Description of Problem: rpm --verify does not seem to actually check file checksums How Reproducible: 100% Steps to Reproduce: 1. "rpm -q -l gcc" to get a list of files. 2. Modify a few files. Delete or rename a few. 3. "rpm --verify gcc" Actual Results: [root@headnet bryce]# rpm --verify gcc missing /usr/share/doc/gcc-2.96/README.DWARF Expected Results: Should have reported md5 checksum errors for the files I modified
Hmmm, rpm-4.0.3-0.90 verifies md5 sums for me. What version of rpm? What platform? What package did you verify? Try the rpm package ... What files did you modify? Try adding a line to /usr/lib/rpm/macros ...
Closed for lack of input.
RPM version 4.0.3 Linux HardHat 2.4.9-21 "rpm -q -l gcc" to find a file that's in the package. Then, say, "vi /usr/share/doc/gcc-2.96/README.FRESCO". And rpm --verify gcc You've modified a file, asked rpm to verify the package, and rpm gives not a whimper. It's not actually verifying anything. Please reopen.
If you do "rpm -Va", you will see that rpm is, indeed, verifying md5 sums on files. Specific example in a moment ...
Ok, but how do you get it to verify one package? And why does rpm -V gcc pretend that gcc is ok?
bash$ rpm -qf /etc/ftphosts wu-ftpd-2.6.1-18 bash$ rpm -V wu-ftpd ..?..... c /etc/ftpaccess ..?..... c /etc/ftpconversions ..?..... c /etc/ftpgroups ..?..... c /etc/ftphosts ..?..... c /etc/ftpusers S.5....T c /etc/xinetd.d/wu-ftpd #===> Note: I forgot to run a s root, the file is unreadable, so '?' is displayed bash$ sudo vi /etc/ftphosts #===> single line added bash$ sudo rpm -V wu-ftpd S.5....T c /etc/ftphosts S.5....T c /etc/xinetd.d/wu-ftpd #===> Note: this time I remembered to run as root, '5' indicates MD5 check failed bash$ sudo vi /etc/ftphosts #===> line deleted bash$ sudo rpm -V wu-ftpd .......T c /etc/ftphosts S.5....T c /etc/xinetd.d/wu-ftpd #===> Note: the lack of '5' indicates that MD5 sums match, but 'T' indicates mfile modified
Sorry, I clobbered your response. Dunno your gcc package, but try the steps above to figger what's up. FWIW, I'm running rpm-4.0.4-0.27, dunno if that makes a difference. There's also "rpm -Vf /etc/ftphosts", i.e. verify the package that contains the file specified.
wu-fpt works for me. Same steps on gcc (and other packages) fail. Try gcc.
Works for me on a file in the gcc package: yarmouth:/usr/bin 644 bash$ rpm -Vf /usr/bin/gcc yarmouth:/usr/bin 645 bash$ rpm -V gcc yarmouth:/usr/bin 646 bash$ rpm -qf gcc gcc-3.1-0.18 yarmouth:/usr/bin 647 bash$ sudo mv gcc gcc-SAVE yarmouth:/usr/bin 648 bash$ sudo cp /dev/null gcc yarmouth:/usr/bin 649 bash$ rpm -Vf gcc SM5....T /usr/bin/gcc yarmouth:/usr/bin 650 bash$ sudo mv gcc-SAVE gcc yarmouth:/usr/bin 651 bash$ rpm -Vf gcc Note: The file you have chosen may very well have disabled file md5 verification in packaging using a directive like %verify(not md5) That's a whole different problem.
SInce I don't see a general problem with rpm, I'm gonna close this bug. Feel free to reopen new bugs against specific packages i.e. the package that's displayed if/when you do rpm -qf /you/file/path/here if you still think that there's an MD5 verification problem.
New bug report angle then: rpm --verify leads to false sense of security. If md5 sum has been disabled, it should so indicate. If --verify is not actually checking anything, why should it be telling me everything is fine? As a user of rpm I need to understand what's been checked and verified OK, and what's not been checked at all. I just checked with wu-ftp, changing a few characters in: /usr/share/doc/wu-ftpd-2.6.1/ERRATA And again, rpm claims there is no md5 error.
Hmmm, you comment might just as easily read Believing that md5 sums provide security is fooling yourself. rpm is just a tool, it does what it does, no more, no less. Yes, rpm-4.1, will do mandatory signature checking on headers that contain MD5 sums, that's a slightly less foolish approach, but then one reaches the problem of How does one know that a public key is valid?
Sure, there are two layers of analysis. The first level is the tool, and clearly the tool needs fixing if it leads a user to think a MD5 sum has been checked, when it has not been. Either get rid of the MD5 sum feature or make it work for all files all the time (indicating, somehow, what was checked and what was not). You could at the very very least document that --verify might not actually even try to check certain files. The man page gives no hint of this issue. The deeper level of analysis is not up to the tool - what's an MD5 sum worth?
Short term answer: Not gonna happen. I've already indicated what the longer term answer is.
Oh well. It sucks that a tool that lies to me about what it did.