Description of problem: sha checksum of cvs-package seems do be different from the checksum in repodata/primary.xml.gz How reproducible: $ sha1sum cvs-1.11.1p1-7.i386.rpm 06fc933f5fca5ee8c13d97d0ea320ab8f9ba57a0 cvs-1.11.1p1-7.i386.rpm $ gunzip primary.xml.gz $ grep 06fc933f5fca5ee8c13d97d0ea320ab8f9ba57a0 primary.xml Actual results: The sha checksum in primary.xml.gz is 46da2ca673b3af8a08eab8b1d4322e0d6a9d08ad Expected results: The sha checksum in primary.xml.gz is 06fc933f5fca5ee8c13d97d0ea320ab8f9ba57a0 Additional info:
I verified that this is indeed the case here. I don't know why. In all other cases I looked at, the file sha1sum of the i386.rpm package matches the value inside the primary.xml.gz repodata file. Jesse - do we need to regenerate the repodata for RHL 7.3 on the Fedora Legacy's build server? My findings: ----<http://download.fedoralegacy.org/redhat/7.3/os/i386/repodata/primary.xml.gz>----- ... <package type="rpm"> <name>cvs</name> <arch>i386</arch> <version epoch="0" ver="1.11.1p1" rel="7"/> <checksum type="sha" pkgid="YES">46da2ca673b3af8a08eab8b1d4322e0d6a9d08ad</checksum> ... -------------------------------------------------------------------------------------- $ sha1sum cvs-1.11.1p1-7.i386.rpm 06fc933f5fca5ee8c13d97d0ea320ab8f9ba57a0 cvs-1.11.1p1-7.i386.rpm
By the way, doing an "rpm --checksig" on the cvs.1.11.1p1-7.i386.rpm package indicates that the package has *not* been tampered with. It passes verification okay. So that indicates a problem with whatever created the repodata, not with the package itself.
Metadata regenerated.
Verified - checksum in regenerated metadata in primary.xml.gz for the RHL 7.3 cvs-1.11.1p1-7.i386.rpm package now matches the sha1sum of the package. Thanks, Jesse! And thanks for bringing this to our attention, Rolf! :)