Red Hat Bugzilla – Bug 502791
Signature checking regression caused by beecrypt -> NSS switch
Last modified: 2010-02-23 07:24:22 EST
+++ This bug was initially created as a clone of Bug #494049 +++
Description of problem:
I tried to install system-config-users from Fedora 11 Beta on a Fedora 10 system. Yum pulled in libuser-python and libuser too for dependencies. But then it complained that libuser-python had a bad header signature. And after the transaction I do have new system-config-users and libuser, but no libuser-python.
Version-Release number of selected component (if applicable):
Trying to install it directly with rpm afterwards also fails.
mimmi$$ env LANG=en_US.utf8 rpm -Kv libuser-python-0.56.9-3.x86_64.rpm
Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
Header SHA1 digest: OK (c139d5960dfef34555d6be6efde83d345a52eec6)
V3 RSA/SHA256 signature: OK, key ID d22e77f2
MD5 digest: OK (edb3cf5f337bbc7be0cafb04a52a827c)
mimmi$$ env LANG=en_US.utf8 sudo rpm -i libuser-python-0.56.9-3.x86_64.rpm
[sudo] password for root:
error: libuser-python-0.56.9-3.x86_64.rpm: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: libuser-python-0.56.9-3.x86_64.rpm cannot be installed
The RPM I use is the updated Fedora 10 versions:
mimmi$$ rpm -q rpm rpm-libs
I fetched the package from several different mirrors, but they all were the same.
--- Additional comment from email@example.com on 2009-04-07 11:17:57 EDT ---
Thanks for your report.
Confirmed (with RPM-GPG-KEY-fedora-test-11-primary). libuser-python header signature verification fails, full signature verification suceeds. Verification of both libuser signatures suceeds.
sha256sums of packages:
I didn't try to debug the problem - I'll only note that all four signature packets seem to be correctly parsed by gpg.
--- Additional comment from firstname.lastname@example.org on 2009-04-07 12:13:57 EDT ---
(Reproduced on rawhide rpm-4.7.0-0.beta1.9.fc11.x86_64.)
--- Additional comment from email@example.com on 2009-04-08 08:14:28 EDT ---
Yup.. and not not limited to libuser-python, there's a bunch of packages failing the signature check, some on header, others on header+payload signatures.
--- Additional comment from firstname.lastname@example.org on 2009-04-09 05:04:45 EDT ---
This goes back all the way to switching from beecrypt to NSS in F-9 (as a Fedora-specific patch at that time). Rpm 4.4.x with beecrypt the signatures verify as OK, after switching to NSS it starts failing. Looks like some funky corner case is being missed as the vast majority of the signatures with the same key are verifying ok.
--- Additional comment from email@example.com on 2009-04-09 14:58:28 EDT ---
This is certainly F11 blocker material...
--- Additional comment from firstname.lastname@example.org on 2009-04-09 15:30:58 EDT ---
Hint: openpgp trims leading zeroes in its MPI representation.
One has to pad out the leading zeroes again again again.
Been there, done that, multiple times.
Just a savvy guess.
--- Additional comment from email@example.com on 2009-04-11 14:24:02 EDT ---
error: libexif-0.6.16-3.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: obex-data-server-1:0.4.3-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
--- Additional comment from firstname.lastname@example.org on 2009-04-11 14:26:13 EDT ---
error: elfutils-libs-0.140-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: c2050-0.3b-2.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
error: gtkhtml2-2.11.1-5.fc11.i586: Header V3 RSA/SHA256 signature: BAD, key ID d22e77f2
--- Additional comment from email@example.com on 2009-04-11 15:15:23 EDT ---
You can confirm the OpenPGP MPI padding issue mentioned
in comment #6 if you attempt signature verification with
debugging enabled. All the relevant MPI parameters will be printed
when parsed from OpenPGP packets.
The last argument to pgpPrtPkts() needs to non-zero. Rebuild
rpm with hardwired 1 if necessary.
Otherwise there's hardly a reason to report Yet More Failures,
all F11 packages will have to be vetted at this point with, say,
rpm -Kvv *.rpm
which is likely easier than creating bugzilla entries ;-)
Just trying to save your time & effort, feel free to report
failures if you wish.
--- Additional comment from firstname.lastname@example.org on 2009-04-13 06:48:23 EDT ---
If the rawhide development wishes that people continue their testing and giving feedback to the developers, I think this should be fixed a.s.a.p.
So, If I am not supposed to be creating bugzilla entries for this, I think it will only last longer before this issue is solved. Hence my reports here.
--- Additional comment from email@example.com on 2009-04-13 08:56:02 EDT ---
In this case listing further failing packages doesn't add any useful information. This has already been marked F11 blocker and will be looked into when back to work from Easter holidays.
--- Additional comment from firstname.lastname@example.org on 2009-04-16 05:53:14 EDT ---
Fixed in rawhide by rpm 4.7.0 final and freeze override requested for F11:
--- Additional comment from email@example.com on 2009-05-26 13:33:53 EDT ---
This issue also needs to be fixed in earlier rpm releases. For instance, running reposync of F-11 updates on an F-10 box (or CentOS 5 with Seth's python-hashlib installed) reports a header signature failure in eclipse-nls-da-3.4.0.v20090423085802-1.fc11.noarch.rpm (see https://fedorahosted.org/rel-eng/ticket/1881)
--- Additional comment from firstname.lastname@example.org on 2009-05-27 01:26:21 EDT ---
For F10 fix, see https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5214
--- Additional comment from email@example.com on 2009-05-27 02:47:52 EDT ---
Panu, is this already being addressed for EL-5, or should I clone the ticket for EL-5?
Thanks for the F-10 fix, WORKSFORME.
--- Additional comment from firstname.lastname@example.org on 2009-05-27 03:17:50 EDT ---
Feel free to clone for EL-5, it qualifies as a regression (caused by beecrypt -> NSS switch)
adding qa ack +
testing procedure up to Panu's comment #1 with affected F11 aspell-is pkg:
rpm-4.4.2-48.el5 works OK
rpm-18.104.22.168-9.el5 or rpm-22.214.171.124-14.el5.x86_64 :
# rpm --import http://download.englab.brq.redhat.com/pub/fedora/linux/releases/test/11-Preview/Fedora/x86_64/os/RPM-GPG-KEY-fedora-test-11-primary
# wget http://download.fedora.redhat.com/pub/fedora/linux/releases/11/Fedora/x86_64/os/Packages/aspell-is-0.51.1-6.fc11.x86_64.rpm
# rpm -Kv aspell-is-0.51.1-6.fc11.x86_64.rpm
Header V3 RSA/SHA256 signature: OK, key ID d22e77f2
Header SHA1 digest: OK (c642b59cefd92f4540be472add23e2bc1f7edd9f)
V3 RSA/SHA256 signature: BAD, key ID d22e77f2
MD5 digest: OK (a2b550b89f9f945cc8256215f6764dd2)
.qa.[root@x86-64-5s-2-m1 tmp]# echo $?
Fix built into rpm-126.96.36.199-15.el5
(In reply to comment #5)
> Fix built into rpm-188.8.131.52-15.el5
Is there somewhere I can get a copy of this (x86_64) to try it out?
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.