Linux
Reporter: | Göran Uddeborg <goeran>
Assignee: | Panu Matilainen <pmatilai>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | djuran, eddie, ffesti, jeremyhu, jnovy, mitr, n3npq, paul, pmatilai, tmraz
Doc Type: | Bug Fix
: | 502791
Last Closed: | 2009-04-16 09:53:14 UTC
Bug Blocks: | 446452
Description
Göran Uddeborg
2009-04-03 20:57:48 UTC
Thanks for your report. Confirmed (with RPM-GPG-KEY-fedora-test-11-primary). libuser-python header signature verification fails, full signature verification succeeds. Verification of both libuser signatures succeeds.

sha256sums of packages:
dc8c98a400ca0bb685a8c13fb31ac960dd65a5c7e18f42c1a3f96792b30be3b5 libuser-python-0.56.9-3.x86_64.rpm
3d0561176e8e6eec03de6a0857def3e602788b1194db192e4f2e9c9641c64841 libuser-0.56.9-3.x86_64.rpm

I didn't try to debug the problem - I'll only note that all four signature packets seem to be correctly parsed by gpg. (Reproduced on rawhide rpm-4.7.0-0.beta1.9.fc11.x86_64.)

Yup.. and not limited to libuser-python, there's a bunch of packages failing the signature check, some on header, others on header+payload signatures. This goes back all the way to switching from beecrypt to NSS in F-9 (as a Fedora-specific patch at that time). Rpm 4.4.x with beecrypt the signatures verify as OK, after switching to NSS it starts failing. Looks like some funky corner case is being missed as the vast majority of the signatures with the same key are verifying ok. This is certainly F11 blocker material...

Hint: openpgp trims leading zeroes in its MPI representation. One has to pad out the leading zeroes again again again. Been there, done that, multiple times. Just a savvy guess.

error: libexif-0.6.16-3.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: obex-data-server-1:0.4.3-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: elfutils-libs-0.140-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: c2050-0.3b-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: gtkhtml2-2.11.1-5.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2

You can confirm the OpenPGP MPI padding issue mentioned in comment #6 if you attempt signature verification with debugging enabled. All the relevant MPI parameters will be printed when parsed from OpenPGP packets. The last argument to pgpPrtPkts() needs to be non-zero. Rebuild rpm with hardwired 1 if necessary. Otherwise there's hardly a reason to report Yet More Failures, all F11 packages will have to be vetted at this point with, say, rpm -Kvv *.rpm which is likely easier than creating bugzilla entries ;-) Just trying to save your time & effort, feel free to report failures if you wish.

If the rawhide development wishes that people continue their testing and giving feedback to the developers, I think this should be fixed a.s.a.p. So, if I am not supposed to be creating bugzilla entries for this, I think it will only last longer before this issue is solved. Hence my reports here.

In this case listing further failing packages doesn't add any useful information. This has already been marked F11 blocker and will be looked into when back to work from Easter holidays.

Fixed in rawhide by rpm 4.7.0 final and freeze override requested for F11: https://fedorahosted.org/rel-eng/ticket/1480

This issue also needs to be fixed in earlier rpm releases. For instance, running reposync of F-11 updates on an F-10 box (or CentOS 5 with Seth's python-hashlib installed) reports a header signature failure in eclipse-nls-da-3.4.0.v20090423085802-1.fc11.noarch.rpm (see https://fedorahosted.org/rel-eng/ticket/1881)

For F10 fix, see https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214

Panu, is this already being addressed for EL-5, or should I clone the ticket for EL-5? Thanks for the F-10 fix, WORKSFORME.

Feel free to clone for EL-5, it qualifies as a regression (caused by beecrypt -> NSS switch)
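
The MPI padding issue raised in the thread, as an added example (not rpm's code and not part of the original bug report): OpenPGP stores an RSA signature as an MPI with its leading zeros stripped, so a verifier that expects a buffer exactly as long as the modulus has to restore them. The function names and the 8-byte toy modulus length are assumptions, and the sample MPI is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode the length of one OpenPGP MPI (RFC 4880 section 3.2): a 2-byte
 * big-endian bit count followed by the value, leading zero bits stripped.
 * Returns the number of value bytes, or 0 if the MPI is empty or truncated. */
static size_t mpi_value_len(const uint8_t *mpi, size_t avail)
{
    if (avail < 2)
        return 0;
    size_t bits = ((size_t)mpi[0] << 8) | mpi[1];
    size_t len = (bits + 7) / 8;
    return (len == 0 || len > avail - 2) ? 0 : len;
}

/* Copy the MPI value into a buffer of exactly modlen bytes (the RSA modulus
 * size), restoring the leading zero bytes that the MPI encoding trimmed.
 * Returns 0 on success, -1 if the MPI is malformed or exceeds the modulus. */
int mpi_to_fixed(const uint8_t *mpi, size_t avail, uint8_t *out, size_t modlen)
{
    size_t len = mpi_value_len(mpi, avail);
    if (len == 0 || len > modlen)
        return -1;
    memset(out, 0, modlen - len);               /* left-pad with zeros */
    memcpy(out + (modlen - len), mpi + 2, len); /* right-align the value */
    return 0;
}

int main(void)
{
    /* Constructed sample: a 54-bit value, so only 7 bytes are on the wire. */
    const uint8_t mpi[] = {0x00, 0x36, 0x3A, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
    uint8_t sig[8]; /* toy modulus length (assumption) */

    if (mpi_to_fixed(mpi, sizeof mpi, sig, sizeof sig) != 0)
        return 1;
    for (size_t i = 0; i < sizeof sig; i++)
        printf("%02x", sig[i]);
    putchar('\n');
    return 0;
}
```

A signature value whose top byte is zero is the uncommon case, which fits the observation in the thread that most signatures made with the same key verify fine.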