Bug 490613 - No support for SHA-256: cpio: MD5 sum mismatch
Summary: No support for SHA-256: cpio: MD5 sum mismatch
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rpm
Version: 5.4
Hardware: All
OS: Linux
low
high
Target Milestone: rc
: ---
Assignee: Packaging Maintenance Team
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-17 10:19 UTC by Graham Leggett
Modified: 2013-03-07 11:15 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-07 11:15:50 UTC


Attachments (Terms of Use)

Description Graham Leggett 2009-03-17 10:19:35 UTC
When an attempt is made to build an RPM sourced from Fedora 11, the SRPM is reported as corrupt:

[minfrin@chandler ~]$ rpmbuild --rebuild jabberd-2.2.7.1-1.fc11.src.rpm 
Installing jabberd-2.2.7.1-1.fc11.src.rpm
warning: InstallSourcePackage: Header V3 RSA/SHA256 signature: NOKEY, key ID
d22e77f2
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
error: unpacking of archive failed on file
/home/chandler/minfrin/rpm/SOURCES/jabberd;49bedd3d: cpio: MD5 sum mismatch
error: jabberd-2.2.7.1-1.fc11.src.rpm cannot be installed  

The cause as I understand it is this:

https://fedoraproject.org/wiki/Features/StrongerHashes

I would have expected to see stronger hashes backported to RHEL5 *before* Fedora had made the first releases of Fedora 11, so as to prevent RHEL5 users going on a wild goose chase thinking mirrors are corrupt.

Comment 1 Panu Matilainen 2009-03-18 14:38:27 UTC
There's no guarantee whatsoever that a given RHEL version can be used to build or install Fedora packages.

The only bug here is that rpmlib() dependencies are not checked for source rpms.

Comment 2 Aleksey Nogin 2009-04-03 03:59:24 UTC
Not being able to build "as is" is one thing. Not being able to even install the .src.rpm in order to use it as a starting point in getting some extra software into an RHEL box is IMHO a much bigger issue.

Comment 3 Kirby Zhou 2009-04-22 16:20:45 UTC
I have encountered the same problem which Aleksey Nogin suffer from.
I donot think it is a acceptable issue.

Comment 4 Aleksey Nogin 2009-04-22 16:37:09 UTC
A workaround is to use rpm2cpio and then extract the cpio archive manually. Still, quite annoying...

Comment 5 Kirby Zhou 2009-04-23 02:46:10 UTC
To Aleksey, "rpm -ivh --nomd5" should works for you. But it's still to ugly.

Comment 6 Jim Radford 2009-05-10 02:33:30 UTC
You can build backwards compatible (i.e. md5) source rpms on fedora 11 that will work on rhel/centos using the following options to rpmbuild.

  rpmbuild -bs \
   --define "_source_filedigest_algorithm md5" \
   --define "_binary_filedigest_algorithm md5" \
   package.spec

This will for example allow the resulting source rpm to be rebuilt for rhel/centos using mock.

Comment 8 Aleksey Nogin 2009-11-04 20:31:53 UTC
Still there in 5.4 :-(

Comment 9 Matthew Miller 2010-02-05 18:44:03 UTC
I'd really like to see this; we often use Fedora source RPMs as a starting point for work on EL 5 systems.

Comment 10 Gerrit Slomma 2010-05-18 21:15:46 UTC
and still there in RHEL5.5
trying to look into ovirt...

Comment 11 lindahl 2010-06-28 18:54:59 UTC
Every time I go to rebuild a fedora rpm in rhel, I curse this bug.

Comment 12 Leon Keijser 2010-06-28 20:07:21 UTC
(In reply to comment #11)
> Every time I go to rebuild a fedora rpm in rhel, I curse this bug.    

I use Jim Radford's suggestion in a simple script. Works nice enough.

