56672 – Length errors when rpm signed with multiple signatures

Bug 56672 - Length errors when rpm signed with multiple signatures

Summary: Length errors when rpm signed with multiple signatures

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	rpm
Sub Component:
Version:	7.2
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jeff Johnson
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-11-23 22:57 UTC by Josko Plazonic
Modified:	2008-05-01 15:38 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2001-11-24 03:47:31 UTC
Embargoed:

Attachments	(Terms of Use)

Description Josko Plazonic 2001-11-23 22:57:00 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)

Description of problem:
When an rpm packages is signed with multiple gpg signatures it will 
complain on any use of that package that length is invalid, and rpm -K 
that the signature is invalid.  For example, pygnome-devel* package, 
signed by RedHat and then with rpm --addsign signed also by me, this is 
output of rpm -K:
warning: Expected size:        15968 = lead(96)+sigs(230)+pad(2)+data
(15640)
warning:   Actual size:        16000
error: pygnome-devel-1.4.1-3.i386.rpm: No signature available
---
the same complaint on install (but it will install it).  On RH6.2 with 
rpm-4.0.2-6x there are no problems and it works there (i.e. rpm package 
with two signatures works just fine on rh6.2, when moved to 7.2 again 
problems so the problem is in rpm-4.0.3-1.03 on 7.2).

Version-Release number of selected component (if applicable):
rpm-4.0.3-1.03 

How reproducible:
Always

Steps to Reproduce:
1. Pick a signed package and add another gpg signature (--addsign).
2. Verify package (rpm -K) or install it.

	

Actual Results:  If installing it will install but complain about invalid 
length, if verified it will again complain about invalid length but also 
about invalid signature.

Expected Results:  It should confirm validity of both signatures...

Additional info:

Comment 1 Josko Plazonic 2001-11-23 23:31:33 UTC

Uh, scratch the part about multiple signatures working fine in RH6.2's 4.0.2 
rpm - it just doesn't complain about the length, as rpm -vv -K shows (i.e. 
D: Expected size:        15968 = lead(96)+sigs(230)+pad(2)+data(15640)
D:   Actual size:        16000
).  At least it will not abort and will check whatever signatures it can still 
find.

Comment 2 Josko Plazonic 2001-11-24 03:47:25 UTC

Ok - checked the code and it seems that rpm gets confused when more than one 
signature of same type exists (e.g. two gpg - this is what I was trying to get 
to work).  Plus there is some confusion in rpmReadSignature def in signature.c 
code about sigSize -= (16 + 16) that created length errors when more than one 
gpg signature exists (apparently sigSize shouldn't be decreased in that case? 
bu?).

It would still useful to be able to have multiple signatures...

Comment 3 Jeff Johnson 2001-11-24 13:56:49 UTC

Yup, 'twould be nice to be able to support multiple signatures.
Too bad rpm doesn't, the fundamental issue is the lack of a
data type for an array of variable length objects. Adding
a new data type creates all sorts of legacy havoc, and anything
else is, well, a hack.

The right thing to do is to rip the entire package size check, it's rather
stiff, unforgiving, and feeble all at the same time. This is already
in process.

Note You need to log in before you can comment on or make changes to this bug.