Bug 68291 - rpm --import mishandles files with keys and signatures (and multi-key files)
rpm --import mishandles files with keys and signatures (and multi-key files)
Status: CLOSED DUPLICATE of bug 90952
Product: Fedora
Classification: Fedora
Component: rpm (Show other bugs)
1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
:
Depends On:
Blocks: 67217
  Show dependency treegraph
 
Reported: 2002-07-08 17:31 EDT by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-21 13:49:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Verify header+payload package signature using gpg (892 bytes, text/plain)
2002-07-09 10:07 EDT, Jeff Johnson
no flags Details
A keyfile of 897DA07A with DB42A60E sig, gets imported incorrectly. (1.41 KB, text/plain)
2002-07-10 15:02 EDT, Aleksey Nogin
no flags Details
897DA07A key w/o DB42A60E sig, gets imported correctly. (1.32 KB, text/plain)
2002-07-10 15:03 EDT, Aleksey Nogin
no flags Details
A keyfile with the key 0x9D6B4012: (Arjan van de Ven <arjanv@redhat.com>) that does not get imported correctly. (4.62 KB, text/plain)
2003-11-20 18:25 EST, Aleksey Nogin
no flags Details

  None (edit)
Description Aleksey Nogin 2002-07-08 17:31:43 EDT
With rpm-4.1-0.34, when "rpm --import" is used on a multi-key file, rpm will
create a *single* gpg-pubkey "package" and put the whole keyfile in there. Only
one key will be used as "version" and "release", so rpm would not be able to use
other keys in that file (it simply wouldn't know they are in there!)

rpm --import should probably:
1) recognize the input file contains multiple keys
2) split it into separate armored keys
3) import each key individually

As a workaround, it could complain and abort instead of (2-3).
Comment 1 Aleksey Nogin 2002-07-08 17:36:19 EDT
Actually, it seems to be even worse - it appears that even for that one key that
made it into  the "version" field when importing a multi-key file, it still
would not work correctly. Namely, rpm recognizes it has the key, but "rpm -Kv"
would consider all signatures made with it top be bad!
Comment 2 Jeff Johnson 2002-07-09 10:06:33 EDT
ATM, rpm supports only a subset of all possible OpenPGP
package formats.

Please add an attachment/pointer to a pubkey and package signed
with that key if you wish a more complete implementation.

Otherwise, just extract the keys and use gpg directly to
verify. Shell script that does this attached.
Comment 3 Jeff Johnson 2002-07-09 10:07:37 EDT
Created attachment 64385 [details]
Verify header+payload package signature using gpg
Comment 4 Aleksey Nogin 2002-07-09 16:36:03 EDT
Let me try being a little more specific.

To reproduce:

a) gpg --export --armor id1 id2 [id3 ...] > /tmp/pubkeys
b) rpm --import /tmp/pubkeys
c) rpm -Kv on packages signed with id1 and id2.

Expected: 
 - best case: everything works (for example, as in (1-3) on the initial report).
 - minimal: rpm rejects the key file in (b) as unsupported.

Actual:
 - in (b) rpm would create *one* gpg-pubkey package with one of the ids (let's
call it idx) as the "version". Usually idx=id1, but I saw idx=id2 too.
 - in (c) for packages signed with ids other than idx rpm would say the key is
missing (bad)
 - in (c) for packages signed with idx rpm would say the signature is wrong
(very bad).

In short, I understand that some formats may be unsupported by rpm, but at
minimum rpm should recognize those formats and reject --importing them.
Comment 5 Jeff Johnson 2002-07-09 16:45:42 EDT
I'm not disagreeing, I'm only asking for
a pointer to a public key and a package
that was signed with that key so that I
can see exactly what needs to be done.
Comment 6 Aleksey Nogin 2002-07-10 15:00:44 EDT
This is getting weirder every time I try --import'ing something. I tried
importing a keyfile (I'll attach it in a second) that contained the key 897DA07A
(rawhide@redhat) which was signed by DB42A60E (secutity@redhat). But importing
that keyfile resulted in gpg-pubkey-db42a60e-3c979aa4 "package" being added
which not only means that it was still unable to check signatured on packages
signed by 897DA07A (I assume you have plenty of those for tesing ;-), but also
(I would guess, have not actually tried it) would interfere with sigchecking of
packages singed by the "real" db42a60e.

Only when I removed the DB42A60E signature and --imported a "plain" 897DA07A
key, things worked out as expected...
Comment 7 Aleksey Nogin 2002-07-10 15:02:25 EDT
Created attachment 64647 [details]
A keyfile of 897DA07A with DB42A60E sig, gets imported incorrectly.
Comment 8 Aleksey Nogin 2002-07-10 15:03:23 EDT
Created attachment 64648 [details]
897DA07A key w/o DB42A60E sig, gets imported correctly.
Comment 9 Jeff Johnson 2002-07-12 18:13:07 EDT
Can you give me a pointer to a package signed
with the key that rpm does not understand?
Any package will do, I usually use the time package,
it's teensy.

