Bug 186922 - signature verification via http broken after upgrade from U1 to U2
signature verification via http broken after upgrade from U1 to U2
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rpm (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Paul Nasrat
Mike McLean
: Regression
Depends On:
Blocks: 176344 198694
  Show dependency treegraph
 
Reported: 2006-03-27 09:49 EST by Bastien Nocera
Modified: 2007-11-30 17:07 EST (History)
7 users (show)

See Also:
Fixed In Version: RHBA-2007-0315
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 18:51:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
rpm-4.3-rpmio-bytesremain.patch (954 bytes, patch)
2006-03-27 09:49 EST, Bastien Nocera
no flags Details | Diff

  None (edit)
Description Bastien Nocera 2006-03-27 09:49:31 EST
Same as bug #138716 but for RHEL4.
Patch adapted from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138716#c25 attached

+++ This bug was initially created as a clone of Bug #138716 +++

Description of problem:
Signature checking returns false negatives for some packages when queried via
HTTP. Backing out rpm and popt (to U1 revs) eliminates false positives.

Version-Release number of selected component (if applicable):
rpm-4.2.2-0.14

How reproducible:
Always

Steps to Reproduce:
1. Setup and start httpd on localhost (an RHEL3-U3 machine)
2. Place arptables_jf-0.0.7-0.3E.i386.rpm somewhere httpd will serve it
3. run 'rpm -Kv http://localhost/<path>/arptables_jf-0.0.7-0.3E.i386.rpm'
  
Actual results:
[root@hogwash root]# rpm -Kv http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: BAD Expected(820cd9dc0cb93108029c3b1b2afa97d5) !=
(26b0af6b001e752a2596610b80e19b4f)
    V3 DSA signature: BAD, key ID db42a60e
[root@hogwash root]#


Expected results:
http://localhost/foo/arptables_jf-0.0.7-0.3E.i386.rpm:
    Header V3 DSA signature: OK, key ID db42a60e
    Header SHA1 digest: OK (ed2335c4ca90a50d23bb59281fa74a9551962b82)
    MD5 digest: OK (820cd9dc0cb93108029c3b1b2afa97d5)
    V3 DSA signature: OK, key ID db42a60e
Comment 1 Bastien Nocera 2006-03-27 09:49:34 EST
Created attachment 126818 [details]
rpm-4.3-rpmio-bytesremain.patch
Comment 6 RHEL Product and Program Management 2006-08-18 12:22:31 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 RHEL Product and Program Management 2006-12-12 12:18:55 EST
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being marked as a blocker for this release.  

Please resolve ASAP.
Comment 10 RHEL Product and Program Management 2006-12-12 12:19:45 EST
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being marked as a blocker for this release.  

Please resolve ASAP.
Comment 13 Red Hat Bugzilla 2007-05-01 18:51:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0315.html

Note You need to log in before you can comment on or make changes to this bug.