Bug 25050 - rpm-4.0-4.3 detects no signatures on any package.
Summary: rpm-4.0-4.3 detects no signatures on any package.
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm   
(Show other bugs)
Version: 7.0
Hardware: alpha
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2001-01-26 22:36 UTC by Gregory McLean
Modified: 2007-04-18 16:30 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-01-26 22:36:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Gregory McLean 2001-01-26 22:36:29 UTC
On the alpha running rpm to verify a packages integrity is not possible as
rpm fails to find any signatures.

Official RPM from ftp.redhat.com

rpm -vv -K XFree86-100dpi-fonts-4.0.2-1.i386.rpm 
D: No signature
XFree86-100dpi-fonts-4.0.2-1.i386.rpm: No signature available

One generated and signed on the alpha:
 rpm -vv -K grip-2.95-2.alpha.rpm 
D: No signature
grip-2.95-2.alpha.rpm: No signature available

Checking same packages on an Intel box shows the packages are signed:
(or have at least an MD5 sum)

rpm -vv --checksig XFree86-100dpi-fonts-4.0.2-1.i386.rpm 
D: New Header signature
D: Signature size: 100
D: Signature pad : 4
D: sigsize         : 104
D: Header + Archive: 1274462
D: expected size   : 1274462
MD5 sum OK: 806b5b0422877eb03cdca81792562897

 rpm -vv -K grip-2.95-2.alpha.rpm 
D: New Header signature
D: Signature size: 366
D: Signature pad : 2
D: sigsize         : 368
D: Header + Archive: 240432
D: expected size   : 240432
MD5 sum OK: ef544b423a954d3dad8b4bfeb7a59952
gpg: Warning: using insecure memory!
gpg: Signature made Wed 17 Jan 2001 07:25:20 PM EST using ELG key ID E94D1363
gpg: Good signature from "Gregory McLean <gregm@gxsnmp.org>"
gpg:                 aka "Gregory McLean <gregm@comstar.net>"
gpg:                 aka "Gregory McLean <gregm@gnu.org>"
gpg:                 aka "Gregory McLean (Work Identity) <gmclean@globix.net>"

This prevents things like up2date from verifying packages and brings into
question the packages downloaded.

Comment 1 Jeff Johnson 2001-01-31 14:41:23 UTC
This is gcc miscompilink rpm. The gcc bug has been fixed in gcc-2.96-60
(although you
want to use gcc-2.96-70 or later because of another bug) IIRC, and there are
attempts to
avoid the problem in rpm-4.0.1 and later. You can get rpm-4.0.1 at the moment

Note You need to log in before you can comment on or make changes to this bug.