Bug 494049 - Several F11-beta packages fail signature checking
Several F11-beta packages fail signature checking
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
x86_64 Linux
low Severity high
: ---
: ---
Assigned To: Panu Matilainen
Fedora Extras Quality Assurance
Depends On:
Blocks: F11Blocker/F11FinalBlocker
  Show dependency treegraph
Reported: 2009-04-03 16:57 EDT by Göran Uddeborg
Modified: 2009-05-27 03:17 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 502791 (view as bug list)
Last Closed: 2009-04-16 05:53:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Göran Uddeborg 2009-04-03 16:57:48 EDT
Description of problem:
I tried to install system-config-users from Fedora 11 Beta on a Fedora 10 system.  Yum pulled in libuser-python and libuser too for dependencies.  But then it complained that libuser-python had a bad header signature.  And after the transaction I do have new system-config-users and libuser, but no libuser-python.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Additional info:
Trying to install it directly with rpm afterwards also fails.

mimmi$$ env LANG=en_US.utf8 rpm -Kv libuser-python-0.56.9-3.x86_64.rpm 
    Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
    Header SHA1 digest: OK (c139d5960dfef34555d6be6efde83d345a52eec6)
    V3 RSA/SHA256 signature: OK, key ID d22e77f2
    MD5 digest: OK (edb3cf5f337bbc7be0cafb04a52a827c)
mimmi$$ env LANG=en_US.utf8 sudo  rpm -i libuser-python-0.56.9-3.x86_64.rpm
[sudo] password for root: 
error: libuser-python-0.56.9-3.x86_64.rpm: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: libuser-python-0.56.9-3.x86_64.rpm cannot be installed

The RPM I use is the updated Fedora 10 versions:

mimmi$$ rpm -q rpm rpm-libs

I fetched the package from several different mirrors, but they all were the same.
Comment 1 Miloslav Trmač 2009-04-07 11:17:57 EDT
Thanks for your report.

Confirmed (with RPM-GPG-KEY-fedora-test-11-primary).  libuser-python header signature verification fails, full signature verification suceeds.  Verification of both libuser signatures suceeds.

sha256sums of packages:
dc8c98a400ca0bb685a8c13fb31ac960dd65a5c7e18f42c1a3f96792b30be3b5  libuser-python-0.56.9-3.x86_64.rpm
3d0561176e8e6eec03de6a0857def3e602788b1194db192e4f2e9c9641c64841  libuser-0.56.9-3.x86_64.rpm

I didn't try to debug the problem - I'll only note that all four signature packets seem to be correctly parsed by gpg.
Comment 2 Miloslav Trmač 2009-04-07 12:13:57 EDT
(Reproduced on rawhide rpm-4.7.0-0.beta1.9.fc11.x86_64.)
Comment 3 Panu Matilainen 2009-04-08 08:14:28 EDT
Yup.. and not not limited to libuser-python, there's a bunch of packages failing the signature check, some on header, others on header+payload signatures.
Comment 4 Panu Matilainen 2009-04-09 05:04:45 EDT
This goes back all the way to switching from beecrypt to NSS in F-9 (as a Fedora-specific patch at that time). Rpm 4.4.x with beecrypt the signatures verify as OK, after switching to NSS it starts failing. Looks like some funky corner case is being missed as the vast majority of the signatures with the same key are verifying ok.
Comment 5 Panu Matilainen 2009-04-09 14:58:28 EDT
This is certainly F11 blocker material...
Comment 6 Jeff Johnson 2009-04-09 15:30:58 EDT
Hint: openpgp trims leading zeroes in its MPI representation.
One has to pad out the leading zeroes again again again.
Been there, done that, multiple times.

Just a savvy guess.
Comment 7 Eddie Lania 2009-04-11 14:24:02 EDT
error: libexif-0.6.16-3.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: obex-data-server-1:0.4.3-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
Comment 8 Eddie Lania 2009-04-11 14:26:13 EDT
error: elfutils-libs-0.140-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: c2050-0.3b-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: gtkhtml2-2.11.1-5.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
Comment 9 Jeff Johnson 2009-04-11 15:15:23 EDT
You can confirm the OpenPGP MPI padding issue mentioned
in comment #6 if you attempt signature verification with
debugging enabled. All the relevant MPI parameters will be printed
when parsed from OpenPGP packets.

The last argument to pgpPrtPkts() needs to non-zero. Rebuild
rpm with hardwired 1 if necessary.

Otherwise there's hardly a reason to report Yet More Failures,
all F11 packages will have to be vetted at this point with, say,
   rpm -Kvv *.rpm
which is likely easier than creating bugzilla entries ;-)

Just trying to save your time & effort, feel free to report
failures if you wish.
Comment 10 Eddie Lania 2009-04-13 06:48:23 EDT
If the rawhide development wishes that people continue their testing and giving feedback to the developers, I think this should be fixed a.s.a.p.

So, If I am not supposed to be creating bugzilla entries for this, I think it will only last longer before this issue is solved. Hence my reports here.
Comment 11 Panu Matilainen 2009-04-13 08:56:02 EDT
In this case listing further failing packages doesn't add any useful information. This has already been marked F11 blocker and will be looked into when back to work from Easter holidays.
Comment 12 Panu Matilainen 2009-04-16 05:53:14 EDT
Fixed in rawhide by rpm 4.7.0 final and freeze override requested for F11:
Comment 13 Paul Howarth 2009-05-26 13:33:53 EDT
This issue also needs to be fixed in earlier rpm releases. For instance, running reposync of F-11 updates on an F-10 box (or CentOS 5 with Seth's python-hashlib installed) reports a header signature failure in eclipse-nls-da-3.4.0.v20090423085802-1.fc11.noarch.rpm (see https://fedorahosted.org/rel-eng/ticket/1881)
Comment 14 Panu Matilainen 2009-05-27 01:26:21 EDT
For F10 fix, see https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214
Comment 15 Paul Howarth 2009-05-27 02:47:52 EDT
Panu, is this already being addressed for EL-5, or should I clone the ticket for EL-5?

Thanks for the F-10 fix, WORKSFORME.
Comment 16 Panu Matilainen 2009-05-27 03:17:50 EDT
Feel free to clone for EL-5, it qualifies as a regression (caused by beecrypt -> NSS switch)

Note You need to log in before you can comment on or make changes to this bug.