From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-3 i686)

Several RH 6.2 errata rpm packages can not be successfully signature checked by an ordinary user, but root can do it. This behaviour started after upgrading to rpm 4.0.2 from rpm 3.0.x. Several packages show this symptom, including xpdf, openssl, glibc, bind, ghostscript, imap-devel, netscape, openldap, pine, python, db3 and rpm. See below for an example, with the latest pine package. Could this same bug also affect installing third party rpms?

Reproducible: Always

Steps to Reproduce:
1. Verify that you have rpm 4.0.2 installed
2. Run rpm --checksig --nogpg as root, for one of the failing packages, e.g. for pine-4.33-6.6x.i386.rpm
3. Run the same command as a normal user for the same package

Actual Results: rpm claims that the md5 signature is bad if it was run by a normal user, even though the md5sum is identical and the signature is recognized to be good when rpm is run by root.

Expected Results: It should be possible to verify signatures of RH errata even if not logged in as root.

$ rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm
/tmp/pine-4.33-6.6x.i386.rpm: MD5 NOT OK
$ md5sum /tmp/pine-4.33-6.6x.i386.rpm
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
# rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm
/tmp/pine-4.33-6.6x.i386.rpm: md5 OK
# md5sum /tmp/pine-4.33-6.6x.i386.rpm
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
This problem could be caused by the owner and group of the files inside the rpm (cpio) archive - I checked one of the 'good' packages, it had uid / gid 0, but one of the failing packages had a nonzero uid/gid for all files?
This works for me:

bash$ rpm --checksig --nogpg pine-4.33-6.6x.i386.rpm
pine-4.33-6.6x.i386.rpm: md5 OK

First, the internal uid/gid is not the problem. Second, the md5sum checked by rpm is not at all the same as that generated by md5sum(1). The rpm md5sum applies to the header+payload, and the failure of the rpm md5sum indicates that the packages are corrupt. You can verify that the package(s) are corrupt independently of rpm by comparing the md5sum in the errata notice with the md5sum you are generating using md5sum(1).
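The comment above turns on a distinction worth seeing in code: md5sum(1) hashes every byte of the file, while the MD5 in an rpm's signature header covers only what follows that header (main header + payload). The following is an added example, written for this page and not taken from the bug report or from rpm's own sources. It builds a constructed, minimal package-like file (lead, 8-byte-padded signature header, main header, arbitrary bytes standing in for the payload, not a real cpio archive), then performs the same MD5 comparison rpm --checksig --nogpg does. The on-disk layout constants (lead magic, header magic, RPMSIGTAG_MD5 = 1004, BIN type 7, INT32 type 4) follow the rpm package format; the function and variable names are this example's own.

```python
"""Re-implementation of rpm's MD5 signature check (example code, not rpm's),
to show why its result differs from md5sum(1) of the whole file."""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"   # header magic + version + reserved
RPMSIGTAG_SIZE = 1000        # INT32: size of header + payload
RPMSIGTAG_MD5 = 1004         # BIN(16): MD5 over header + payload
RPM_INT32_TYPE = 4
RPM_STRING_TYPE = 6
RPM_BIN_TYPE = 7
LEAD_SIZE = 96


def build_header(entries):
    """Serialize (tag, type, data_bytes, count) tuples into an rpm header
    structure: magic, index count, data size, index records, data region."""
    index = b""
    data = b""
    for tag, typ, blob, count in entries:
        # INT32 values must start on a 4-byte boundary inside the data region
        if typ == RPM_INT32_TYPE and len(data) % 4:
            data += b"\x00" * (4 - len(data) % 4)
        index += struct.pack(">iiII", tag, typ, len(data), count)
        data += blob
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data


def parse_header(buf, offset):
    """Parse a header structure at buf[offset:]; return ({tag: value}, end)."""
    if buf[offset:offset + 8] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", buf[offset + 8:offset + 16])
    index_start = offset + 16
    data_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        rec = buf[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, off, count = struct.unpack(">iiII", rec)
        start = data_start + off
        if typ == RPM_INT32_TYPE:
            entries[tag] = struct.unpack(">i", buf[start:start + 4])[0]
        elif typ == RPM_STRING_TYPE:
            entries[tag] = buf[start:buf.index(b"\x00", start)]
        else:                                  # BIN and anything else: raw bytes
            entries[tag] = buf[start:start + count]
    return entries, data_start + hsize


def build_sample_rpm(payload, name=b"demo"):
    """Constructed stand-in for a package file (assumption: payload is plain
    bytes, not a gzip'ed cpio archive as in a real package)."""
    main_header = build_header([(1000, RPM_STRING_TYPE, name + b"\x00", 1)])
    body = main_header + payload               # exactly what the rpm MD5 covers
    sig_header = build_header([
        (RPMSIGTAG_MD5, RPM_BIN_TYPE, hashlib.md5(body).digest(), 16),
        (RPMSIGTAG_SIZE, RPM_INT32_TYPE, struct.pack(">i", len(body)), 1),
    ])
    sig_header += b"\x00" * (-len(sig_header) % 8)   # signature header is 8-byte padded
    lead = struct.pack(">4sBBHH66sHH16s", RPM_LEAD_MAGIC, 3, 0, 0, 1,
                       name, 1, 5, b"\x00" * 16)
    return lead + sig_header + body


def rpm_md5_check(data):
    """Equivalent of the MD5 part of `rpm --checksig --nogpg`: read the digest
    stored in the signature header, hash everything after that header, compare."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an rpm lead")
    sig, end = parse_header(data, LEAD_SIZE)
    end += (-(end - LEAD_SIZE)) % 8            # skip the 8-byte alignment padding
    computed = hashlib.md5(data[end:]).hexdigest()
    stored = sig[RPMSIGTAG_MD5].hex()
    return {"stored": stored, "computed": computed, "ok": stored == computed}


def whole_file_md5(data):
    """What md5sum(1) reports: a digest over every byte of the file."""
    return hashlib.md5(data).hexdigest()


def flip_byte(data, index):
    """Copy of data with one byte changed, to simulate a corrupted download."""
    b = bytearray(data)
    b[index] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    pkg = build_sample_rpm(b"constructed payload, not a real cpio archive\n" * 4)
    print("md5sum(1) of the file :", whole_file_md5(pkg))
    print("rpm-style MD5 check   :", rpm_md5_check(pkg))
    print("after payload damage  :", rpm_md5_check(flip_byte(pkg, len(pkg) - 1))["ok"])
```

Two things fall out of running it: the rpm-style digest never equals the md5sum(1) digest of the same file, so the two values cannot be compared directly, and a byte changed inside the lead alters md5sum(1) but leaves rpm's check passing, because the lead is outside the hashed region. The practical check the comment recommends still holds: compare md5sum(1) of the downloaded file against the value published in the errata notice, which was produced the same way.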
So, why is the package "not corrupt" when checked by the root user, but the same physical file is "corrupt" when checked by an ordinary user? If the exact same file is reported to be corrupt and not corrupt by the same rpm application, I'd say there is a bug in rpm: the file either is corrupt or is not; it can't oscillate between those states depending on who runs rpm --checksig.