#!/bin/bash
if [ -z $1 ]; then
	echo Usage $0 package.spec
else
	rpmbuild -bs \
	--define "_source_filedigest_algorithm md5" \
	--define "_binary_filedigest_algorithm md5" \
	$1
fi

Comment 13 Edouard Bourguignon 2010-09-30 13:03:17 UTC
I use rpmbuild-md5 which works great

Comment 14 Sergio Monteiro Basto 2011-03-25 03:07:55 UTC
Hi,
I need work some package on a rhel 5.x ,from bug #499385, "Fedora 11 is switching to sha256 checksums instead of md5"
my question is, if I update rpm package from a newer fedora into rhel , still can use package from rhel ? rpm is backward compatible ?

btw and yum   ? 
 yum --enablerepo=fedora14 list
fedora14/primary_db                                                                                                 |  14 MB     00:04     
http://ftp.up.pt/fedora/releases/14/Everything/x86_64/os/repodata/190919419ab3582cb090d8006b7fdd02a17616d6df76d426b5d26d9a3ceff158-primary.sqlite.bz2: [Errno -3] Error performing checksum

update rpm solve this performing checksum ?

Comment 15 Yury V. Zaytsev 2011-07-16 19:59:33 UTC
FYI: The SRPMs that contain rpm with back-ported strong hashes + xz payload support are available from the Fedora Infrastructure repositories:

http://infrastructure.fedoraproject.org/builder-rpms/SRPMS/

I've been using those for a very long time on my builders and they work nicely. It would be great if they were officially accepted into RHEL5.

Most of the work has been done already, and these RPMs are in production on Fedora builders, so hopefully there will be some progress soon.

Thanks!

Comment 16 Sergio Monteiro Basto 2011-07-18 01:45:11 UTC
(In reply to comment #15)
> FYI: The SRPMs that contain rpm with back-ported strong hashes + xz payload
> support are available from the Fedora Infrastructure repositories:

with command "rpm -qp rpm-4.6.0-4.0.notting.1.el5.src.rpm --changelog | head"
I saw that 4.6.0-4.0.notting.1 is an update of 4.6.0-4.0.mitr.1, which is not clear to me.

Thanks , I also agree that would be great if they were officially accepted into RHEL5.

Comment 17 Juha Tuomala 2011-07-18 15:17:35 UTC
(In reply to comment #15)
> It would be great if they were officially accepted into RHEL5.

Agreed.

Comment 18 Yury V. Zaytsev 2011-09-21 16:09:02 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > FYI: The SRPMs that contain rpm with back-ported strong hashes + xz payload
> > support are available from the Fedora Infrastructure repositories:
> 
> with command "rpm -qp rpm-4.6.0-4.0.notting.1.el5.src.rpm --changelog | head"
> I saw that 4.6.0-4.0.notting.1 is an update of 4.6.0-4.0.mitr.1, which is not
> clear to me.

What exactly is not clear to you? If I remember correctly, the mitr.1 version was the version that had the backported support for SHA hashes, before XZ payloads were introduced (that appeared in notting.1).

Comment 19 Sergio Monteiro Basto 2011-09-21 20:38:35 UTC
(In reply to comment #18)
what wasn't clear, which package is the newer ? I clear it up.
My English was not the best, where I wrote "which is not
clear to me" should wrote in past "which was not clear".

Thanks,

Comment 20 Yury V. Zaytsev 2011-09-21 21:21:51 UTC
(In reply to comment #19)
>
> what wasn't clear, which package is the newer ? I clear it up.

'n' comes after 'm', so 'notting' is newer than 'mitr' ;-)

Comment 21 Per Sjoholm 2012-01-07 12:19:02 UTC
A Fix for building
Update mock to newer version  for --buildsrpm --spec --sources
wget http://kojipkgs.fedoraproject.org/packages/mock/1.0.25/1.el5/src/mock-1.0.25-1.el5.src.rpm

mock mock-1.0.25-1.el5.src.rpm

Install mock

Install x.src.rpm with rpm2cpio or rpm -ivh --nomd5 x.src.rpm

mock  mock -r epel-5-x86_64 --buildsrpm --spec xxx/xxx.spec --sources xxx/

Or use mock with git

Comment 22 Panu Matilainen 2013-03-07 11:15:50 UTC
This request was evaluated by Red Hat Engineering for inclusion in a Red Hat Enterprise Linux maintenance release.

Red Hat does not currently plan to provide this change in a Red Hat Enterprise Linux update release for currently deployed products.

With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating enhancements for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.


Note You need to log in before you can comment on or make changes to this bug.