BTW, I enhanced rpm -qi in rpm-4.1-0.46 to display:

Signature   : DSA/SHA1, Tue 25 Jun 2002 01:42:34 PM EDT, Key ID fd372689897da07a
Comment 10 Aleksey Nogin 2002-07-17 22:38:56 EDT
OK, may be I was not clear enough. The problem is not with signatures, the
problem is with the --import not understanding some files (or even worse
-misunderstanding them), such as the "key-with-sig" file attached here. And once
"--import" messes things up, signature checking suffers badly, but it's not its
fault for not being able to figure out that things are already in a pretty
inconsistent state.

Below is a sequence of steps that should be 100% reproducible on a machine with
the same version of rpm and using the "key-with-sig" file attached here. My
comments start with ">>>" (and are placed below the command and output being
commented).

# rpm -q rpm
rpm-4.1-0.34
# rpm -e --allmatches gpg-pubkey
>>> The above is just to make sure we start in a clean state.
# rpm --import key-with-sig
>>> The import above non doing the right thing is what causes 
>>> *all* the problems below. All the stuff below is there
>>> just to *demonstrate* what problems arise out of this bad --import
# rpm -q gpg-pubkey
gpg-pubkey-db42a60e-3c979aa4
>>> OK, so the largest issue is that --import thought that the 
>>> "key-with-sig" contained the "db42a60e" key, while in fact in
>>> contained "897DA07A" key which is *signed* by "db42a60e" 
# gpg --import /tmp/key-with-sig
gpg: key 897DA07A: not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
>>> The above was to verify that the file indeed contains "897DA07A" 
>>> and *not* "db42a60e" (as rpm --import mistakenly thought).
# rpm -Kvv
ftp://ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/basesystem-7.0-2.noarch.rpm
D: opening  db environment /var/lib/rpm/Packages joinenv
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: logging into ftp.redhat.com as ftp, pw (username)
D: file is not regular -- skipping size check
D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
D: ========== DSA pubkey id 219180cddb42a60e
ftp://ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/basesystem-7.0-2.noarch.rpm:
    MD5 digest: OK (44e289b35d9d09c7b1d4e64583f2324b)
    V3 DSA signature: BAD, key ID db42a60e
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm/Packages
D: removed  db environment /var/lib/rpm/Packages
>>> The signature is actually good, but rpm now thinks it's bad since
>>> it does not really have the public key to check it against!
# rpm --import /usr/share/doc/rpm-4.1/RPM-GPG-KEY
>>> Let's see what happens if we import the correct thing.
# rpm -q gpg-pubkey
gpg-pubkey-db42a60e-3c979aa4
gpg-pubkey-db42a60e-37ea5438
# rpm -Kvv
ftp://ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/basesystem-7.0-2.noarch.rpm
D: opening  db environment /var/lib/rpm/Packages joinenv
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: logging into ftp.redhat.com as ftp, pw (username)
D: file is not regular -- skipping size check
D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
D: ========== DSA pubkey id 219180cddb42a60e
ftp://ftp.redhat.com/pub/redhat/linux/7.3/en/os/i386/RedHat/RPMS/basesystem-7.0-2.noarch.rpm:
    MD5 digest: OK (44e289b35d9d09c7b1d4e64583f2324b)
    V3 DSA signature: BAD, key ID db42a60e
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm/Packages
D: removed  db environment /var/lib/rpm/Packages
>>> Still no luck - rpm seems to check the package signature against
>>> the "broken" gpg-pubkey-db42a60e-3c979aa4 instead of the correct
>>> public key (which is probably *not* a bug on its own - the first
>>> matching key just takes precedence).
# rpm -Kvv
ftp://ftp.redhat.com/pub/redhat/linux/beta/limbo/en/os/i386/RedHat/RPMS/basesystem-7.0-5.noarch.rpm
D: opening  db environment /var/lib/rpm/Packages joinenv
D: opening  db index       /var/lib/rpm/Packages rdonly mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: logging into ftp.redhat.com as ftp, pw (username)
D: file is not regular -- skipping size check
D: opening  db index       /var/lib/rpm/Pubkeys rdonly mode=0x0
ftp://ftp.redhat.com/pub/redhat/linux/beta/limbo/en/os/i386/RedHat/RPMS/basesystem-7.0-5.noarch.rpm:
    Header V3 DSA signature: NOKEY, key ID 897da07a
    MD5 digest: OK (825f8e7b39611f3d6c9a4cc41da024b5)
    V3 DSA signature: NOKEY, key ID 897da07a
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm/Packages
D: removed  db environment /var/lib/rpm/Packages
>>> The above just demonstrates another consequence of the borked
>>> --import - rpm does have the public key 897da07a (in
>>> gpg-pubkey-db42a60e-3c979aa4), but since it was misplaced, rpm
>>> thinks the key is not there.

