Bug 1480492 - rpm 4.13.0 cannot read signature headers made by rpm 4.13.90
rpm 4.13.0 cannot read signature headers made by rpm 4.13.90
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: packaging-team-maint
Fedora Extras Quality Assurance
:
Depends On: 1480407 1480493
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-11 05:10 EDT by Panu Matilainen
Modified: 2017-08-23 15:54 EDT (History)
9 users (show)

See Also:
Fixed In Version: rpm-4.13.0.1-6.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1480407
Environment:
Last Closed: 2017-08-23 15:54:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Panu Matilainen 2017-08-11 05:10:37 EDT
+++ This bug was initially created as a clone of Bug #1480407 +++

Description of problem:
RPMs generated by RPM 4.13.90 seem to have signature headers that cannot be parsed by 4.13.0.1.


Version-Release number of selected component (if applicable):
rpm-4.13.90-0.git14002.1.fc27  (generated rpm file)
rpm-4.13.0.1-41.fc27  (trying to read rpm file)

How reproducible:
Consistent

Steps to Reproduce:
1. Get an RPM built with rpm-4.13.90 (e.g. https://kojipkgs.fedoraproject.org//packages/net-snmp/5.7.3/24.fc27/aarch64/net-snmp-debugsource-5.7.3-24.fc27.aarch64.rpm)
2. Run rpm -K on it with 4.13.0.1

Actual results:
rpm -K net-snmp-debugsource-5.7.3-24.fc27.armv7hl.rpm
net-snmp-debugsource-5.7.3-24.fc27.armv7hl.rpm: sha1 ?UnknownSigatureType? md5 NOT OK

Expected results:
rpm -K net-snmp-debugsource-5.7.3-23.fc27.aarch64.rpm
net-snmp-debugsource-5.7.3-23.fc27.aarch64.rpm: sha1 md5 OK

Additional info:
Note that the Expected output is generated with an RPM built with RPM 4.13.0.

--- Additional comment from Igor Gnatenko on 2017-08-11 01:46:48 EDT ---

[brain@ignatenko-w541 rpm]$ ./rpmkeys -Kv /home/brain/rpmbuild/RPMS/noarch/dummy-1.0-1.fc27.noarch.rpm
/home/brain/rpmbuild/RPMS/noarch/dummy-1.0-1.fc27.noarch.rpm:
    Header SHA1 digest: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
[brain@ignatenko-w541 rpm]$ rpmkeys -Kv /home/brain/rpmbuild/RPMS/noarch/dummy-1.0-1.fc27.noarch.rpm
/home/brain/rpmbuild/RPMS/noarch/dummy-1.0-1.fc27.noarch.rpm:
    Header SHA1 digest: OK (e03b0b919aa8c3fb3870eebade5aa59333fa6527)
    Verify signature: BAD PARAMETERS (273 0xa210889e21 1 (nil) (nil))
    MD5 digest: OK (57427666af776b18899b02944a9badf7)

--- Additional comment from Panu Matilainen on 2017-08-11 02:11:29 EDT ---

Okay, funnily enough this is actually a bug in 4.13 which doesn't skip unknown elements in the signature header the way it should, 4.11 and 4.12 have no problems verifying the package(s). This seems to fix it (against 4.13.0.1), but I need to test it some more (I've only into first cup of coffee this morning):

diff --git a/lib/signature.c b/lib/signature.c
index 1b9fe345f..41bf85893 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -71,6 +71,7 @@ rpmRC rpmSigInfoParse(rpmtd td, const char *origin,
        break;
     default:
        /* anything unknown just falls through for now */
+       sinfo->type = RPMSIG_OTHER_TYPE;
        break;
     }
 

Which Fedora version is used for signing? F26?

--- Additional comment from Panu Matilainen on 2017-08-11 02:32:11 EDT ---

So, the exact problem is that rpm 4.13 fails to ignore the unknown SHA256 header digest in rpmkeys -K, which is what the above one-liner fixes. Everything else works fine even without the patch, actual signing included.

Basically the choices are
a) hot-patch whatever is doing the signing with the one-liner
b) hot-patch 4.14 to not generate the SHA256 digest until we have fixed the other fedora versions

--- Additional comment from Panu Matilainen on 2017-08-11 03:02:13 EDT ---

After the second cup of coffee the choice is pretty obvious: time is of the essence, and b) buys as much as we need for practically no cost.

So I've disabled SHA256 header digest generation in rpm 4.14 for now:
https://src.fedoraproject.org/rpms/rpm/c/14f55d6b2238ecb49c57a8a27db022a9d939637e?branch=master
This lets us deal with the older versions at leisure instead of paniced running around in circles.

Recommencing rebuilds with the patched 4.14.
Comment 1 Fedora Update System 2017-08-16 09:26:26 EDT
rpm-4.13.0.1-6.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-33d34f3f6b
Comment 2 Fedora Update System 2017-08-16 09:31:16 EDT
rpm-4.13.0.1-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e9a1ddb533
Comment 3 Fedora Update System 2017-08-19 14:52:57 EDT
rpm-4.13.0.1-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-33d34f3f6b
Comment 4 Fedora Update System 2017-08-23 15:54:33 EDT
rpm-4.13.0.1-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.