Red Hat Bugzilla – Bug 494049
Several F11-beta packages fail signature checking
Last modified: 2009-05-27 03:17:50 EDT
Description of problem:
I tried to install system-config-users from Fedora 11 Beta on a Fedora 10 system. Yum pulled in libuser-python and libuser too for dependencies. But then it complained that libuser-python had a bad header signature. And after the transaction I do have new system-config-users and libuser, but no libuser-python.
Version-Release number of selected component (if applicable):
Trying to install it directly with rpm afterwards also fails.
mimmi$$ env LANG=en_US.utf8 rpm -Kv libuser-python-0.56.9-3.x86_64.rpm
Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
Header SHA1 digest: OK (c139d5960dfef34555d6be6efde83d345a52eec6)
V3 RSA/SHA256 signature: OK, key ID d22e77f2
MD5 digest: OK (edb3cf5f337bbc7be0cafb04a52a827c)
mimmi$$ env LANG=en_US.utf8 sudo rpm -i libuser-python-0.56.9-3.x86_64.rpm
[sudo] password for root:
error: libuser-python-0.56.9-3.x86_64.rpm: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: libuser-python-0.56.9-3.x86_64.rpm cannot be installed
The RPM I use is the updated Fedora 10 versions:
mimmi$$ rpm -q rpm rpm-libs
I fetched the package from several different mirrors, but they all were the same.
Thanks for your report.
Confirmed (with RPM-GPG-KEY-fedora-test-11-primary). libuser-python header signature verification fails, full signature verification suceeds. Verification of both libuser signatures suceeds.
sha256sums of packages:
I didn't try to debug the problem - I'll only note that all four signature packets seem to be correctly parsed by gpg.
(Reproduced on rawhide rpm-4.7.0-0.beta1.9.fc11.x86_64.)
Yup.. and not not limited to libuser-python, there's a bunch of packages failing the signature check, some on header, others on header+payload signatures.
This goes back all the way to switching from beecrypt to NSS in F-9 (as a Fedora-specific patch at that time). Rpm 4.4.x with beecrypt the signatures verify as OK, after switching to NSS it starts failing. Looks like some funky corner case is being missed as the vast majority of the signatures with the same key are verifying ok.
This is certainly F11 blocker material...
Hint: openpgp trims leading zeroes in its MPI representation.
One has to pad out the leading zeroes again again again.
Been there, done that, multiple times.
Just a savvy guess.
error: libexif-0.6.16-3.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: obex-data-server-1:0.4.3-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: elfutils-libs-0.140-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: c2050-0.3b-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: gtkhtml2-2.11.1-5.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
You can confirm the OpenPGP MPI padding issue mentioned
in comment #6 if you attempt signature verification with
debugging enabled. All the relevant MPI parameters will be printed
when parsed from OpenPGP packets.
The last argument to pgpPrtPkts() needs to non-zero. Rebuild
rpm with hardwired 1 if necessary.
Otherwise there's hardly a reason to report Yet More Failures,
all F11 packages will have to be vetted at this point with, say,
rpm -Kvv *.rpm
which is likely easier than creating bugzilla entries ;-)
Just trying to save your time & effort, feel free to report
failures if you wish.
If the rawhide development wishes that people continue their testing and giving feedback to the developers, I think this should be fixed a.s.a.p.
So, If I am not supposed to be creating bugzilla entries for this, I think it will only last longer before this issue is solved. Hence my reports here.
In this case listing further failing packages doesn't add any useful information. This has already been marked F11 blocker and will be looked into when back to work from Easter holidays.
Fixed in rawhide by rpm 4.7.0 final and freeze override requested for F11:
This issue also needs to be fixed in earlier rpm releases. For instance, running reposync of F-11 updates on an F-10 box (or CentOS 5 with Seth's python-hashlib installed) reports a header signature failure in eclipse-nls-da-3.4.0.v20090423085802-1.fc11.noarch.rpm (see https://fedorahosted.org/rel-eng/ticket/1881)
For F10 fix, see https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214
Panu, is this already being addressed for EL-5, or should I clone the ticket for EL-5?
Thanks for the F-10 fix, WORKSFORME.
Feel free to clone for EL-5, it qualifies as a regression (caused by beecrypt -> NSS switch)