Red Hat Bugzilla – Bug 56672
Length errors when rpm signed with multiple signatures
Last modified: 2008-05-01 11:38:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Description of problem:
When an rpm packages is signed with multiple gpg signatures it will
complain on any use of that package that length is invalid, and rpm -K
that the signature is invalid. For example, pygnome-devel* package,
signed by RedHat and then with rpm --addsign signed also by me, this is
output of rpm -K:
warning: Expected size: 15968 = lead(96)+sigs(230)+pad(2)+data
warning: Actual size: 16000
error: pygnome-devel-1.4.1-3.i386.rpm: No signature available
the same complaint on install (but it will install it). On RH6.2 with
rpm-4.0.2-6x there are no problems and it works there (i.e. rpm package
with two signatures works just fine on rh6.2, when moved to 7.2 again
problems so the problem is in rpm-4.0.3-1.03 on 7.2).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Pick a signed package and add another gpg signature (--addsign).
2. Verify package (rpm -K) or install it.
Actual Results: If installing it will install but complain about invalid
length, if verified it will again complain about invalid length but also
about invalid signature.
Expected Results: It should confirm validity of both signatures...
Uh, scratch the part about multiple signatures working fine in RH6.2's 4.0.2
rpm - it just doesn't complain about the length, as rpm -vv -K shows (i.e.
D: Expected size: 15968 = lead(96)+sigs(230)+pad(2)+data(15640)
D: Actual size: 16000
). At least it will not abort and will check whatever signatures it can still
Ok - checked the code and it seems that rpm gets confused when more than one
signature of same type exists (e.g. two gpg - this is what I was trying to get
to work). Plus there is some confusion in rpmReadSignature def in signature.c
code about sigSize -= (16 + 16) that created length errors when more than one
gpg signature exists (apparently sigSize shouldn't be decreased in that case?
It would still useful to be able to have multiple signatures...
Yup, 'twould be nice to be able to support multiple signatures.
Too bad rpm doesn't, the fundamental issue is the lack of a
data type for an array of variable length objects. Adding
a new data type creates all sorts of legacy havoc, and anything
else is, well, a hack.
The right thing to do is to rip the entire package size check, it's rather
stiff, unforgiving, and feeble all at the same time. This is already