Bug 155079 - rpm --checksig silently ignores nonexistent files
Summary: rpm --checksig silently ignores nonexistent files
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 7
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Panu Matilainen
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-04-16 00:44 UTC by D. Hugh Redelmeier
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-10-24 07:14:07 UTC
Type: ---

Attachments (Terms of Use)

Description D. Hugh Redelmeier 2005-04-16 00:44:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
"rpm --checksig filename-with-no-file" is silent.  It should complain that the file is missing.

There is an indication of failure: rpm --checksig appears to set the exit status to the count of files with problems, including missing files.  That is not documented in rpm(8).  It is not normal for an exit status to be a count; it is dangerous since the status must be a small integer and could overflow easily.

$ rpm --checksig silly ; echo $?
$ rpm --checksig silly sally ; echo $?
$ rpm --checksig silly sally solly ; echo $?
$ rpm --checksig silly sally solly sully ; echo $?
$ rpm --checksig silly /dev/null ; echo $?
error: /dev/null: not an rpm package

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  rpm --checksig sillyname
2.  echo status $?

Actual Results:  output:
status 1

Expected Results:  error: open of sillyname failed: No such file or directory
status 1

Additional info:

seems to go back to at least RHL8 (oldest system I have on at the moment).

Conversation from #rpm IRC channel:
<dhr> I am surprised that "rpm --checksig nonexistent_name" prints no diagnostic.  Is this a misfeature?
<dhr> I am using rpm-4.3.2-21 on Fedora Core 3.
<jbj> dhr: yes, misfeature. meanwhile, --checksig is mostly pointless, signatures are always checked everwhere. and --checksig is popt alias which execs /usr/lib/rpm/rpmk, which is where the misfeature creeps in, pretending that same old, same old, "stuff" is useful.
<dhr> I use checksig to verify stuff downloaded to my repository/cache.  I don't (immediately) use those rpms in any other way.  So checksig appears to be the only sensible choice.
<jbj> dhr: rpm -qp mostly same as --checksig.
<dhr> jbj: thanks.  Does not show what was checked (could add some --query-format, I guess).

Comment 1 Matthew Miller 2006-07-10 23:23:13 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 2 D. Hugh Redelmeier 2007-07-05 14:45:09 UTC
This bug/misfeature is still present in F7

Comment 3 D. Hugh Redelmeier 2007-07-05 14:52:52 UTC
I should have mentioned in #2 that I tested with rpm-4.4.2-46.fc7

Comment 4 Jeff Johnson 2007-07-05 15:31:36 UTC
[jbj@jack ~]$ rpm --checksig silly sally solly sully ; echo $?
[jbj@jack ~]$ rpm --version
RPM version 5.0

Comment 5 Red Hat Bugzilla 2007-08-21 05:19:53 UTC
User pnasrat's account has been closed

Comment 6 Panu Matilainen 2007-08-22 06:31:54 UTC
Reassigning to owner after bugzilla made a mess, sorry about the noise...

Comment 7 Panu Matilainen 2007-09-04 07:24:54 UTC
[pmatilai@localhost rpm]$ ./rpmk --checksig doesntexist.rpm; echo $?
error: doesntexist.rpm: open failed: No such file or directory

Fixed upstream now.

Comment 8 Fedora Update System 2007-10-12 20:02:34 UTC
rpm- has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rpm'

Comment 9 Fedora Update System 2007-10-24 07:13:54 UTC
rpm- has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.