Bug 90334 - rpm 4.2 cannot sign older rpms
Summary: rpm 4.2 cannot sign older rpms
Status: CLOSED DUPLICATE of bug 127113
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm   
(Show other bugs)
Version: 9
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2003-05-07 03:50 UTC by Josko Plazonic
Modified: 2007-04-18 16:53 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 18:52:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Josko Plazonic 2003-05-07 03:50:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030215

Description of problem:
After resigning or adding a signature to an rpm built with older rpm's (e.g.
from 7.3)
rpm --resign older.rpm 
rpm gets signed but also corrupted.  Even querying is then on broken, e.g.:
error: older.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7
offset 64 count 16

Have rpm headers in 4.2 changed in incompatible way?  If rpm can't sign safely
older rpms it should probably refuse to do so.

Version-Release number of selected component (if applicable):
rpm-4.2-0.69 and rpm-4.2-1

How reproducible:

Steps to Reproduce:
1. Pick an older rpm.
2. Sign or resign it.
3. Query it and observe it's corrupted.

Actual Results:  signed rpm has corrupted header

Expected Results:  good signature

Additional info:

Comment 1 Josko Plazonic 2003-05-10 18:01:39 UTC
More detail is needed as some rpm sign just fine and others are "corrupted". It
seems to be related to the version of rpm with which package was built. For
example, I just picked up 
from updates for 7.2.  man is very recent (likely built with rpm-4.0.4-7x),
nfs-utils is very old (likely built with rpm-4.0.3-1.03).  man can be resigned
just fine, nfs-utils can't.
man-1.5j-7.7x.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
error: nfs-utils-0.3.1- rpmReadSignature failed: region
trailer: BAD, tag 61 type 7 offset 64 count 16

Similar complaint for rpm -qp nfs-utils...

Actually, they are not even really corrupted - put the same rpm on an older
machine and suddenly everything is ok...  Similarly, sign above mentioned
nfs-utils on a 7.3 machine and again, 9 complains. This indicates that it may be
just a simple bug somewhere in rpm header handling library. I'll try to look for
it but not being accustomed to the code it may take me a while :) so help is
very welcomed.

BTW, why do I even give a damn - some software is distributed in binary rpms
only and for ease of distribution to machines I manage I sign every rpm.  Some
of these are not built with recent rpm versions and cannot be anymore resigned
in a way accessible to RH 9 machines.


Comment 2 Jeff Johnson 2003-09-01 16:55:23 UTC
I need reproducible actions and ptrs to resulting
pkgs to even attempt to understand this problem AFAIK,
there are no signing issues with rpm-4.2 that exhibit
randomly corruped or incompatible packages.

Reopen with reproducer if you have.

Comment 3 John Hodrien 2004-04-08 11:33:23 UTC
Works fine for me on most stuff, but I have two RPMs that don't sign.

Take the current java rpm (I'll not attach it)

Attempt to sign it with latest fedora core 1 rpm (rpm-4.2.1-0.30) or
RH9 (rpm-4.2-0.69) and it barfs:

[user@machine downloads]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
j2sdk-1_4_2_04-linux-i586.rpm: md5 OK
[user@machine copy]$ rpm --addsign j2sdk-1_4_2_04-linux-i586.rpm
Enter pass phrase:
Pass phrase is good.
[user@machine]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
error: j2sdk-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region
BAD, tag 61 type 7 offset 48 count 16

Bagsy reopen it?

Comment 4 Josko Plazonic 2004-04-08 14:01:42 UTC
Actually, the bug is there and I am still not sure why Jeff thought it
was not reproducable and that I didn't give enough info (please check
my second comment listing nfs-utils from 7.2 as the rpm to use to
reproduce the bug, unfortunately that particular version for
supplanted with a newer one so I give the same example with another
rpm).  So let's try again with even more specificity.  

Take an older rpm from 7.2 updates, for example from 2001:
Let's check it, just in case and note carefully the output - signed
and made with old rpm version:
rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
mod_auth_pgsql-0.9.9-2.i386.rpm: md5 gpg OK
Now, let's resign it on RHEL3 (same result on RH9 and fc1) with rpm
--resign ....  Finally, let's verify it:
rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
error: mod_auth_pgsql-0.9.9-2.i386.rpm: rpmReadSignature failed:
region trailer: BAD, tag 61 type 7 offset 64 count 16

It is not random and it is easily reproducible...

I don't mind if this is marked as won't fix but should probably be
noted somewhere in release notes or an FAQ that rpm's built and signed
with rpm older than 4.0.4 cannot be resigned with rpm 4.2 or older due
to a bug or an incompatibility in rpm headers.

Comment 5 Need Real Name 2004-04-27 23:28:51 UTC
I am seeing the same behaviour on the j2sdk, on which I am trying to
add a signature.

The addsign seems to corrupt the header.

rpm -vvK j2re-1_4_2_04-linux-i586.rpm
D: Expected size:     13786938 = 
D:   Actual size:     13786906
    MD5 digest: OK (75b6aacf592bc7d7201170a8422b9dde)

[root@feynman tmp]# rpm --addsign j2re-1_4_2_04-linux-i586.rpm

[root@feynman tmp]# rpm -vvK j2re-1_4_2_04-linux-i586.rpm
error: j2re-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region
trailer: BAD, tag 61 type 7 offset 48 count 16

[root@feynman tmp]# rpm -q rpm

I'm using RH 9.0 and the RPM from rpm.org.

73 de N2ZFW

Comment 6 Jeff Johnson 2004-07-03 12:49:06 UTC

*** This bug has been marked as a duplicate of 127113 ***

Comment 7 Red Hat Bugzilla 2006-02-21 18:52:55 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.