Bug 56672 – Length errors when rpm signed with multiple signatures

Bug 56672 - Length errors when rpm signed with multiple signatures

Summary:	Length errors when rpm signed with multiple signatures

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	rpm (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Jeff Johnson
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2001-11-23 17:57 EST by Josko Plazonic
Modified:	2008-05-01 11:38 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-11-23 22:47:31 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Josko Plazonic 2001-11-23 17:57:00 EST

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

Description of problem:
When an rpm packages is signed with multiple gpg signatures it will 
complain on any use of that package that length is invalid, and rpm -K 
that the signature is invalid.  For example, pygnome-devel* package, 
signed by RedHat and then with rpm --addsign signed also by me, this is 
output of rpm -K:
warning: Expected size:        15968 = lead(96)+sigs(230)+pad(2)+data
(15640)
warning:   Actual size:        16000
error: pygnome-devel-1.4.1-3.i386.rpm: No signature available
---
the same complaint on install (but it will install it).  On RH6.2 with 
rpm-4.0.2-6x there are no problems and it works there (i.e. rpm package 
with two signatures works just fine on rh6.2, when moved to 7.2 again 
problems so the problem is in rpm-4.0.3-1.03 on 7.2).

Version-Release number of selected component (if applicable):
rpm-4.0.3-1.03 

How reproducible:
Always

Steps to Reproduce:
1. Pick a signed package and add another gpg signature (--addsign).
2. Verify package (rpm -K) or install it.

	

Actual Results:  If installing it will install but complain about invalid 
length, if verified it will again complain about invalid length but also 
about invalid signature.

Expected Results:  It should confirm validity of both signatures...

Additional info:

Comment 1 Josko Plazonic 2001-11-23 18:31:33 EST

Uh, scratch the part about multiple signatures working fine in RH6.2's 4.0.2 
rpm - it just doesn't complain about the length, as rpm -vv -K shows (i.e. 
D: Expected size:        15968 = lead(96)+sigs(230)+pad(2)+data(15640)
D:   Actual size:        16000
).  At least it will not abort and will check whatever signatures it can still 
find.

Comment 2 Josko Plazonic 2001-11-23 22:47:25 EST

Ok - checked the code and it seems that rpm gets confused when more than one 
signature of same type exists (e.g. two gpg - this is what I was trying to get 
to work).  Plus there is some confusion in rpmReadSignature def in signature.c 
code about sigSize -= (16 + 16) that created length errors when more than one 
gpg signature exists (apparently sigSize shouldn't be decreased in that case? 
bu?).

It would still useful to be able to have multiple signatures...

Comment 3 Jeff Johnson 2001-11-24 08:56:49 EST

Yup, 'twould be nice to be able to support multiple signatures.
Too bad rpm doesn't, the fundamental issue is the lack of a
data type for an array of variable length objects. Adding
a new data type creates all sorts of legacy havoc, and anything
else is, well, a hack.

The right thing to do is to rip the entire package size check, it's rather
stiff, unforgiving, and feeble all at the same time. This is already
in process.

Note You need to log in before you can comment on or make changes to this bug.