Description of problem:
It seems like whenever I use rpm-4.2.1 to sign an rpm package made with version 3.0.3, it corrupts the package:

$ rpm -qp RealPlayer-10.0.0.297-20040730.i386.rpm --qf '%{RPMVERSION}\n'
3.0.3
$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm
D: Expected size: 7793221 =lead(96)+sigs(68)+pad(4)+data(7793053)
D: Actual size: 7793221
RealPlayer-10.0.0.297-20040730.i386.rpm: MD5 sum OK: b2f6d227c9300e8c825c5604a898a1bf
$ rpm --define '_signature gpg' \
  --define '_gpg_name myname' \
  --define "_gpg_path /home/xyz/.gnupg" \
  --addsign RealPlayer-10.0.0.297-20040730.i386.rpm
$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm
error: RealPlayer-10.0.0.297-20040730.i386.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 48 count 16

Version-Release number of selected component (if applicable):
Seems to be any version of rpm-4

Actual results:
Package is unusable after signing

Expected results:
rpm-4 should say "Hey, this is a package file in a 3.x rpm format, so I won't sign it"
Yup. Resigning packages produced by rpm-4.0.x does not work. Resign with the same version of rpm that built the package if you have to resign. FWIW, the only issue is the 61 tag marker that identifies a signature header immutable region, that could be easily fixed. The core issue for rpm is using header-only, rather than header+payload, signatures. It will probably take another year or so to complete that transition.
Surely it would be very easy to have rpm 4 simply recognize that the package file isn't of version 4, and refuse to sign it. Header-only signatures will be nice in a year, but rpm could very simply perform the check now, and it would solve this problem.
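The pre-flight check asked for in the report at the top of the thread and in the comment above, as an added example that is not rpm's own code (rpm-4 at the time performed no such check, which is the bug). It walks the real RPM v3 on-disk layout: the 96-byte lead, the signature header, the padding to an 8-byte boundary that `rpm -Kvvv` reports as `pad(N)`, and the main header, where the RPMVERSION tag (1064) records the rpm that built the package; it also re-checks the size and MD5 recorded in the signature header (tags 1000 and 1004) so that a package which is already damaged is refused rather than re-signed. The sample package is constructed in memory, and the threshold `MIN_SIGNABLE = (4, 1)` is an assumption taken from the comment above stating that rpm-3.x and rpm-4.0.x packages cannot be resigned; a real `--addsign` wrapper would run this against the file before letting rpm touch it.

```python
"""Pre-flight check before (re)signing an RPM: parse lead, signature header and
main header, and refuse to sign packages built by an rpm too old for rpm-4.
Added example, not part of rpm; the sample package below is constructed."""
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
RPM_INT32, RPM_STRING, RPM_BIN = 4, 6, 7
SIGTAG_SIZE, SIGTAG_MD5 = 1000, 1004          # signature header: header+payload size, MD5
RPMTAG_NAME, RPMTAG_RPMVERSION = 1000, 1064    # main header: name, rpm that built it
MIN_SIGNABLE = (4, 1)   # assumption from comment #2: 3.x and 4.0.x packages cannot be resigned


def build_header(entries):
    """Serialise (tag, type, value) triples into an RPM header blob (intro + index + data)."""
    index, data = b"", bytearray()
    for tag, typ, value in entries:
        if typ == RPM_INT32:
            data += b"\0" * (-len(data) % 4)               # int32 data is 4-byte aligned
            offset, count, raw = len(data), 1, struct.pack(">i", value)
        elif typ == RPM_STRING:
            offset, count, raw = len(data), 1, value.encode() + b"\0"
        elif typ == RPM_BIN:
            offset, count, raw = len(data), len(value), value
        else:
            raise ValueError("unsupported tag type %d" % typ)
        index += struct.pack(">iiii", tag, typ, offset, count)
        data += raw
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + bytes(data)


def parse_header(buf, pos):
    """Parse one header at buf[pos:]; return ({tag: (type, count, raw)}, end_offset, data_size)."""
    if buf[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", buf[pos + 8:pos + 16])
    index_start = pos + 16
    data_start = index_start + 16 * nindex
    data_end = data_start + hsize
    if data_end > len(buf):
        raise ValueError("header data runs past end of file")
    tags = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iiii", buf[index_start + 16 * i:index_start + 16 * i + 16])
        if off < 0 or off > hsize:
            raise ValueError("tag %d offset %d outside header data" % (tag, off))
        if typ == RPM_INT32:
            raw = buf[data_start + off:data_start + off + 4 * count]
        elif typ == RPM_STRING:
            raw = buf[data_start + off:buf.index(b"\0", data_start + off, data_end)]
        elif typ == RPM_BIN:
            raw = buf[data_start + off:data_start + off + count]
        else:
            raw = b""   # other types are not needed for this check
        tags[tag] = (typ, count, raw)
    return tags, data_end, hsize


def inspect_package(blob):
    """Same accounting rpm -Kvvv prints: lead(96)+sigs(S)+pad(P)+data(D), plus size and MD5 checks."""
    if len(blob) < LEAD_SIZE or blob[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm package (bad lead magic)")
    sig, sig_end, hsize = parse_header(blob, LEAD_SIZE)
    pad = (8 - hsize % 8) % 8                  # main header starts on an 8-byte boundary
    data_start = sig_end + pad
    hdr, _, _ = parse_header(blob, data_start)
    info = {"lead_version": (blob[4], blob[5]), "sigs": sig_end - LEAD_SIZE, "pad": pad,
            "data": len(blob) - data_start,
            "rpmversion": hdr[RPMTAG_RPMVERSION][2].decode() if RPMTAG_RPMVERSION in hdr else None}
    if SIGTAG_SIZE in sig:
        info["declared_size"] = struct.unpack(">i", sig[SIGTAG_SIZE][2])[0]
    if SIGTAG_MD5 in sig:
        info["md5_ok"] = hashlib.md5(blob[data_start:]).digest() == sig[SIGTAG_MD5][2]
    return info


def signing_preflight(blob):
    """Return (ok, reason); ok=False means the signing tool must leave the file alone."""
    try:
        info = inspect_package(blob)
    except ValueError as e:
        return False, "malformed package: %s" % e
    if "declared_size" in info and info["declared_size"] != info["data"]:
        return False, "size mismatch: signature header says %d, file has %d" % (info["declared_size"], info["data"])
    if info.get("md5_ok") is False:
        return False, "MD5 of header+payload does not match the signature header"
    ver = info["rpmversion"]
    if ver is None:
        return False, "no RPMVERSION tag; cannot tell which rpm built this package"
    try:
        major_minor = tuple(int(p) for p in ver.split(".")[:2])
    except ValueError:
        return False, "unparseable RPMVERSION %r" % ver
    if major_minor < MIN_SIGNABLE:
        return False, "built by rpm-%s; refusing to resign, use rpm-%s instead" % (ver, ver)
    return True, "built by rpm-%s" % ver


def build_sample_rpm(rpmversion, name="sample"):
    """Constructed minimal package: lead, signature header (size + MD5), main header, fake payload."""
    lead = struct.pack(">4sBBhh66shh16s", LEAD_MAGIC, 3, 0, 0, 1, name.encode(), 1, 5, b"\0" * 16)
    header = build_header([(RPMTAG_NAME, RPM_STRING, name), (RPMTAG_RPMVERSION, RPM_STRING, rpmversion)])
    data = header + b"\x1f\x8b" + b"\0" * 30     # stand-in for the gzip'd cpio payload (constructed)
    sig = build_header([(SIGTAG_SIZE, RPM_INT32, len(data)), (SIGTAG_MD5, RPM_BIN, hashlib.md5(data).digest())])
    hsize = struct.unpack(">I", sig[12:16])[0]
    return lead + sig + b"\0" * ((8 - hsize % 8) % 8) + data


if __name__ == "__main__":
    for version in ("3.0.3", "4.0.4", "4.2.1"):
        print(version, signing_preflight(build_sample_rpm(version)))
```

With a size tag and a 16-byte MD5 in the signature header, the constructed package comes out as `sigs(68)+pad(4)`, the same figures the report's `rpm -Kvvv` run shows, which is what one would expect for a signature header carrying exactly those two tags.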
How many lines of code would that version check be? 4 or 5?
Maybe I wasn't clear... the bug isn't that "that doesn't work"... the bug is that we know it doesn't work, and rpm4 tries to do it anyway... AND ruins the package file in the process. The resulting rpm is unusable.
And I know it doesn't work as well. Resign with rpm-3.0.3 if you need to resign.
I find this very disturbing that an "Enterprise" quality OS will silently corrupt a package, rendering it useless, and Red Hat's only response is to say "don't do that" and "we are not going to fix it." How about putting some error detection code into rpm and bailing out of the signing operation instead of destroying the package file? How can you possibly justify your WONTFIX resolution? We have a RHN satellite server here, where we can create child channels and push packages to them. Right now, because of this bug, I cannot take rpm packages that I download from third parties, which happen to have been created with rpm v3, sign them and push them to our satellite server. To make matters worse, the attempted resigning will silently corrupt the rpm package itself. At the very least, rpm should warn of the incompatible rpm package format and exit without corrupting the file. A simple way of converting rpm packages from v3 to v4 would be a very useful utility also. Without this conversion utility I have to do it manually with rpm2cpio or alien. I believe this is a reasonable expectation from an "Enterprise" quality OS! Why the stubborn insistence on not fixing this bug?
Exactly! RPM v4 knowingly corrupts old packages, even though it is trivial to detect the fact that they are made under version 3 and simply refuse to sign them. I understand maintaining rpm isn't easy, but this bug is SOOO easy to fix.
I am in full agreement with comment #6. Not being able to take a package from openoffice.org or EMC, sign it and push it out to a Satellite or Proxy server breaks the whole model.