Bug 144836 - RPM MD5/checksig verification fails intermittently over HTTP
RPM MD5/checksig verification fails intermittently over HTTP
Status: CLOSED DUPLICATE of bug 138716
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: rpm (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
Mike McLean
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-11 15:41 EST by Steve Snodgrass
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-21 14:07:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Snodgrass 2005-01-11 15:41:24 EST
Description of problem: Using rpm --checksig (or -K) on rpm 4.2.3+
sometimes yields bogus results if the RPM file is being accessed via
HTTP.  This seems likely to be a signal/syscall issue, but I will
describe the problem further and let you decide.

Version-Release number of selected component (if applicable): 4.2.3, 4.3.x


How reproducible:

The problem is intermittent on RHEL3 and Fedora Core 2.  The problem
may be most obvious on Fedora Core 3; I have a FC3 system with RPM
4.3.2-21 that always exhibits the problem.  The other way to always
get the problem is to run rpm under strace.  The problem seems to
occur more frequently if the HTTP access for the RPM is happening
through an SSH tunnel.


Steps to Reproduce:

These commands were all executed within a few seconds of each other. 
There's nothing special about the abiword RPM, it's just an example.

# uname -r
2.4.21-20.ELsmp

# rpm -q rpm
rpm-4.2.3-10

# rpm -Kv
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51)
    MD5 digest: BAD Expected(5176710e9a2ff15d494578a85dd75cc8) !=
(a772d42f4591d9d98cd777113ff1c925)
    V3 DSA signature: BAD, key ID 4f2a6fd2

# rpm -Kv
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51)
    MD5 digest: OK (5176710e9a2ff15d494578a85dd75cc8)
    V3 DSA signature: OK, key ID 4f2a6fd2

  
Actual results:

Sometimes the RPM MD5/signature appear to be bad.

Expected results:

RPM should give a consistent good result in this case.

Additional info:

RPM 4.2.1 on Fedora Core 1 does not seem to suffer from this problem.
 It's even clean under strace, which is a guaranteed way to produce
the problem on more recent versions.  The problem does not affect
signature verifications of files on local disk.  One strace I ran on a
check of a 97K RPM revealed that the process only ever read 36K worth
of the file over the network, so something strange is definitely going on.
Comment 1 Paul Nasrat 2005-01-11 15:52:25 EST
Already reported and investigating

*** This bug has been marked as a duplicate of 138716 ***
Comment 2 Red Hat Bugzilla 2006-02-21 14:07:52 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.