adding additional signatures seems to be broken with rpm 4.0.2. 1012 katzj@rivendell:~> rpm -Kv xinetd-2.1.8.9pre11-1.i386.rpm xinetd-2.1.8.9pre11-1.i386.rpm: MD5 sum OK: c8ec559183ae44966e21c8820aacaa6a gpg: Warning: using insecure memory! gpg: Signature made Thu 19 Oct 2000 02:30:07 PM EDT using DSA key ID DB42A60E gpg: Good signature from "Red Hat, Inc <security>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. gpg: Fingerprint: CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E 1013 katzj@rivendell:~> rpm --addsign xinetd-2.1.8.9pre11-1.i386.rpm Enter pass phrase: Pass phrase is good. xinetd-2.1.8.9pre11-1.i386.rpm: gpg: Warning: using insecure memory! 1014 katzj@rivendell:~> rpm -Kvv xinetd-2.1.8.9pre11-1.i386.rpm D: Expected size: 106724 = lead(96)+sigs(229)+pad(3)+data(106396) D: Actual size: 106756 error: xinetd-2.1.8.9pre11-1.i386.rpm: rpmReadSignature failed
This defect is considered MUST-FIX for Florence Beta-3
Note that this only happens when you have an RPM which was created and signed by an older version of RPM that you then add a signature too. In this case, the HEADER_IMAGE tag exists, but we don't want to subtract the offset from the sigsize
This is a legacy issue with old packages, sign with rpm-4.0 or earlier as workaround. Deferred until after 7.1.
This should be fixed in rpm-4.0.2 final.