Bug 134146 - signing v3.0.3 rpm packages with rpm-4.2.1 corrupts them
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm
Version: 3.0
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Jeff Johnson
Mike McLean
Reported: 2004-09-29 16:18 EDT by Joshua Jensen
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-09-29 19:15:04 EDT

Description Joshua Jensen 2004-09-29 16:18:39 EDT
Description of problem:

It seems like whenever I use rpm-4.2.1 to sign an rpm package made
with version 3.0.3, it corrupts the package:

$ rpm -qp RealPlayer-10.0.0.297-20040730.i386.rpm --qf '%{RPMVERSION}\n'
3.0.3

$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm
D: Expected size:      7793221 =lead(96)+sigs(68)+pad(4)+data(7793053)
D:   Actual size:      7793221
RealPlayer-10.0.0.297-20040730.i386.rpm:
MD5 sum OK: b2f6d227c9300e8c825c5604a898a1bf

$ rpm --define '_signature gpg' \
      --define '_gpg_name myname' \
      --define "_gpg_path /home/xyz/.gnupg" \
      --addsign RealPlayer-10.0.0.297-20040730.i386.rpm

$ rpm -Kvvv RealPlayer-10.0.0.297-20040730.i386.rpm
error: RealPlayer-10.0.0.297-20040730.i386.rpm: rpmReadSignature
failed: region trailer: BAD, tag 61 type 7 offset 48 count 16


Version-Release number of selected component (if applicable):

Seems to be any version of rpm-4


Actual results:

Package is un-usable after signing

Expected results:

rpm-4 should say "Hey, this is a package file in a 3.x rpm format, so
I won't sign it"
Comment 1 Jeff Johnson 2004-09-29 17:16:17 EDT
Yup. Resigning packages produced by rpm-4.0.x does not
work. Resign with the same version of rpm that built
the package if you have to resign.

FWIW, the only issue is the 61 tag marker that identifies
a signature header immutable region, that could be easily
fixed.

The core issue for rpm is using header-only, rather than header+payload,
signatures. It will probably take another year or so to complete that
transition.
Comment 2 Joshua Jensen 2004-09-29 17:19:27 EDT
Surely it would be very easy to have rpm 4 simply recognize that the
package file isn't of version 4, and refuse to sign it.  Header-only
signatures will be nice in a year, but rpm could very simply perform
the check now, and it would solve this problem.
Comment 3 Joshua Jensen 2004-09-29 17:21:13 EDT
How many lines of code would that version check be?  4 or 5?
Comment 4 Joshua Jensen 2004-09-29 17:38:54 EDT
Maybe I wasn't clear... the bug isn't that "that doesn't work"... the
bug is that we know it doesn't work, and rpm4 tries to do it anyway...
AND ruins the package file in the process.  The resulting rpm is unusable.
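A pre-flight check of the kind Comments 2 through 4 ask for, written here as an added Python example rather than rpm's own code: it reads the 96-byte lead and the index of the signature header that follows it, and refuses when the first index entry is not a header-region marker, the structure rpm-4's rpmReadSignature reports as a missing "region trailer". The package bytes below are constructed to match the layout in the report (a 68-byte SIZE+MD5 signature header) and are not taken from a real RealPlayer rpm; the tag numbers, entry layout and region-marker shape are rpm's header format.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # first bytes of the 96-byte rpm lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # header structure magic, version 1
RPM_BIN_TYPE = 7
REGION_TAGS = (61, 62, 63)            # HEADERIMAGE, HEADERSIGNATURES, HEADERIMMUTABLE

def parse_lead(blob):
    """Return (major, minor, name) from the lead; raise if this is not an rpm.
    Note: rpm-4 also writes lead version 3.0, so the lead alone cannot tell a
    3.0.x-built package from a 4.x one; the signature header can."""
    if len(blob) < 96 or blob[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm package (bad lead magic)")
    name = blob[10:76].split(b"\0", 1)[0].decode("ascii", "replace")
    return blob[4], blob[5], name

def signature_region(blob):
    """Inspect the signature header after the lead.
    Returns (has_region, first_tag, header_len). rpm-4 expects the first index
    entry to be a region marker (tag 61..63, type BIN, count 16); a header
    written by rpm 3.0.x has only SIZE/MD5 entries and no such marker."""
    sig = blob[96:]
    if sig[:4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", sig[8:16])
    if nindex == 0:
        raise ValueError("signature header has no entries")
    tag, typ, _offset, count = struct.unpack(">IIII", sig[16:32])
    has_region = tag in REGION_TAGS and typ == RPM_BIN_TYPE and count == 16
    return has_region, tag, 16 + 16 * nindex + hsize

def safe_to_addsign(blob):
    """The check the thread asks for: only proceed when the region marker
    that rpm-4's --addsign path assumes is actually present."""
    parse_lead(blob)
    return signature_region(blob)[0]

# --- constructed sample packages (lead + signature header only, no payload) ---
def _lead(name):
    return (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">hh", 0, 1)
            + name.encode().ljust(66, b"\0") + struct.pack(">hh", 1, 5) + b"\0" * 16)

def _sig(entries, data):
    idx = b"".join(struct.pack(">IIiI", *e) for e in entries)
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + idx + data

_SIZE_MD5 = struct.pack(">I", 7793053) + bytes(16)   # SIZE value plus a dummy MD5
# 3.0.x style: SIZE (1000) + MD5 (1004) -> 16 + 32 + 20 = 68 bytes, as in "sigs(68)"
V3_PKG = _lead("RealPlayer-10.0.0.297-20040730") + _sig([(1000, 4, 0, 1), (1004, 7, 4, 16)], _SIZE_MD5)
# rpm-4 style: region marker first; its 16-byte trailer (tag, type, -index_len, count) ends the data
_TRAILER = struct.pack(">IIiI", 62, 7, -48, 16)
V4_PKG = _lead("example-1.0-1") + _sig([(62, 7, 20, 16), (1000, 4, 0, 1), (1004, 7, 4, 16)], _SIZE_MD5 + _TRAILER)
```

Run `safe_to_addsign()` on the file's first few hundred bytes before invoking `rpm --addsign`; a False result is the case where rpm-4.2.1 would have rewritten the signature header and left the package unreadable.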
Comment 5 Jeff Johnson 2004-09-29 19:15:04 EDT
And I know it doesn't work as well. Resign with rpm-3.0.3
if you need to resign.
Comment 6 Jason Smith 2005-02-02 11:22:23 EST
I find this very disturbing that an "Enterprise" quality OS will
silently corrupt a package, rendering it useless, and RedHat's only
response is to say "don't do that" and "we are not going fix it."  How
about putting some error detection code into rpm and bailing out of
the signing operation instead of destroying the package file?  How can
you possibly justify your WONTFIX resolution?

We have a RHN satellite server here, where we can create child
channels and push packages to them.  Right now, because of this bug, I
cannot take rpm packages that I download from third parties, which
happen to have been created with rpm v3, sign them and push them to
our satellite server.  To make matters worse, the attempted resigning
will silently corrupt the rpm package itself.

At the very least, rpm should warn of the incompatible rpm package
format and exit without corrupting the file.  A simple way of
converting rpm packages from v3 to v4 would be a very useful utility
also.  Without this conversion utility I have to do it manually with
rpm2cpio or alien.

I believe this is a reasonable expectation from an "Enterprise"
quality OS!  Why the stubborn insistence on not fixing this bug?
Comment 7 Joshua Jensen 2005-02-02 12:07:03 EST
Exactly!  RPM v4 knowingly corrupts old packages, even though it is
trivial to detect the fact that they are made under version 3 and
simply refuse to sign them.  I understand maintaining rpm isn't easy,
but this bug is SOOO easy to fix.
Comment 8 David Johnson 2006-08-17 15:42:51 EDT
I am in full agreement with comment #6.  Not being able to take a package
from openoffice.org or EMC, sign it and push it out to a Satellite or Proxy
server breaks the whole model.