Description of problem: Using rpm --checksig (or -K) on rpm 4.2.3+ sometimes yields bogus results if the RPM file is being accessed via HTTP. This seems likely to be a signal/syscall issue, but I will describe the problem further and let you decide. Version-Release number of selected component (if applicable): 4.2.3, 4.3.x How reproducible: The problem is intermittent on RHEL3 and Fedora Core 2. The problem may be most obvious on Fedora Core 3; I have a FC3 system with RPM 4.3.2-21 that always exhibits the problem. The other way to always get the problem is to run rpm under strace. The problem seems to occur more frequently if the HTTP access for the RPM is happening through an SSH tunnel. Steps to Reproduce: These commands were all executed within a few seconds of each other. There's nothing special about the abiword RPM, it's just an example. # uname -r 2.4.21-20.ELsmp # rpm -q rpm rpm-4.2.3-10 # rpm -Kv http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm: Header V3 DSA signature: OK, key ID 4f2a6fd2 Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51) MD5 digest: BAD Expected(5176710e9a2ff15d494578a85dd75cc8) != (a772d42f4591d9d98cd777113ff1c925) V3 DSA signature: BAD, key ID 4f2a6fd2 # rpm -Kv http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/abiword-2.0.12-3.i386.rpm: Header V3 DSA signature: OK, key ID 4f2a6fd2 Header SHA1 digest: OK (f719d75f79023959f00feeac281b5ac572058e51) MD5 digest: OK (5176710e9a2ff15d494578a85dd75cc8) V3 DSA signature: OK, key ID 4f2a6fd2 Actual results: Sometimes the RPM MD5/signature appear to be bad. Expected results: RPM should give a consistent good result in this case. Additional info: RPM 4.2.1 on Fedora Core 1 does not seem to suffer from this problem. It's even clean under strace, which is a guaranteed way to produce the problem on more recent versions. The problem does not affect signature verifications of files on local disk. One strace I ran on a check of a 97K RPM revealed that the process only ever read 36K worth of the file over the network, so something strange is definitely going on.
Already reported and investigating *** This bug has been marked as a duplicate of 138716 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.