Red Hat Bugzilla – Bug 90334
rpm 4.2 cannot sign older rpms
Last modified: 2007-04-18 12:53:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030215
Description of problem:
After resigning or adding a signature to an rpm built with older rpm's (e.g.
rpm --resign older.rpm
rpm gets signed but also corrupted. Even querying is then broken, e.g.:
error: older.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7
offset 64 count 16
Have rpm headers in 4.2 changed in incompatible way? If rpm can't sign safely
older rpms it should probably refuse to do so.
Version-Release number of selected component (if applicable):
rpm-4.2-0.69 and rpm-4.2-1
Steps to Reproduce:
1. Pick an older rpm.
2. Sign or resign it.
3. Query it and observe it's corrupted.
Actual Results: signed rpm has corrupted header
Expected Results: good signature
More detail is needed as some rpm sign just fine and others are "corrupted". It
seems to be related to the version of rpm with which package was built. For
example, I just picked up
from updates for 7.2. man is very recent (likely built with rpm-4.0.4-7x),
nfs-utils is very old (likely built with rpm-4.0.3-1.03). man can be resigned
just fine, nfs-utils can't.
man-1.5j-7.7x.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
error: nfs-utils-0.3.1-18.104.22.168.i386.rpm: rpmReadSignature failed: region
trailer: BAD, tag 61 type 7 offset 64 count 16
Similar complaint for rpm -qp nfs-utils...
Actually, they are not even really corrupted - put the same rpm on an older
machine and suddenly everything is ok... Similarly, sign above mentioned
nfs-utils on a 7.3 machine and again, 9 complains. This indicates that it may be
just a simple bug somewhere in rpm header handling library. I'll try to look for
it but not being accustomed to the code it may take me a while :) so help is
BTW, why do I even give a damn - some software is distributed in binary rpms
only and for ease of distribution to machines I manage I sign every rpm. Some
of these are not built with recent rpm versions and cannot be anymore resigned
in a way accessible to RH 9 machines.
I need reproducible actions and ptrs to resulting
pkgs to even attempt to understand this problem. AFAIK,
there are no signing issues with rpm-4.2 that exhibit
randomly corrupted or incompatible packages.
Reopen with reproducer if you have.
Works fine for me on most stuff, but I have two RPMs that don't sign.
Take the current java rpm (I'll not attach it)
Attempt to sign it with latest fedora core 1 rpm (rpm-4.2.1-0.30) or
RH9 (rpm-4.2-0.69) and it barfs:
[user@machine downloads]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
j2sdk-1_4_2_04-linux-i586.rpm: md5 OK
[user@machine copy]$ rpm --addsign j2sdk-1_4_2_04-linux-i586.rpm
Enter pass phrase:
Pass phrase is good.
[user@machine]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
error: j2sdk-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region
BAD, tag 61 type 7 offset 48 count 16
Bagsy reopen it?
Actually, the bug is there and I am still not sure why Jeff thought it
was not reproducible and that I didn't give enough info (please check
my second comment listing nfs-utils from 7.2 as the rpm to use to
reproduce the bug, unfortunately that particular version was
supplanted with a newer one so I give the same example with another
rpm). So let's try again with even more specificity.
Take an older rpm from 7.2 updates, for example from 2001:
Let's check it, just in case and note carefully the output - signed
and made with old rpm version:
rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
mod_auth_pgsql-0.9.9-2.i386.rpm: md5 gpg OK
Now, let's resign it on RHEL3 (same result on RH9 and fc1) with rpm
--resign .... Finally, let's verify it:
rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
error: mod_auth_pgsql-0.9.9-2.i386.rpm: rpmReadSignature failed:
region trailer: BAD, tag 61 type 7 offset 64 count 16
It is not random and it is easily reproducible...
I don't mind if this is marked as won't fix but should probably be
noted somewhere in release notes or an FAQ that rpm's built and signed
with rpm older than 4.0.4 cannot be resigned with rpm 4.2 or older due
to a bug or an incompatibility in rpm headers.
I am seeing the same behaviour on the j2sdk, on which I am trying to
add a signature.
The addsign seems to corrupt the header.
rpm -vvK j2re-1_4_2_04-linux-i586.rpm
D: Expected size: 13786938 =
D: Actual size: 13786906
MD5 digest: OK (75b6aacf592bc7d7201170a8422b9dde)
[root@feynman tmp]# rpm --addsign j2re-1_4_2_04-linux-i586.rpm
[root@feynman tmp]# rpm -vvK j2re-1_4_2_04-linux-i586.rpm
error: j2re-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region
trailer: BAD, tag 61 type 7 offset 48 count 16
[root@feynman tmp]# rpm -q rpm
I'm using RH 9.0 and the RPM from rpm.org.
73 de N2ZFW
*** This bug has been marked as a duplicate of 127113 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
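
A guard against the failure reported in this thread, as an added example that is not part of the bug report or of rpm itself: re-sign a copy of the package, check it with `rpm -K`, and replace the original only if the copy still verifies. The function name `safe_resign`, the `RPM_BIN` override and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the rpm project.
# RPM_BIN is an assumed override hook so the wrapper can be pointed at a
# specific rpm binary (or a stub when testing).
RPM_BIN="${RPM_BIN:-rpm}"

# safe_resign PKG
# Re-sign a copy of PKG and swap it in only if the copy passes `rpm -K`.
# Return codes (chosen for this example):
#   0  re-signed, verified, original replaced
#   1  usage error, PKG unreadable, or working copy could not be made
#   2  signing step failed, original untouched
#   3  re-signed copy fails verification (the failure mode in this bug),
#      original untouched
safe_resign() {
    pkg="$1"
    [ -n "$pkg" ] && [ -r "$pkg" ] || return 1

    # Work in a private directory next to the package so the final mv
    # stays on one filesystem and the file name is preserved.
    dir=$(dirname -- "$pkg")
    tmp=$(mktemp -d "$dir/.resign.XXXXXX") || return 1
    work="$tmp/$(basename -- "$pkg")"
    cp -p -- "$pkg" "$work" || { rm -rf -- "$tmp"; return 1; }

    # rpm prompts for the pass phrase here, as in the transcripts above.
    if ! "$RPM_BIN" --resign "$work"; then
        rm -rf -- "$tmp"
        return 2
    fi

    # A package hit by this bug fails here with "rpmReadSignature failed".
    if ! "$RPM_BIN" -K "$work" >/dev/null 2>&1; then
        echo "safe_resign: $pkg does not verify after re-signing; original kept" >&2
        rm -rf -- "$tmp"
        return 3
    fi

    mv -f -- "$work" "$pkg" && rmdir -- "$tmp"
}
```

Run it on the machine whose rpm version will install the packages, since the thread reports that the same re-signed file reads fine on older releases.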