From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

Description of problem:
When an rpm package is signed with multiple gpg signatures it will complain on any use of that package that the length is invalid, and rpm -K will complain that the signature is invalid. For example, with the pygnome-devel* package, signed by RedHat and then also signed by me with rpm --addsign, this is the output of rpm -K:

warning: Expected size: 15968 = lead(96)+sigs(230)+pad(2)+data (15640)
warning: Actual size: 16000
error: pygnome-devel-1.4.1-3.i386.rpm: No signature available

The same complaint appears on install (but it will install it). On RH6.2 with rpm-4.0.2-6x there are no problems and it works there (i.e. an rpm package with two signatures works just fine on rh6.2; when moved to 7.2 there are again problems, so the problem is in rpm-4.0.3-1.03 on 7.2).

Version-Release number of selected component (if applicable):
rpm-4.0.3-1.03

How reproducible:
Always

Steps to Reproduce:
1. Pick a signed package and add another gpg signature (--addsign).
2. Verify the package (rpm -K) or install it.

Actual Results:
If installing, it will install but complain about an invalid length; if verifying, it will again complain about an invalid length but also about an invalid signature.

Expected Results:
It should confirm the validity of both signatures...

Additional info:
Uh, scratch the part about multiple signatures working fine in RH6.2's 4.0.2 rpm - it just doesn't complain about the length, as rpm -vv -K shows (i.e. D: Expected size: 15968 = lead(96)+sigs(230)+pad(2)+data(15640) D: Actual size: 16000 ). At least it will not abort and will check whatever signatures it can still find.
Ok - checked the code and it seems that rpm gets confused when more than one signature of the same type exists (e.g. two gpg - this is what I was trying to get to work). Plus there is some confusion in the rpmReadSignature def in the signature.c code about sigSize -= (16 + 16) that created length errors when more than one gpg signature exists (apparently sigSize shouldn't be decreased in that case? bu?). It would still be useful to be able to have multiple signatures...
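The package size check the thread is arguing about, as an added example in Python (not rpm's own code from signature.c): it parses a constructed RPM-like lead and signature header, keeps repeated tags (two GPG entries) instead of getting confused by them, and compares lead + sigs + pad + the declared data size against the actual length. The tag and type numbers are rpm's signature-header values; the sample sizes are chosen so the figures match the 15968/16000 report above, and the 32 trailing bytes in the mismatch case are a constructed tamper, not the cause discussed in this bug.

```python
import struct

LEAD_SIZE = 96                          # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
SIGTAG_SIZE, SIGTAG_GPG = 1000, 1005    # signature-header tags: header+payload size, GPG signature
RPM_INT32_TYPE, RPM_BIN_TYPE = 4, 7

def parse_signature_header(blob, offset=LEAD_SIZE):
    """Parse the signature header at `offset`; return (sig_len, pad, entries, data_start)."""
    if blob[:4] != LEAD_MAGIC or blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("not an RPM lead/signature header")
    nindex, hsize = struct.unpack(">II", blob[offset + 8:offset + 16])
    index_start, entries = offset + 16, {}
    for i in range(nindex):
        rec = blob[index_start + 16 * i:index_start + 16 * i + 16]
        tag, typ, off, count = struct.unpack(">IIII", rec)
        entries.setdefault(tag, []).append((typ, off, count))   # a tag may repeat (two GPG sigs)
    sig_len = 16 + 16 * nindex + hsize
    pad = (8 - sig_len % 8) % 8         # signature header is padded to an 8-byte boundary
    return sig_len, pad, entries, index_start + 16 * nindex

def size_check(blob):
    """Mirror rpm's check: lead + sigs + pad + declared data size must equal the file length."""
    sig_len, pad, entries, data_start = parse_signature_header(blob)
    typ, off, _ = entries[SIGTAG_SIZE][0]
    assert typ == RPM_INT32_TYPE
    declared = struct.unpack(">I", blob[data_start + off:data_start + off + 4])[0]
    expected = LEAD_SIZE + sig_len + pad + declared
    return {"lead": LEAD_SIZE, "sigs": sig_len, "pad": pad, "data": declared,
            "expected": expected, "actual": len(blob), "ok": expected == len(blob)}

def build_sample(n_gpg, sig_bytes=81, data_size=15640):
    """Constructed RPM-like blob (not a real package): lead, signature header with one SIZE
    entry plus n_gpg GPG entries, 8-byte padding, then data_size bytes of dummy payload."""
    data = struct.pack(">I", data_size)
    index = [(SIGTAG_SIZE, RPM_INT32_TYPE, 0, 1)]
    for _ in range(n_gpg):
        index.append((SIGTAG_GPG, RPM_BIN_TYPE, len(data), sig_bytes))
        data += b"\xaa" * sig_bytes     # placeholder signature bytes, not a real signature
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(index), len(data))
    header += b"".join(struct.pack(">IIII", *e) for e in index) + data
    lead = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
    return lead + header + b"\0" * ((8 - len(header) % 8) % 8) + b"\0" * data_size

if __name__ == "__main__":
    print(size_check(build_sample(2)))               # sigs 230, pad 2, 15968 == 15968
    print(size_check(build_sample(2) + b"\0" * 32))  # expected 15968, actual 16000, ok False
```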
Yup, 'twould be nice to be able to support multiple signatures. Too bad rpm doesn't; the fundamental issue is the lack of a data type for an array of variable length objects. Adding a new data type creates all sorts of legacy havoc, and anything else is, well, a hack. The right thing to do is to rip out the entire package size check; it's rather stiff, unforgiving, and feeble all at the same time. This is already in process.