Description of problem:
Signature checking returns false negatives for some packages when queried via HTTP. Backing out rpm and popt (to U1 revs) eliminates false positives.

Version-Release number of selected component (if applicable):
rpm-4.2.2-0.14

How reproducible:
Always

Steps to Reproduce:
1. Set up and start httpd on localhost (an RHEL3-U3 machine)
2. Place arptables_jf-0.0.7-0.3E.i386.rpm somewhere httpd will serve it
3. Run 'rpm -Kv http://localhost/<path>/arptables_jf-0.0.7-0.3E.i386.rpm'

Actual results:
[root@hogwash root]# rpm -Kv http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) != (26b0af6b001e752a2596610b80e19b4f)
    V3 DSA signature: BAD, key ID db42a60e
[root@hogwash root]#

Expected results:
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: OK (820cd9dc0cb93108029c3b1b2afa97d5)
    V3 DSA signature: OK, key ID db42a60e

Additional info:
*** Bug 138901 has been marked as a duplicate of this bug. ***
Just an update - I can reproduce. Can others confirm if it works using --nolibio?
    rpm -K http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm
    http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm: (sha1) dsa sha1 MD5 GPG NOT OK
    rpm --nolibio -K http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm
    http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm: (sha1) dsa sha1 md5 gpg OK
Same for me here, rpm -K sporadically says "NOT OK", if I add --nolibio it seems to always say "OK" -- ezio
Created attachment 109570 [details] strace of working rpm --nolibio -K
Note we read
    lead+sigh[96 + 16 + 328] hdr[16 + 3984] store [84038]
Created attachment 109571 [details] strace of failing rpm -K
Note the short read on the store
    [ 96 + 16 + 328 ] [ 16 + 3984 ] store [ 26886 ]
If we read the rpm to the length we get the same actual MD5
    rpm -Kv http://porkchop.devel.redhat.com/beehive/comps/dist/3.0E-U2/arptables_jf/0.0.7-0.3E/i386/arptables_jf-0.0.7-0.3E.i386.rpm
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) != (26b0af6b001e752a2596610b80e19b4f)
    dd if=arptables_jf-0.0.7-0.3E.i386.rpm of=bar bs=1 count=31326
    rpm -Kv bar | grep MD5
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) != (26b0af6b001e752a2596610b80e19b4f)
Note fails with same actual MD5 digest using ftp also, pursuing some suggestions from jbj in fdReadable
From rpmiodebug
    ==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 51462 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
    ==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 26886 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
    ==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 2310 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
    ==> fdRead(0x8567df8,0xb73df000,8192) rc 2310 clen 0 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
*** Bug 144836 has been marked as a duplicate of this bug. ***
With the help of Jeff Johnson we've tracked this down and have a proposed fix. Target U5
FYI, the --nolibio workaround doesn't appear to me to have any effect on the problem. I'm not sure if this is significant to the proposed fix or not.
Steve, can you attach the stderr from both
    rpm --rpmiodebug --nolibio -Kv http://URL/foo.rpm
    rpm --rpmiodebug -Kv http://URL/foo.rpm
Created attachment 109671 [details] Successful verification with rpm --rpmiodebug -Kv
Created attachment 109672 [details] Failed verification with rpm --rpmiodebug -Kv
Created attachment 109673 [details] Failed verification with rpm --rpmiodebug --nolibio -Kv
I'm pretty sure the fix should work for both cases for you as it fixes the clen decrementing incorrectly which you're seeing in your nolibio case too.
I ran into this same problem with rpm -qp ftp:// on FC2 and FC3. Jeff Johnson gave me a patch from CVS that fixes the problem for me on FC3 rpm-4.3.2-21. It would be nice if FC2/3 updates could be released with this fix included.
Created attachment 110028 [details] rpmio fix for bytesRemain updated multiple times in fdstat_exit
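An added example, not part of the bug thread and not rpm's code: a small Python check that replays the four fdRead lines from the rpmiodebug comment above and compares each drop in clen with the bytes the read actually returned. The function names are made up for this illustration.

```python
import re

# The four fdRead trace lines quoted in the rpmiodebug comment of this thread.
TRACE = """\
==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 51462 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 26886 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==> fdRead(0x8567df8,0xb73df000,8192) rc 8192 clen 2310 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
==> fdRead(0x8567df8,0xb73df000,8192) rc 2310 clen 0 | LIBIO 0x856a048(-1) fdno -1 | UFD 3 fp 0x856a048
"""

FDREAD = re.compile(r"fdRead\(\w+,\w+,(\d+)\) rc (-?\d+) clen (\d+)")


def parse_reads(trace):
    """Return one (requested, rc, clen_after) tuple per fdRead line."""
    return [tuple(int(g) for g in m.groups()) for m in FDREAD.finditer(trace)]


def audit_clen(reads):
    """For each read after the first, compare the drop in clen with rc.

    Correct accounting drops clen by exactly the bytes returned; a larger
    drop means the remaining-length counter was decremented more than once.
    """
    findings = []
    for (_, _, before), (_, rc, after) in zip(reads, reads[1:]):
        drop = before - after
        findings.append({"rc": rc, "drop": drop, "ok": drop == rc})
    return findings


def bytes_delivered(reads):
    """Total bytes the caller actually received across the traced reads."""
    return sum(rc for _, rc, _ in reads if rc > 0)


if __name__ == "__main__":
    reads = parse_reads(TRACE)
    for f in audit_clen(reads):
        status = "consistent" if f["ok"] else "OVERCOUNTED"
        print(f"rc={f['rc']:5d} clen drop={f['drop']:5d} {status}")
    print("payload bytes delivered:", bytes_delivered(reads))
```

On this trace the first two audited reads each drop clen by 24576, three times the 8192 bytes returned, and the reads total 26886 bytes, the same short store length noted for the failing strace (the working run read 84038).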
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-147.html