Bug 36057 - With rpm 4.0.2, only root can '--checksig' some RH errata rpms succesfully
With rpm 4.0.2, only root can '--checksig' some RH errata rpms succesfully
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
David Lawrence
Depends On:
  Show dependency treegraph
Reported: 2001-04-16 11:22 EDT by Petri Piira
Modified: 2007-04-18 12:32 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-16 11:48:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Petri Piira 2001-04-16 11:22:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-3 i686)

Several RH 6.2 errata rpm packages can not be succesfully signature checked
by an ordinary user, but root can do it. This behaviour started after
upgrading to rpm 4.0.2 from rpm 3.0.x. Several packeges show this symptom,
including xpdf, openssl, glibc, bind, ghostscript, imap-devel, netscape,
openldap, pine, python, db3 and rpm

See below for an example, with the latest pine package.

This same bug could affect also installing third party rpms?

Reproducible: Always
Steps to Reproduce:
1. Verify that you have rpm 4.0.2 installed
2.run rpm --checksig --nogpg as root, for one of the failing packages, e.g.
  for the pine-4.33-6.6x.i386.rpm
3. run the same command as normal user for the same package


Actual Results:  rpm claims that the md5 signature is bad, if it was run by
normal user. Even if
the md5sum is identical, and the signature is recognized to be good when
rpm is run by root

Expected Results:  It should be possible to verify signatures of RH errata
even if not logged in as root

$ rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: MD5 NOT OK
$ md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
# rpm --checksig --nogpg /tmp/pine-4.33-6.6x.i386.rpm 
/tmp/pine-4.33-6.6x.i386.rpm: md5 OK
# md5sum /tmp/pine-4.33-6.6x.i386.rpm 
56c85a7f1044e43030f5ee8bd0108515  /tmp/pine-4.33-6.6x.i386.rpm
Comment 1 Petri Piira 2001-04-16 11:48:27 EDT
This problem could be caused by the owner and group of the files inside the rpm
(cpio) archive -
I checked one of the 'good' packages, it had uid / gid 0, but one of the failing
packages had a nonzero uid/gid for all files?
Comment 2 Jeff Johnson 2001-04-16 12:07:26 EDT
This works for me:
  bash$ rpm --checksig --nogpg pine-4.33-6.6x.i386.rpm  
  pine-4.33-6.6x.i386.rpm: md5 OK

First the internal uid/gid is not the problem.

Second, the md5sum checked by rpm is not at all the
same as that generated by md5sum(1). The rpm md5sum
applies to the header+payload, and the failure of the
rpm md5sum indicates that the packages are corrupt.

You can verify that the package(s) are corrupt independently
of rpm by comparing the md5sum in the errata notice
with the md5sum you are generating using md5sum(1).

Comment 3 Petri Piira 2001-04-17 15:01:37 EDT

So, why the package is "not corrupt", when checked by root user, but the same
file is "corrupt" when checked by an ordinary user?

If the exact same file is reported to be corrupt and not corrupt by the same rpm
I'd say there us a bug in rpm - the file either is corrupt, or is not, it can't
between those states depending on who runs the rpm --checksig.

Note You need to log in before you can comment on or make changes to this bug.