Hope that makes it clearer...
Comment 11 Jeff Johnson 2002-07-18 09:26:07 EDT
Yes, there is no full-blown support for all
possible OpenPGP packets. Known, agreed,
identified, yes, yes, yes.

Now can you *please* sign some package with
the key that does not import correctly, and
give me a pointer to that package, so that
I can fix the problem? The code paths that
need to be fixed are common throughout,
and it's the parser that needs to be fixed,
not just --import, which uses the parser.
Comment 12 Aleksey Nogin 2002-07-18 12:23:44 EDT
> Now can you *please* sign some package with
> the key that does not import correctly, and
> give me a pointer to that package, 

I am still do not understand what exactly you need and how what you need is
different from what you already have: a key-with-sig file containing aa version
of the RedHat's rawhide key that does not import correctly and
ftp://ftp.redhat.com/pub/redhat/linux/beta/limbo/en/os/i386/RedHat/RPMS/basesystem-7.0-5.noarch.rpm
 - a package correctly signed with that key.

P.S. Possibly the reason I do not understand what you need is because I do not
understand why you need it (and while this understanding is not necessary if you
give me some clear instructions, it might help). The parser clearly misparses
the key-with-sig file, is not that enough to figure out what goes wrong?
Comment 13 Jeff Johnson 2002-07-18 12:42:15 EDT
Ick, I meant to delete that comment. After re-reading
I think I have enough info to reproduce, but "Save Changes"
got pressed in the interim. Again, apologies.

What I was hoping for is a reproducible test case
for signature verification, not possible when working
with someone else's pubkey. But I think I can fix the
parse problem with just the pubkey.
Comment 14 Aleksey Nogin 2002-07-18 13:02:27 EDT
> "Save Changes" got pressed in the interim

Done that myself more than once, no need to apologize.

> What I was hoping for is a reproducible test case
> for signature verification,

I haven't seen one yet - all I've seen so far were --import's faults... But once
--import is fixed, it will be easier to pass "weird" data to sig verification
and I'll be sure to test it...

> not possible when working with someone else's pubkey.

Well, that's why I tried my best creating a test case using Red Hat's key - but
in case you do not have sufficient access to it, I would imagine it should be
relatively easy to reproduce the problem using your own key...
Comment 15 Jeff Johnson 2002-08-02 12:44:49 EDT
Yup, pubkey signid parameter was being parsed from the generic,
rather than the positive, certification signature subpkt.

Fixed in rpm-4.1-0.66, building soon.
Comment 16 Aleksey Nogin 2003-11-20 18:18:54 EST
This bug is still there in Fedora Core (rpm-4.2.1-0.30). For example,
key 9D6B4012: "Arjan van de Ven <arjanv@redhat.com>" gets imported as
gpg-pubkey-92f0fc09-3f23efee on my system (will attach relevant files
in a moment) :-(
Comment 17 Aleksey Nogin 2003-11-20 18:25:49 EST
Created attachment 96105 [details]
A keyfile with the key 0x9D6B4012: (Arjan van de Ven <arjanv@redhat.com>) that does not get imported correctly.

To reproduce:

1) Verify that the file contains the key I say ot does:

% gpg --import /tmp/9d6b4012

2) Verify that we started in a sufficiently "clean" state:

# rpm -q gpg-pubkey-92f0fc09 gpg-pubkey-9d6b4012
package gpg-pubkey-92f0fc09 is not installed
package gpg-pubkey-9d6b4012 is not installed

3) Import the key:

# rpm --import /tmp/9d6b4012

4) Expected - gpg-pubkey-9d6b4012 is there, gpg-pubkey-92f0fc09 is not.

Actual:

# rpm -q gpg-pubkey-92f0fc09 gpg-pubkey-9d6b4012
gpg-pubkey-92f0fc09-3f23efee
package gpg-pubkey-9d6b4012 is not installed
Comment 18 Leonard den Ottolander 2004-03-08 03:18:11 EST
Probably it is important this get fixed, but still setting severity to
normal. (See the help page for details on when to set severity to high.)

Aleksey, do you think this can be closed a dup while we track via bug
90952?
Comment 19 Aleksey Nogin 2004-03-08 04:01:15 EST

*** This bug has been marked as a duplicate of 90952 ***
Comment 20 Red Hat Bugzilla 2006-02-21 13:49:13 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.