upstream bug: can't rpm erase, package with invalid hash lodged inside rpmdb #2460
https://github.com/rpm-software-management/rpm/issues/2460

Description of problem:

rpm query commands on invocation show annoying/distracting hash/digest errors. When using rpm, I think there are two non-easily identifiable packages that are messed up. The ```rpm -e``` erase option does not have a ```--nodigest``` argument, unlike the install/upgrade/verify options. The logs below show that unnamed packages throw up hash/digest errors. From the key signature ```a109b1ec``` I deduced the packages to be livna-release and libdvdcss.

I recently did an upgrade from fedora-37 to fedora-38. For the most part, other than a few dependency hiccups with some packages like ffmpeg-libs, libplacebo, libchromapaint, which were resolved, the update went smoothly. Fedora-38 boots and works with no issues.

So my question is, how can I fix this? Attempting to force install livna-release is also not possible. I have tried moving out the gpgkeys manually from /etc/pki and /etc/yum.repos.d, no effect.

Logs

```
[root@sirius livna]# rpm -qa > /dev/null # just to see the stderr
error: rpmdbNextIterator: skipping h# 17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -e livna-release
error: rpmdbNextIterator: skipping h# 17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -e libdvdcss
error: rpmdbNextIterator: skipping h# 19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -e livna-release --nodeps --justdb
error: rpmdbNextIterator: skipping h# 17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed
[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm --force
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed
[root@sirius livna]# rpm -qa | grep -Ei "^rpm-4|rpm-l"
error: rpmdbNextIterator: skipping h# 17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
rpm-libs-4.18.1-1.fc38.x86_64
rpm-4.18.1-1.fc38.x86_64
[root@sirius livna]# uname -a
Linux sirius 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64 GNU/Linux
[root@sirius livna]# cat /etc/os-release | grep -E "^NAME=|^VERSION="
NAME="Fedora Linux"
VERSION="38 (Workstation Edition Prerelease)"
```

Version-Release number of selected component (if applicable): rpm-4.18.1-1

How reproducible: It's not exactly redo-able on an already installed/upgraded machine. Seems like a one time thing if you get it into this state.

Steps to Reproduce: See logs given above

Actual results: See logs given above

Expected results: no error message should be visible

Additional info: none at the moment; verbose argument -vvv doesn't show anything interesting, other than it reading other GPG keys.

Update to latest rpm-sequoia and crypto-policies. More details in bug 2170878.

*** This bug has been marked as a duplicate of bug 2170878 ***

Thanks Panu

LOGS

```
[root@sirius livna]# rpm -qa >/dev/null
error: rpmdbNextIterator: skipping h# 17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h# 19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -q --nosignature --querybynumber 17
livna-release-1-1.noarch
[root@sirius livna]# rpm -q --nosignature --querybynumber 19
libdvdcss-1.4.0-1.fc24.remi.x86_64
[root@sirius livna]# rpm -e --nosignature libdvdcss-1.4.0-1.fc24.remi.x86_64
[root@sirius livna]# rpm -e --nosignature livna-release-1-1.noarch
[root@sirius livna]#
[root@sirius livna]# rpm -qa >/dev/null
[root@sirius livna]# rpm -q crypto-policies rpm-sequoia
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
rpm-sequoia-1.3.0-1.fc38.x86_64
[root@sirius livna]# update-crypto-policies --show
DEFAULT
```

MISC

Collecting some links here found while reading:

- 20230217 Insecure installed RPMs (like Google Chrome) prevent system updates in F38, can't be removed https://bugzilla.redhat.com/show_bug.cgi?id=2170878
- 20230230 Kamil Páral Third-party RPMs with an invalid signing key might cause errors during package operations https://discussion.fedoraproject.org/t/third-party-rpms-with-an-invalid-signing-key-might-cause-errors-during-package-operations/80077
- 20230227 Kamil Páral Talk: Popular third-party RPMs fail to install/update/remove due to security policies verification https://discussion.fedoraproject.org/t/talk-popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70379/1
- 20230208 Kamil Páral Popular third-party RPMs fail to install/update/remove due to security policies verification https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
- 20230330 Rebuild to pull in cryptographic fixes for RPM https://bugzilla.redhat.com/show_bug.cgi?id=2183038
- 20230131 Kevin/Nirik error: rpmdbNextIterator: skipping in Fedora 38+ https://www.scrye.com/wordpress/nirik/2023/01/31/error-rpmdbnextiterator-skipping-in-fedora-38/

I gather there are two options:

a) either add SHA1 to the crypto policy
b) rpm-erase the troublesome apps, and wait for the repositories to update to stronger GPG keys
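
Added example, not part of the original thread: a shell helper that pulls the skipped header numbers and key IDs out of rpm's stderr in the format logged above, so each header can be resolved with the `rpm -q --nosignature --querybynumber` call used in the last comment. The function names and the `--live` switch are made up for this sketch, and the sample text is constructed from the logs above.

```shell
#!/bin/sh
# Added example: inventory rpmdb headers that rpm skips on a BAD signature.

# Constructed sample of `rpm -qa` stderr, modelled on the logs in this report.
SAMPLE='error: rpmdbNextIterator: skipping h#      17
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK'

# parse_skipped (hypothetical name): read rpm stderr on stdin and print
# "<header-number> <key-id>" for every skipped header. The input is joined
# first, so multi-line and single-line (flattened) logs both parse.
parse_skipped() {
    awk '
    { buf = buf " " $0 }
    END {
        while (match(buf, /skipping h#[ \t]*[0-9]+/)) {
            num = substr(buf, RSTART, RLENGTH)
            buf = substr(buf, RSTART + RLENGTH)
            sub(/^skipping h#[ \t]*/, "", num)
            # Only look for the key ID before the next "skipping" record.
            nxt = index(buf, "skipping h#")
            scope = (nxt > 0) ? substr(buf, 1, nxt - 1) : buf
            key = "unknown"
            if (match(scope, /key ID [0-9a-fA-F]+: BAD/))
                key = substr(scope, RSTART + 7, RLENGTH - 12)
            print num, key
        }
    }'
}

# resolve_skipped (hypothetical name): on a live system, map each skipped
# header number to its package name, bypassing signature checks for the
# query only. Nothing is erased here.
resolve_skipped() {
    rpm -qa 2>&1 >/dev/null | parse_skipped | while read -r num key; do
        printf '%s\t%s\t' "$num" "$key"
        rpm -q --nosignature --querybynumber "$num"
    done
}

# Default run parses the constructed sample; pass --live to query the rpmdb.
case "${1:-}" in
    --live) resolve_skipped ;;
    *)      printf '%s\n' "$SAMPLE" | parse_skipped ;;
esac
```

Reviewing the resolved names and key IDs before erasing anything shows which third-party repositories are still signing with keys the current crypto policy rejects.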