Bug 563891

Problem Description
-------------------

> 1. Time and date of problem:

Key verification fails at the installation of a package from the VMWare repository.

> 2. System architecture(s):

i686

> 3. Provide a clear and concise problem description as it is understood at the
> time of escalation.

PGP key from the VMWare repository is not verified correctly by RPM when installing a package.

$ rpm --import http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
$ rpm -Kv http://packages.vmware.com/tools/esx/3.5u4/rhel4/i686/vmware-tools-7.4.7-158874.171375.el4.i686.rpm

> Observed behavior:

V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
Header SHA1 digest: OK (4a53b01f1ca7eed4cb984b0407a45605a3a4f2b3)
V3 RSA/MD5 signature: NOKEY, key ID 66fd4949
MD5 digest: OK (9a303bd51496632db5969e31f79ece9f)

> Desired behavior:

Header V3 RSA/SHA1 signature: OK, key ID 66fd4949
Header SHA1 digest: OK (4a53b01f1ca7eed4cb984b0407a45605a3a4f2b3)
V3 RSA/SHA1 signature: OK, key ID 66fd4949
MD5 digest: OK (9a303bd51496632db5969e31f79ece9f)

> 4. Specific action requested of SEG:

Help in the investigation of this issue.
Determining whether this should be fixed in RHEL4.

> 5. Is a defect (bug) in the product suspected?

Yes. It seems not to be BZ#493777, the fingerprint on RHEL4 is correct as seen in 'Relevant data found'

> 6. Does a proposed patch exist? yes/no

Maybe related in FC12's `rpm -q --changelog rpm`:
* Thu May 14 2009 Panu Matilainen <pmatilai> - 4.7.0-4
[...]
- fix pgp pubkey signature tag parsing

> 7. What is the impact to the customer when they experience this problem?

"This customer has a large number of RHEL4 systems (~1300) running on VMware ESX 3.5,
which are managed by multiple Satellites.
We are trying to clean up the environments to avoid bad practices like
"up2date --nosig" in %post scripts.
Disabling package signatures is not an option in the environment we're working in."

Supporting Information
----------------------
> 1. Other actions already taken in working the problem (tech-list posting, google
> searches, fulltext search, consultation with another engineer, etc.):

Played the scenario under RHEL5 and FC12, the problem does not occur (GPG keys are validated).

> Relevant data found (if any):

$ rpm -qa | grep gpg-pubkey-66fd4949
gpg-pubkey-66fd4949-4803fe57

$ rpm -qi gpg-pubkey-66fd4949-4803fe57
Name : gpg-pubkey Relocations: (not relocatable)
Version : 66fd4949 Vendor: (none)
Release : 4803fe57 Build Date: Wed 03 Feb 2010 03:35:02 AM EST
Install Date: Wed 03 Feb 2010 03:35:02 AM EST Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(VMware, Inc. -- Linux Packaging Key -- <linux-packages>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.3.3 (beecrypt-3.0.0)

mI0ESAP+VwEEAMZylR8dOijUPNn3He3GdgM/kOXEhn3uQl+sRMNJUDm1qebi2D5bQa7GNBIl
Xm3DEMAS+ZlkiFQ4WnhUq5awEXU7MGcWCEGfums5FckV2tysSfn7HeWd9mkEnsY2CUZF54ly
KfY0f+vdFd6QdYo6b+YxGnLyiunEYHXSEo1TNj1vABEBAAG0QlZNd2FyZSwgSW5jLiAtLSBM
aW51eCBQYWNrYWdpbmcgS2V5IC0tIDxsaW51eC1wYWNrYWdlc0B2bXdhcmUuY29tPoi8BBMB
AgAmBQJIA/5XAhsDBQkRcu4ZBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQwLXgq2b9SUkw
0AP/UlmWQIjMNcYfTKCOOyFxCsl3bY5OZ6HZs4qCRvzESVTyKs0YN1gX5YDDRmE5EbaqSO7O
LriA7p81CYhstYIDGjVTBqH/zJz/DGKQUv0A7qGvnX4MDt/cvvgEXjGpeRx42le/mkPsHdwb
G/8jKveYS/eu0g9IenS49i0hcOnjShGIRgQQEQIABgUCSAQWfAAKCRD1ZoIQEyn810LTAJ9k
IOziCqa/awfBvlLq4eRgN/NnkwCeJLOuL6eAueYjaODTcFEGKUXlgM4=
=bXtp
-----END PGP PUBLIC KEY BLOCK-----



> 2. Attach sosreport.

See attachment.

> 3. Attach other supporting data (if any).

None needed.

> 4. Provide issue reproduction information, including location and access of
> reproducer machine, if available.
> Location and access information for reproducer machine:
> Steps to reproduce the problem:

1. Install a RHEL4.4 machine
2. Execute as root:
rpm --import http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
rpm -Kv http://packages.vmware.com/tools/esx/3.5u4/rhel4/i686/vmware-tools-7.4.7-158874.171375.el4.i686.rpm