Bug 134146 - signing v3.0.3 rpm packages with rpm-4.2.1 corrupts them
Summary: signing v3.0.3 rpm packages with rpm-4.2.1 corrupts them
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-09-29 20:18 UTC by Joshua Jensen
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-29 23:15:04 UTC
Target Upstream Version:
Embargoed:



Description Joshua Jensen 2004-09-29 20:18:39 UTC
Description of problem:

It seems like whenever I use rpm-4.2.1 to sign an rpm package made
with version 3.0.3, it corrupts the package:

$ rpm -qp RealPlayer-10.0.0.297-20040730.i386.rpm --qf '%{RPMVERSION}\n'
3.0.3

$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm
D: Expected size:      7793221 =lead(96)+sigs(68)+pad(4)+data(7793053)
D:   Actual size:      7793221
RealPlayer-10.0.0.297-20040730.i386.rpm:
MD5 sum OK: b2f6d227c9300e8c825c5604a898a1bf

$ rpm --define '_signature gpg' \
      --define '_gpg_name myname' \
      --define "_gpg_path /home/xyz/.gnupg" \
      --addsign RealPlayer-10.0.0.297-20040730.i386.rpm

$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm

error: RealPlayer-10.0.0.297-20040730.i386.rpm: rpmReadSignature
failed: region trailer: BAD, tag 61 type 7 offset 48 count 16


Version-Release number of selected component (if applicable):

Seems to be any version of rpm-4


Actual results:

Package is unusable after signing

Expected results:

rpm-4 should say "Hey, this is a package file in a 3.x rpm format, so
I won't sign it"
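The pre-signing check described above, written here as an added example rather than rpm's own code: it reads the 96-byte lead and the signature header and refuses a package whose signature header has no region marker (a 16-byte BIN entry with a tag in the 61..64 range, which rpm 4 writes but an rpm 3.x signature header of only SIZE and MD5 entries lacks, consistent with the sigs(68) figure in the -Kvvv output) or whose RPMVERSION tag shows it was not built by rpm 4. The sample packages are constructed in the block (lead, signature header and main header only, no payload) and are not real files.

```python
import struct

LEAD_MAGIC, HDR_MAGIC = b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"   # 96-byte lead; header v1
REGION_TAGS = range(61, 65)        # header region marker tags; rpm 4 puts one in the signature header
RPMTAG_SIZE, RPMTAG_MD5, RPMTAG_RPMVERSION = 1000, 1004, 1064
RPM_INT32, RPM_STRING, RPM_BIN = 4, 6, 7

def parse_header(buf, off):
    """Parse one header section at off; returns (index entries, data blob, end offset)."""
    if buf[off:off + 4] != HDR_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    entries = [struct.unpack(">iIII", buf[off + 16 + 16 * i:off + 32 + 16 * i]) for i in range(nindex)]
    data = off + 16 + 16 * nindex
    return entries, buf[data:data + hsize], data + hsize

def inspect_package(buf):
    """Report whether the signature header carries a region marker, plus the builder's RPMVERSION."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm package (bad lead magic)")
    sig_entries, _, end = parse_header(buf, 96)
    end += (8 - end % 8) % 8                         # signature header is padded to 8 bytes
    hdr_entries, hdr_data, _ = parse_header(buf, end)
    has_region = any(t in REGION_TAGS and ty == RPM_BIN and c == 16 for t, ty, _, c in sig_entries)
    version = next((hdr_data[o:hdr_data.index(b"\0", o)].decode() for t, ty, o, _ in hdr_entries
                    if t == RPMTAG_RPMVERSION and ty == RPM_STRING), None)
    return {"has_region": has_region, "rpmversion": version}

def safe_to_resign(buf):
    """The check the reporter asks for: refuse legacy (pre-region, rpm 3.x built) packages."""
    info = inspect_package(buf)
    return info["has_region"] and (info["rpmversion"] or "").startswith("4.")

def build_header(entries):
    """Constructed helper: serialise (tag, type, blob, count) entries into one header section."""
    index, data = b"", b""
    for tag, typ, blob, count in entries:
        index += struct.pack(">iIII", tag, typ, len(data), count)
        data += blob
    return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def make_sample(rpmversion, with_region):
    """Constructed minimal package (lead + signature header + main header, no payload)."""
    lead = LEAD_MAGIC + b"\x03\x00" + struct.pack(">HH", 0, 1) + b"sample".ljust(66, b"\0")
    lead += struct.pack(">HH", 1, 5) + b"\0" * 16
    sig = [(RPMTAG_SIZE, RPM_INT32, struct.pack(">I", 7793053), 1), (RPMTAG_MD5, RPM_BIN, b"\0" * 16, 16)]
    if with_region:
        sig.insert(0, (62, RPM_BIN, b"\0" * 16, 16))  # region marker as rpm 4 emits it
    sighdr = build_header(sig)
    sighdr += b"\0" * ((8 - len(sighdr) % 8) % 8)
    return lead + sighdr + build_header([(RPMTAG_RPMVERSION, RPM_STRING, rpmversion.encode() + b"\0", 1)])
```

The legacy sample reproduces the layout from the report exactly: lead(96)+sigs(68)+pad(4) before the main header begins.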

Comment 1 Jeff Johnson 2004-09-29 21:16:17 UTC
Yup. Resigning packages produced by rpm-4.0.x does not
work. Resign with the same version of rpm that built
the package if you have to resign.

FWIW, the only issue is the 61 tag marker that identifies
a signature header immutable region, that could be easily
fixed.

The core issue for rpm is using header-only, rather than header+payload,
signatures. It will probably take another year or so to complete that
transition.

Comment 2 Joshua Jensen 2004-09-29 21:19:27 UTC
Surely it would be very easy to have rpm 4 simply recognize that the
package file isn't of version 4, and refuse to sign it.  Header-only
signatures will be nice in a year, but rpm could very simply perform
the check now, and it would solve this problem.

Comment 3 Joshua Jensen 2004-09-29 21:21:13 UTC
How many lines of code would that version check be?  4 or 5?

Comment 4 Joshua Jensen 2004-09-29 21:38:54 UTC
Maybe I wasn't clear... the bug isn't that "that doesn't work"... the
bug is that we know it doesn't work, and rpm4 tries to do it anyway...
AND ruins the package file in the process.  The resulting rpm is unusable.

Comment 5 Jeff Johnson 2004-09-29 23:15:04 UTC
And I know it doesn't work as well. Resign with rpm-3.0.3
if you need to resign.

Comment 6 Jason Smith 2005-02-02 16:22:23 UTC
I find this very disturbing that an "Enterprise" quality OS will
silently corrupt a package, rendering it useless, and RedHat's only
response is to say "don't do that" and "we are not going fix it."  How
about putting some error detection code into rpm and bailing out of
the signing operation instead of destroying the package file?  How can
you possibly justify your WONTFIX resolution?

We have a RHN satellite server here, where we can create child
channels and push packages to them.  Right now, because of this bug, I
cannot take rpm packages that I download from third parties, which
happen to have been created with rpm v3, sign them and push them to
our satellite server.  To make matters worse, the attempted resigning
will silently corrupt the rpm package itself.

At the very least, rpm should warn of the incompatible rpm package
format and exit without corrupting the file.  A simple way of
converting rpm packages from v3 to v4 would be a very useful utility
also.  Without this conversion utility I have to do it manually with
rpm2cpio or alien.

I believe this is a reasonable expectation from an "Enterprise"
quality OS!  Why the stubborn insistence on not fixing this bug?

Comment 7 Joshua Jensen 2005-02-02 17:07:03 UTC
Exactly!  RPM v4 knowingly corrupts old packages, even though it is
trivial to detect the fact that they are made under version 3 and
simply refuse to sign them.  I understand maintaining rpm isn't easy,
but this bug is SOOO easy to fix.

Comment 8 David Johnson 2006-08-17 19:42:51 UTC
I am in full agreement with comment #6.  Not being able to take a package
from openoffice.org or EMC, sign it and push it out to a Satellite or Proxy
server breaks the whole model.

