Bug 36057 - With rpm 4.0.2, only root can '--checksig' some RH errata rpms successfully
Summary: With rpm 4.0.2, only root can '--checksig' some RH errata rpms successfully
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 6.2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2001-04-16 15:22 UTC by Petri Piira
Modified: 2007-04-18 16:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-04-16 15:48:31 UTC
Embargoed:



Description Petri Piira 2001-04-16 15:22:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-3 i686)


Several RH 6.2 errata rpm packages cannot be successfully signature checked
by an ordinary user, but root can do it. This behaviour started after
upgrading to rpm 4.0.2 from rpm 3.0.x. Several packages show this symptom,
including xpdf, openssl, glibc, bind, ghostscript, imap-devel, netscape,
openldap, pine, python, db3 and rpm.

See below for an example, with the latest pine package.

Could this same bug also affect installing third-party rpms?


Reproducible: Always
Steps to Reproduce:
1. Verify that you have rpm 4.0.2 installed
2. Run rpm --checksig --nogpg as root for one of the failing packages, e.g.
   for pine-4.33-6.6x.i386.rpm
3. run the same command as normal user for the same package


Actual Results:  rpm claims that the md5 signature is bad if it is run by a
normal user, even though the md5sum is identical and the signature is
recognized as good when rpm is run by root.

Expected Results:  It should be possible to verify signatures of RH errata
even if not logged in as root.

$ rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: MD5 NOT OK
$ md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
# rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: md5 OK
# md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm

Comment 1 Petri Piira 2001-04-16 15:48:27 UTC
This problem could be caused by the owner and group of the files inside the rpm
(cpio) archive. I checked one of the 'good' packages; it had uid/gid 0, but one
of the failing packages had a nonzero uid/gid for all files?

Comment 2 Jeff Johnson 2001-04-16 16:07:26 UTC
This works for me:
  bash$ rpm --checksig --nogpg pine-4.33-6.6x.i386.rpm  
  pine-4.33-6.6x.i386.rpm: md5 OK

First, the internal uid/gid is not the problem.

Second, the md5sum checked by rpm is not at all the
same as that generated by md5sum(1). The rpm md5sum
applies to the header+payload, and the failure of the
rpm md5sum indicates that the packages are corrupt.

You can verify that the package(s) are corrupt independently
of rpm by comparing the md5sum in the errata notice
with the md5sum you are generating using md5sum(1).
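
Comment 2 draws a distinction between md5sum(1) over the whole file and rpm's MD5 over header+payload. The following script is an added example, not part of this bug report or of rpm itself: it parses the lead and signature header of an rpm-shaped byte string, compares the stored RPMSIGTAG_MD5 entry (tag 1004 in the standard v3 package layout) with the MD5 of everything after the padded signature header, and reports the whole-file digest alongside; the sample package bytes are constructed inline.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first 4 bytes of the fixed 96-byte lead
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # signature header and main header both start with this
RPMSIGTAG_MD5 = 1004                # BIN entry: MD5 of header+payload (what --checksig compares)
RPM_BIN_TYPE = 7

def _parse_header(data, off):
    """Parse one rpm header structure at off; return ({tag: (type, raw)}, end_offset)."""
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    store = off + 16 + 16 * nindex    # data store follows the 16-byte index entries
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", data[off + 16 + 16 * i:off + 32 + 16 * i])
        if typ == RPM_BIN_TYPE:       # for BIN, count is a byte length; other types not needed here
            entries[tag] = (typ, data[store + doff:store + doff + count])
    return entries, store + hsize

def check_rpm_md5(data):
    """Return stored signature MD5, MD5 of header+payload, and md5sum(1)-style MD5 of the file."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm file (bad lead magic)")
    sig, end = _parse_header(data, LEAD_SIZE)
    end += (8 - end % 8) % 8          # signature header is padded to an 8-byte boundary
    if RPMSIGTAG_MD5 not in sig:
        raise ValueError("signature header carries no MD5 entry")
    stored = sig[RPMSIGTAG_MD5][1].hex()
    computed = hashlib.md5(data[end:]).hexdigest()   # header+payload only
    whole = hashlib.md5(data).hexdigest()            # what md5sum(1) prints
    return {"stored": stored, "header_payload": computed, "whole_file": whole,
            "ok": stored == computed}

def build_sample_rpm(payload, corrupt=False):
    """Constructed test data: a minimal rpm-shaped byte string, not a real package."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    main_header = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, 0)   # empty main header
    body = main_header + payload
    index = struct.pack(">IIII", RPMSIGTAG_MD5, RPM_BIN_TYPE, 0, 16)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, 16) + index + hashlib.md5(body).digest()
    sig += bytes((8 - len(sig) % 8) % 8)
    if corrupt:                       # flip one payload byte after the digest was taken
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return lead + sig + body
```

Reading a real .rpm into bytes and passing it to check_rpm_md5 shows the same thing: "whole_file" is the value an errata notice's md5sum line refers to, while "ok" is the comparison rpm --checksig performs.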



Comment 3 Petri Piira 2001-04-17 19:01:37 UTC

So, why is the package "not corrupt" when checked by the root user, but the same
physical file is "corrupt" when checked by an ordinary user?

If the exact same file is reported to be corrupt and not corrupt by the same rpm
application, I'd say there is a bug in rpm. The file either is corrupt or is not;
it can't oscillate between those states depending on who runs rpm --checksig.

