Bug 144836 - RPM MD5/checksig verification fails intermittently over HTTP
Summary: RPM MD5/checksig verification fails intermittently over HTTP
Keywords:
Status: CLOSED DUPLICATE of bug 138716
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-11 20:41 UTC by Steve Snodgrass
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 19:07:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Steve Snodgrass 2005-01-11 20:41:24 UTC 
Description of problem: Using rpm --checksig (or -K) on rpm 4.2.3+
sometimes yields bogus results if the RPM file is being accessed via
HTTP.  This seems likely to be a signal/syscall issue, but I will
describe the problem further and let you decide.

Version-Release number of selected component (if applicable): 4.2.3, 4.3.x


How reproducible:

The problem is intermittent on RHEL3 and Fedora Core 2.  The problem
may be most obvious on Fedora Core 3; I have a FC3 system with RPM
4.3.2-21 that always exhibits the problem.  The other way to always
get the problem is to run rpm under strace.  The problem seems to
occur more frequently if the HTTP access for the RPM is happening
through an SSH tunnel.


Steps to Reproduce:

These commands were all executed within a few seconds of each other. 
There's nothing special about the abiword RPM, it's just an example.

# uname -r
2.4.21-20.ELsmp

# rpm -q rpm
rpm-4.2.3-10

# rpm -Kv
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51)
    MD5 digest: BAD Expected(5176710e9a2ff15d494578a85dd75cc8) !=
(a772d42f4591d9d98cd777113ff1c925)
    V3 DSA signature: BAD, key ID 4f2a6fd2

# rpm -Kv
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51)
    MD5 digest: OK (5176710e9a2ff15d494578a85dd75cc8)
    V3 DSA signature: OK, key ID 4f2a6fd2

  
Actual results:

Sometimes the RPM MD5/signature appear to be bad.

Expected results:

RPM should give a consistent good result in this case.

Additional info:

RPM 4.2.1 on Fedora Core 1 does not seem to suffer from this problem.
 It's even clean under strace, which is a guaranteed way to produce
the problem on more recent versions.  The problem does not affect
signature verifications of files on local disk.  One strace I ran on a
check of a 97K RPM revealed that the process only ever read 36K worth
of the file over the network, so something strange is definitely going on.
Comment 1 Paul Nasrat 2005-01-11 20:52:25 UTC 
Already reported and investigating

*** This bug has been marked as a duplicate of 138716 ***
Comment 2 Red Hat Bugzilla 2006-02-21 19:07:52 UTC 
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
Note You need to log in before you can comment on or make changes to this bug.