Red Hat Bugzilla – Bug 155079
rpm --checksig silently ignores nonexistent files
Last modified: 2007-11-30 17:11:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Description of problem:
"rpm --checksig filename-with-no-file" is silent. It should complain that the file is missing.
There is an indication of failure: rpm --checksig appears to set the exit status to the count of files with problems, including missing files. That is not documented in rpm(8). It is not normal for an exit status to be a count; it is dangerous since the status must be a small integer and could overflow easily.
$ rpm --checksig silly ; echo $?
$ rpm --checksig silly sally ; echo $?
$ rpm --checksig silly sally solly ; echo $?
$ rpm --checksig silly sally solly sully ; echo $?
$ rpm --checksig silly /dev/null ; echo $?
error: /dev/null: not an rpm package
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. rpm --checksig sillyname
2. echo status $?
Actual Results: output:
Expected Results: error: open of sillyname failed: No such file or directory
seems to go back to at least RHL8 (oldest system I have on at the moment).
Conversation from #rpm IRC channel:
<dhr> I am surprised that "rpm --checksig nonexistent_name" prints no diagnostic. Is this a misfeature?
<dhr> I am using rpm-4.3.2-21 on Fedora Core 3.
<jbj> dhr: yes, misfeature. meanwhile, --checksig is mostly pointless, signatures are always checked everwhere. and --checksig is popt alias which execs /usr/lib/rpm/rpmk, which is where the misfeature creeps in, pretending that same old, same old, "stuff" is useful.
<dhr> I use checksig to verify stuff downloaded to my repository/cache. I don't (immediately) use those rpms in any other way. So checksig appears to be the only sensible choice.
<jbj> dhr: rpm -qp mostly same as --checksig.
<dhr> jbj: thanks. Does not show what was checked (could add some --query-format, I guess).
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
This bug/misfeature is still present in F7
I should have mentioned in #2 that I tested with rpm-4.4.2-46.fc7
[jbj@jack ~]$ rpm --checksig silly sally solly sully ; echo $?
[jbj@jack ~]$ rpm --version
RPM version 5.0
User firstname.lastname@example.org's account has been closed
Reassigning to owner after bugzilla made a mess, sorry about the noise...
[pmatilai@localhost rpm]$ ./rpmk --checksig doesntexist.rpm; echo $?
error: doesntexist.rpm: open failed: No such file or directory
Fixed upstream now.
rpm-188.8.131.52-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update rpm'
rpm-184.108.40.206-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.