Bug 488953 - rpm --resign doesn't replace existing RSA signatures
Summary: rpm --resign doesn't replace existing RSA signatures
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Panu Matilainen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-06 13:32 UTC by Mark J. Cox
Modified: 2018-11-27 20:52 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-19 13:43:00 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Mark J. Cox 2009-03-06 13:32:54 UTC
If you resign a rpm that already has existing signatures, the payload signatures don't get replaced (even if resigning using the same key twice).

This is with rpm-4.6.0 from rawhide (but running on something other than rawhide), and using v3 RSA 2048 signing key.  Found during testing of SHA256, but same thing happens with SHA1.  

rpm --resign --define "_gpg_name 488ad38c\!" 1.rpm
rpm --resign --define "_gpg_name 488ad38c\!" 1.rpm
rpm --resign --define "_gpg_name 1325a647\!" 1.rpm

# rpm --checksig -v 1.rpm
1.rpm:
    Header V3 RSA/SHA256 signature: OK, key ID 1325a647
    Header SHA1 digest: OK (ff08bb28dee470c7ea63f6d7b0a1f35140630487)
    V3 RSA/SHA256 signature: OK, key ID 488ad38c
    V3 RSA/SHA256 signature: OK, key ID 488ad38c
    V3 RSA/SHA256 signature: OK, key ID 1325a647
    MD5 digest: OK (7ef6bb92ceacf2a3836bf9650bd9012e)

Similar to other bugs like 455169, 436812, but filing separately as we often
have to resign packages that already contain a signature, so this fix is a requirement if we move to a RSA signing key.

Comment 1 Mark J. Cox 2009-03-06 14:20:50 UTC
Ugh.  It's a left-over from the pgp==rsa, gpg==dsa days, fun.

Looks like lib/rpmchecksig.c will only remove the signatures based on what you're currently signing with.  So if you've got _signature=gpg then it'll only nuke the DSA sigs, _signature=pgp it'll only nuke the RSA ones.

This really needs something other than this hack, but this hack works for me for now :)

 --- lib/rpmchecksig.c~  2008-12-05 11:49:22.000000000 +0000
+++ lib/rpmchecksig.c   2009-02-24 23:11:10.000000000 +0000
@@ -278,6 +278,8 @@
                break;
            case RPMSIGTAG_GPG:
                xx = headerDel(sigh, RPMSIGTAG_DSA);
+               xx = headerDel(sigh, RPMSIGTAG_PGP);
+               xx = headerDel(sigh, RPMSIGTAG_RSA);
            case RPMSIGTAG_PGP5:
            case RPMSIGTAG_PGP:
                xx = headerDel(sigh, RPMSIGTAG_RSA);

Comment 2 Bug Zapper 2009-06-09 11:57:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Ben Webb 2009-06-10 23:36:31 UTC
I think I am running into the same problem (or something very similar - if not, please let me know and I can open a new bug report). This is with latest Fedora 11, release. When I --resign an already signed package, the old signature is not removed. Worse, rpm -K now reports that old signature as bad. I noticed this when trying to resign a Fusion RPM package with my own key, but I can certainly try to reproduce this with a different setup if you cannot reproduce.

$ rpm -vv -K kmod-nvidia-180.51-1.fc11.8.x86_64.rpm
...
kmod-nvidia-180.51-1.fc11.8.x86_64.rpm:
    Header V3 RSA/SHA256 signature: OK, key ID 8dc43844
    Header SHA1 digest: OK (2422bfdfc67c0f178f912a4f2094be6209eacedc)
    V3 RSA/SHA256 signature: OK, key ID 8dc43844
    MD5 digest: OK (b927403aab6ac687b487dd4de67c55e0)

$ rpm --resign kmod-nvidia-180.51-1.fc11.8.x86_64.rpm 

$ rpm -vv -K kmod-nvidia-180.51-1.fc11.8.x86_64.rpm
...
kmod-nvidia-180.51-1.fc11.8.x86_64.rpm:
    Header V4 DSA signature: OK, key ID 745e6093
    Header SHA1 digest: OK (2422bfdfc67c0f178f912a4f2094be6209eacedc)
    V3 RSA/SHA256 signature: BAD, key ID 8dc43844
    MD5 digest: OK (b927403aab6ac687b487dd4de67c55e0)
    V4 DSA signature: OK, key ID 745e6093

It looks to me like the Fusion RPM signature (from key 8dc43844) is not being completely replaced by the --resign with my key (745e6093).

Comment 4 Ben Webb 2009-07-15 16:46:00 UTC
FWIW, I rebuilt the rpm SRPM (rpm-4.7.0-2.fc11) including the patch given in comment 1, and the resulting rpm binary will now successfully resign RPMs - the original signature is correctly removed. So this fix works for me.

Comment 5 Bug Zapper 2010-04-27 13:07:18 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Chris 2010-05-13 18:30:12 UTC
I believe this bug is still occurring on F12 with rpm-4.7.2-1. For example, I had an rpm which was incorrectly signed so I wanted to resign it with "rpm --resign". Now I have lots of signatures:

[chris@buildfc12 rpms]$ rpm -Kvv alarmplugin-1.2.3-0.fc12.i686.rpm 
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb                                                                  
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0                               
D: locked   db index       /var/lib/rpm/Packages                                               
D: opening  db index       /var/lib/rpm/Name rdonly mode=0x0                                   
D:  read h#     931 Header sanity check: OK                                                    
D: added key gpg-pubkey-57bbccba-4a6f97af to keyring                                           
D:  read h#    1333 Header sanity check: OK                                                    
D: added key gpg-pubkey-16ca1a56-4a100959 to keyring                                           
D:  read h#    1355 Header sanity check: OK                                                    
D: added key gpg-pubkey-031dca91-4b5588c8 to keyring                                           
D:  read h#    1361 Header sanity check: OK                                                    
D: added key gpg-pubkey-a3a882c1-4a1009ef to keyring                                           
D:  read h#    1411 Header sanity check: OK                                                    
D: added key gpg-pubkey-031dca91-4b5588c8 to keyring                                           
D: Using legacy gpg-pubkey(s) from rpmdb                                                       
D: Expected size:        55548 = lead(96)+sigs(1692)+pad(4)+data(53756)
D:   Actual size:        55548
alarmplugin-1.2.3-0.fc12.i686.rpm:
    Header V4 RSA/SHA1 signature: NOKEY, key ID 60a5c722
    Header SHA1 digest: OK (611dfc832143b649a3bcc48d965c267431e2e43a)
    V4 RSA/SHA1 signature: OK, key ID 031dca91
    V4 RSA/SHA1 signature: NOKEY, key ID 60a5c722
    V4 RSA/SHA1 signature: NOKEY, key ID 60a5c722
    V4 RSA/SHA1 signature: NOKEY, key ID 60a5c722
    MD5 digest: OK (0bd198903a6a5d8d51b630894fe25ff1)
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages

Comment 7 Chris 2010-05-13 21:02:59 UTC
From looking at the source I've found out that you can use --delsign to remove all signatures and then just resign. This is not in the man page!

Comment 8 Panu Matilainen 2010-09-29 06:56:33 UTC
FWIW, this has finally been fixed upstream now (by properly comparing the signatures instead of looking at silly macro values that have little to do with reality)

Comment 9 Panu Matilainen 2011-01-19 13:43:00 UTC
Fixed in rawhide as of rpm-4.9.0-0.beta1.1.fc15.


Note You need to log in before you can comment on or make changes to this bug.