Red Hat Bugzilla – Bug 36057
With rpm 4.0.2, only root can '--checksig' some RH errata rpms successfully
Last modified: 2007-04-18 12:32:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-3 i686)
Several RH 6.2 errata rpm packages cannot be successfully signature checked
by an ordinary user, but root can do it. This behaviour started after
upgrading to rpm 4.0.2 from rpm 3.0.x. Several packages show this symptom,
including xpdf, openssl, glibc, bind, ghostscript, imap-devel, netscape,
openldap, pine, python, db3 and rpm.
See below for an example, with the latest pine package.
Could this same bug also affect installing third-party rpms?
Steps to Reproduce:
1. Verify that you have rpm 4.0.2 installed
2. run rpm --checksig --nogpg as root, for one of the failing packages, e.g.
for the pine-4.33-6.6x.i386.rpm
3. run the same command as normal user for the same package
Actual Results: rpm claims that the md5 signature is bad if it was run by a
normal user, even though the md5sum is identical and the signature is
recognized to be good when rpm is run by root.
Expected Results: It should be possible to verify signatures of RH errata
even if not logged in as root.
$ rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm
/tmp/pine-4.33-6.6x.i386.rpm: MD5 NOT OK
$ md5sum /tmp/pine-4.33-6.6x.i386.rpm
# rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm
/tmp/pine-4.33-6.6x.i386.rpm: md5 OK
# md5sum /tmp/pine-4.33-6.6x.i386.rpm
This problem could be caused by the owner and group of the files inside the rpm
(cpio) archive: I checked one of the 'good' packages, and it had uid/gid 0, but
one of the failing packages had a nonzero uid/gid for all files?
This works for me:
bash$ rpm --checksig --nogpg pine-4.33-6.6x.i386.rpm
pine-4.33-6.6x.i386.rpm: md5 OK
First, the internal uid/gid is not the problem.
Second, the md5sum checked by rpm is not at all the
same as that generated by md5sum(1). The rpm md5sum
applies to the header+payload, and the failure of the
rpm md5sum indicates that the packages are corrupt.
You can verify that the package(s) are corrupt independently
of rpm by comparing the md5sum in the errata notice
with the md5sum you are generating using md5sum(1).
So why is the package "not corrupt" when checked by the root user, but the same
file is "corrupt" when checked by an ordinary user?
If the exact same file is reported to be corrupt and not corrupt by the same rpm,
I'd say there is a bug in rpm; the file either is corrupt or is not, it can't
alternate between those states depending on who runs the rpm --checksig.