Bug 73355 - rpm --resign problems
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
8.0
i386 Linux
medium Severity medium
Assigned To: Jeff Johnson
Depends On:
Blocks:
Reported: 2002-09-03 08:52 EDT by Gerald Teschl
Modified: 2008-05-01 11:38 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-10-03 15:26:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
rpm package (58.61 KB, application/rpm)
2002-09-03 09:30 EDT, Gerald Teschl
no flags Details

Description Gerald Teschl 2002-09-03 08:52:38 EDT
I just resigned a package with my private key to get rid of the annoying
rpm warnings. But I still get warnings:

[root@soliton RPMS]# rpm -qp fmirror-0.8.4beta-1.i386.rpm
warning: fmirror-0.8.4beta-1.i386.rpm: Header V3 DSA signature: NOKEY, key ID
b8df0f04
fmirror-0.8.4beta-1

However, this warning makes no sense since I do have the key:

[root@soliton RPMS]# rpm -q gpg-pubkey-b8df0f04
gpg-pubkey-b8df0f04-3a3cd517

Moreover, -K seems to shed some light

root@soliton RPMS]# rpm -K fmirror-0.8.4beta-1.i386.rpm; echo $?
fmirror-0.8.4beta-1.i386.rpm: (SHA1) DSA (MD5) (PGP) md5 gpg NOT OK (MISSING
KEYS: PGP#20238f8d)
1

rpm seems to ignore the fact that the package was resigned with #b8df0f04
and that this signature can be verified. It still uses the original signature
with #20238f8d. This is totally confusing.
Comment 1 Jeff Johnson 2002-09-03 09:06:13 EDT
There are (at least) 2 issues here. For starters,
rpm no longer uses gpg to verify signatures.

1) Import the key to make the warning
go away:
	rpm --import <armored-signature-file>

2) If you give me a pointer to the package and
the pubkey, I'll figger out what's up.
Comment 2 Gerald Teschl 2002-09-03 09:28:58 EDT
I did import my key. However, I do not want to import the other key
PGP#20238f8d, since I do not trust this key in general. I just trust
that this particular package is ok and I figured by resigning it with
my key rpm will be happy;-)

My key is available from  http://www.mat.univie.ac.at/~gerald/DSSkey.txt
or http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xB8DF0F04

I will attach the (resigned) package.
Comment 3 Gerald Teschl 2002-09-03 09:30:12 EDT
Created attachment 74687 [details]
rpm package
Comment 4 Jeff Johnson 2002-10-26 11:10:25 EDT
Here's what rpm-4.2 (also rpm-4.1 from ftp.rpm.org IIRC)
reports:

bash$ rpm -qp fmirror-0.8.4beta-1.i386.rpm 
error: fmirror-0.8.4beta-1.i386.rpm: rpmReadSignature failed: region trailer:
BAD, tag 61 type 7 offset 64 count 16

The "region trailer" is the marker in the data section
at the end of an immutable region (i.e. a blob in a
header that will remain exactly the same).

Hexedit shows 2 copies of the signature header:

00000060   8E AD E8 01  00 00 00 00  00 00 00 08  00 00 01 55  ...............U
00000070   00 00 00 3E  00 00 00 07  00 00 00 AC  00 00 00 10  ...>............
00000080   00 00 03 E8  00 00 00 04  00 00 00 00  00 00 00 01  ................
00000090   00 00 03 EA  00 00 00 07  00 00 00 04  00 00 00 98  ................
000000A0   00 00 03 EC  00 00 00 07  00 00 00 9C  00 00 00 10  ................
000000B0   00 00 01 0B  00 00 00 07  00 00 00 BC  00 00 00 41  ...............A
000000C0   00 00 03 E8  00 00 00 04  00 00 01 00  00 00 00 01  ................
000000D0   00 00 03 EC  00 00 00 07  00 00 01 04  00 00 00 10  ................
000000E0   00 00 03 ED  00 00 00 07  00 00 01 14  00 00 00 41  ...............A
000000F0   00 00 E8 2C  89 00 95 03  05 00 35 CF  5B E9 98 D2  ...,......5.[...

After resigning using --resign (with rpm-4.0.4 to avoid the missing
header trailer), hexedit shows

00000060   8E AD E8 01  00 00 00 00  00 00 00 05  00 00 00 FD  ................
00000070   00 00 00 3E  00 00 00 07  00 00 00 ED  00 00 00 10  ...>............
00000080   00 00 03 E8  00 00 00 04  00 00 00 00  00 00 00 01  ................
00000090   00 00 03 EA  00 00 00 07  00 00 00 04  00 00 00 98  ................
000000A0   00 00 03 EC  00 00 00 07  00 00 00 9C  00 00 00 10  ................
000000B0   00 00 03 ED  00 00 00 07  00 00 00 AC  00 00 00 41  ...............A
000000C0   00 00 E8 2C  89 00 95 03  05 00 35 CF  5B E9 98 D2  ...,......5.[...

So I surmise that you resigned with --addsign, rpm happily
added a 2nd, identical, tag. The original tag, still present,
was retrieved.

Yes, more than confusing, the "traditional" (nuance of) distinction
in rpm between --addsign and --resign has been eliminated, both
options behave exactly identically in rpm-4.1 (and note that there
are now two signatures generated as well).

Bottom line is
	Always sign packages with rpm-4.1 or later.

BTW, I'm still working on getting "trust" defined differently
than "key exists in database". That will almost certainly
be available in rpm-4.2.

I'm calling this NOTABUG solely because I didn't change any rpm code.
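
Added example (not from the bug report and not rpm's own code): a small Python parser for the rpm header preamble and index shown in the two hexdumps in comment 4. The index bytes are copied from those dumps; the tag names are rpm's well-known signature tag numbers. It reports the duplicated tags in the --addsign'd package and shows why a first-match lookup returns the original entry.

```python
import struct
from collections import Counter

# Well-known rpm signature-header tag numbers (rpm's rpmtag.h)
SIGTAG_NAMES = {62: "HEADERSIGNATURES", 267: "DSA", 268: "RSA", 269: "SHA1",
                1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG"}
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPM_BIN_TYPE = 7          # index entry type for binary blobs
INDEX_ENTRY = 16          # tag, type, offset, count: four big-endian uint32

# Preamble + index of the signature header, copied from the first hexdump
# above (package signed twice; data section deliberately truncated).
SIGNED_TWICE = bytes.fromhex(
    "8EADE801 00000000 00000008 00000155"
    "0000003E 00000007 000000AC 00000010"
    "000003E8 00000004 00000000 00000001"
    "000003EA 00000007 00000004 00000098"
    "000003EC 00000007 0000009C 00000010"
    "0000010B 00000007 000000BC 00000041"
    "000003E8 00000004 00000100 00000001"
    "000003EC 00000007 00000104 00000010"
    "000003ED 00000007 00000114 00000041")

# Same bytes from the second hexdump (resigned with rpm-4.0.4 --resign).
RESIGNED = bytes.fromhex(
    "8EADE801 00000000 00000005 000000FD"
    "0000003E 00000007 000000ED 00000010"
    "000003E8 00000004 00000000 00000001"
    "000003EA 00000007 00000004 00000098"
    "000003EC 00000007 0000009C 00000010"
    "000003ED 00000007 000000AC 00000041")

def parse_header_index(blob):
    """Return (entries, duplicate_tags) for an rpm header's preamble + index.
    Each entry is (tag, type, offset, count); only the index is needed."""
    magic, nindex, hsize = struct.unpack(">4s4xII", blob[:16])
    if magic != RPM_HEADER_MAGIC:
        raise ValueError("not an rpm header (bad magic)")
    entries = [struct.unpack(">IIII", blob[16 + INDEX_ENTRY * i:32 + INDEX_ENTRY * i])
               for i in range(nindex)]
    tag, typ, off, cnt = entries[0]   # first entry is the region trailer
    if typ != RPM_BIN_TYPE or cnt != 16 or off + 16 > hsize:
        raise ValueError("region trailer tag %d is malformed" % tag)
    dups = sorted(t for t, n in Counter(e[0] for e in entries).items() if n > 1)
    return entries, dups

def lookup(entries, tag):
    """First-match lookup: with a duplicated tag the original entry wins."""
    return next((e for e in entries if e[0] == tag), None)

def describe(entries):
    return ["%-16s type=%d offset=%d count=%d" % (SIGTAG_NAMES.get(t, str(t)), y, o, c)
            for t, y, o, c in entries]
```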
