Bug 502791 - Signature checking regression caused by beecrypt -> NSS switch
Summary: Signature checking regression caused by beecrypt -> NSS switch
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rpm
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
: ---
Assignee: Panu Matilainen
QA Contact: Petr Sklenar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-27 08:36 UTC by Paul Howarth
Modified: 2010-02-23 12:24 UTC (History)
11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 494049
Environment:
Last Closed: 2009-09-02 11:41:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1371 0 normal SHIPPED_LIVE rpm bug fix update 2009-09-01 11:05:57 UTC

Description Paul Howarth 2009-05-27 08:36:25 UTC
+++ This bug was initially created as a clone of Bug #494049 +++

Description of problem:
I tried to install system-config-users from Fedora 11 Beta on a Fedora 10 system.  Yum pulled in libuser-python and libuser too for dependencies.  But then it complained that libuser-python had a bad header signature.  And after the transaction I do have new system-config-users and libuser, but no libuser-python.

Version-Release number of selected component (if applicable):
libuser-python-0.56.9-3.x86_64

How reproducible:
Every time

Additional info:
Trying to install it directly with rpm afterwards also fails.

mimmi$$ env LANG=en_US.utf8 rpm -Kv libuser-python-0.56.9-3.x86_64.rpm 
libuser-python-0.56.9-3.x86_64.rpm:
    Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
    Header SHA1 digest: OK (c139d5960dfef34555d6be6efde83d345a52eec6)
    V3 RSA/SHA256 signature: OK, key ID d22e77f2
    MD5 digest: OK (edb3cf5f337bbc7be0cafb04a52a827c)
mimmi$$ env LANG=en_US.utf8 sudo  rpm -i libuser-python-0.56.9-3.x86_64.rpm
[sudo] password for root: 
error: libuser-python-0.56.9-3.x86_64.rpm: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: libuser-python-0.56.9-3.x86_64.rpm cannot be installed

The RPM I use is the updated Fedora 10 versions:

mimmi$$ rpm -q rpm rpm-libs
rpm-4.6.0-1.fc10.x86_64
rpm-libs-4.6.0-1.fc10.x86_64

I fetched the package from several different mirrors, but they all were the same.

--- Additional comment from mitr on 2009-04-07 11:17:57 EDT ---

Thanks for your report.

Confirmed (with RPM-GPG-KEY-fedora-test-11-primary).  libuser-python header signature verification fails, full signature verification succeeds.  Verification of both libuser signatures succeeds.

sha256sums of packages:
dc8c98a400ca0bb685a8c13fb31ac960dd65a5c7e18f42c1a3f96792b30be3b5  libuser-python-0.56.9-3.x86_64.rpm
3d0561176e8e6eec03de6a0857def3e602788b1194db192e4f2e9c9641c64841  libuser-0.56.9-3.x86_64.rpm

I didn't try to debug the problem - I'll only note that all four signature packets seem to be correctly parsed by gpg.

--- Additional comment from mitr on 2009-04-07 12:13:57 EDT ---

(Reproduced on rawhide rpm-4.7.0-0.beta1.9.fc11.x86_64.)

--- Additional comment from pmatilai on 2009-04-08 08:14:28 EDT ---

Yup.. and not limited to libuser-python, there's a bunch of packages failing the signature check, some on header, others on header+payload signatures.

--- Additional comment from pmatilai on 2009-04-09 05:04:45 EDT ---

This goes back all the way to switching from beecrypt to NSS in F-9 (as a Fedora-specific patch at that time). Rpm 4.4.x with beecrypt the signatures verify as OK, after switching to NSS it starts failing. Looks like some funky corner case is being missed as the vast majority of the signatures with the same key are verifying ok.

--- Additional comment from pmatilai on 2009-04-09 14:58:28 EDT ---

This is certainly F11 blocker material...

--- Additional comment from n3npq on 2009-04-09 15:30:58 EDT ---

Hint: openpgp trims leading zeroes in its MPI representation.
One has to pad out the leading zeroes again again again.
Been there, done that, multiple times.

Just a savvy guess.

--- Additional comment from eddie on 2009-04-11 14:24:02 EDT ---

error: libexif-0.6.16-3.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: obex-data-server-1:0.4.3-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2

--- Additional comment from eddie on 2009-04-11 14:26:13 EDT ---

error: elfutils-libs-0.140-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: c2050-0.3b-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: gtkhtml2-2.11.1-5.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2

--- Additional comment from n3npq on 2009-04-11 15:15:23 EDT ---

You can confirm the OpenPGP MPI padding issue mentioned
in comment #6 if you attempt signature verification with
debugging enabled. All the relevant MPI parameters will be printed
when parsed from OpenPGP packets.

The last argument to pgpPrtPkts() needs to be non-zero. Rebuild
rpm with hardwired 1 if necessary.

Otherwise there's hardly a reason to report Yet More Failures,
all F11 packages will have to be vetted at this point with, say,
   rpm -Kvv *.rpm
which is likely easier than creating bugzilla entries ;-)

Just trying to save your time & effort, feel free to report
failures if you wish.
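
The MPI trimming and padding issue n3npq describes in comments #6 and #9, as an added example that is not code from rpm, beecrypt, NSS or this report: it encodes and parses an OpenPGP MPI (a 2-octet bit count followed by the minimal big-endian octets, RFC 4880 section 3.2) and shows why a verifier that expects key-width values must left-pad a trimmed value before use. The key width and the signature value are constructed toy data, not taken from any Fedora package.

```python
# Added example (not rpm/NSS code): OpenPGP MPI encoding and the re-padding
# a fixed-width verifier needs. All values below are constructed.
import struct

def mpi_encode(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then the
    minimal big-endian octets. Leading zero octets are deliberately dropped."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")

def mpi_decode(buf: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Parse one MPI at `offset`. Returns (bit length, raw octets, next offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated MPI length")
    (bit_len,) = struct.unpack_from(">H", buf, offset)
    n = (bit_len + 7) // 8
    raw = buf[offset + 2 : offset + 2 + n]
    if len(raw) != n:
        raise ValueError("truncated MPI body")
    return bit_len, raw, offset + 2 + n

def fixed_width_ok(raw: bytes, width: int) -> bool:
    """The bug class: handing the trimmed octets straight to an API that
    expects exactly `width` octets (the RSA modulus size) fails whenever
    the value happens to have leading zero octets."""
    return len(raw) == width

def pad_mpi(raw: bytes, width: int) -> bytes:
    """Left-pad a trimmed MPI back to the key width; reject oversized values."""
    if len(raw) > width:
        raise ValueError("MPI longer than key width")
    return b"\x00" * (width - len(raw)) + raw

# Constructed 2048-bit key: 256 octets. This signature value has a zero top
# octet, so on the wire it is a 2040-bit, 255-octet MPI.
KEY_OCTETS = 256
SIG_VALUE = (1 << 2040) - 12345

def demo() -> dict:
    """Round-trip the constructed value and compare naive vs. padded handling."""
    wire = mpi_encode(SIG_VALUE)
    bit_len, raw, _ = mpi_decode(wire)
    padded = pad_mpi(raw, KEY_OCTETS)
    return {"bit_len": bit_len, "wire_octets": len(raw),
            "naive_ok": fixed_width_ok(raw, KEY_OCTETS),
            "padded_ok": fixed_width_ok(padded, KEY_OCTETS),
            "roundtrip_ok": int.from_bytes(padded, "big") == SIG_VALUE}

if __name__ == "__main__":
    print(demo())
```

Running it shows the same value rejected by the length check before padding and accepted after it, which is the corner case that only bites signatures whose top octet is zero.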

--- Additional comment from eddie on 2009-04-13 06:48:23 EDT ---

If the rawhide development wishes that people continue their testing and giving feedback to the developers, I think this should be fixed a.s.a.p.

So, if I am not supposed to be creating bugzilla entries for this, I think it will only last longer before this issue is solved. Hence my reports here.

--- Additional comment from pmatilai on 2009-04-13 08:56:02 EDT ---

In this case listing further failing packages doesn't add any useful information. This has already been marked F11 blocker and will be looked into when back to work from Easter holidays.

--- Additional comment from pmatilai on 2009-04-16 05:53:14 EDT ---

Fixed in rawhide by rpm 4.7.0 final and freeze override requested for F11:
https://fedorahosted.org/rel-eng/ticket/1480

--- Additional comment from paul on 2009-05-26 13:33:53 EDT ---

This issue also needs to be fixed in earlier rpm releases. For instance, running reposync of F-11 updates on an F-10 box (or CentOS 5 with Seth's python-hashlib installed) reports a header signature failure in eclipse-nls-da-3.4.0.v20090423085802-1.fc11.noarch.rpm (see https://fedorahosted.org/rel-eng/ticket/1881)

--- Additional comment from pmatilai on 2009-05-27 01:26:21 EDT ---

For F10 fix, see https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214

--- Additional comment from paul on 2009-05-27 02:47:52 EDT ---

Panu, is this already being addressed for EL-5, or should I clone the ticket for EL-5?

Thanks for the F-10 fix, WORKSFORME.

--- Additional comment from pmatilai on 2009-05-27 03:17:50 EDT ---

Feel free to clone for EL-5, it qualifies as a regression (caused by beecrypt -> NSS switch)

Comment 4 Petr Sklenar 2009-06-17 13:25:32 UTC
adding qa ack +
testing procedure up to Panu's comment #1 with affected F11 aspell-is pkg:

RHEL52:
rpm-4.4.2-48.el5 works OK

rhel53:
rpm-4.4.2.3-9.el5 or rpm-4.4.2.3-14.el5.x86_64 :

# rpm --import http://download.englab.brq.redhat.com/pub/fedora/linux/releases/test/11-Preview/Fedora/x86_64/os/RPM-GPG-KEY-fedora-test-11-primary

# wget http://download.fedora.redhat.com/pub/fedora/linux/releases/11/Fedora/x86_64/os/Packages/aspell-is-0.51.1-6.fc11.x86_64.rpm

# rpm -Kv aspell-is-0.51.1-6.fc11.x86_64.rpm 
aspell-is-0.51.1-6.fc11.x86_64.rpm:
    Header V3 RSA/SHA256 signature: OK, key ID d22e77f2
    Header SHA1 digest: OK (c642b59cefd92f4540be472add23e2bc1f7edd9f)
    V3 RSA/SHA256 signature: BAD, key ID d22e77f2
    MD5 digest: OK (a2b550b89f9f945cc8256215f6764dd2)
.qa.[root@x86-64-5s-2-m1 tmp]# echo $?
1

Comment 5 Panu Matilainen 2009-06-17 14:00:57 UTC
Fix built into rpm-4.4.2.3-15.el5

Comment 8 Paul Howarth 2009-06-17 14:37:29 UTC
(In reply to comment #5)
> Fix built into rpm-4.4.2.3-15.el5  

Is there somewhere I can get a copy of this (x86_64) to try it out?

Comment 11 errata-xmlrpc 2009-09-02 11:41:15 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1371.html
