From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030215
Description of problem:
After resigning or adding a signature to an rpm built with older rpm's (e.g. from 7.3)
    rpm --resign older.rpm
rpm gets signed but also corrupted. Even querying is then broken, e.g.:
    error: older.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 64 count 16
Have rpm headers in 4.2 changed in an incompatible way? If rpm can't sign safely older rpms it should probably refuse to do so.
Version-Release number of selected component (if applicable): rpm-4.2-0.69 and rpm-4.2-1
How reproducible: Always
Steps to Reproduce:
1. Pick an older rpm.
2. Sign or resign it.
3. Query it and observe it's corrupted.
Actual Results: signed rpm has corrupted header
Expected Results: good signature
Additional info:

More detail is needed as some rpms sign just fine and others are "corrupted". It seems to be related to the version of rpm with which the package was built. For example, I just picked up
    man-1.5j-7.7x.0.i386.rpm
    nfs-utils-0.3.1-13.7.2.1.i386.rpm
from updates for 7.2. man is very recent (likely built with rpm-4.0.4-7x), nfs-utils is very old (likely built with rpm-4.0.3-1.03). man can be resigned just fine, nfs-utils can't.
    man-1.5j-7.7x.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
    error: nfs-utils-0.3.1-13.7.2.1.i386.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 64 count 16
Similar complaint for rpm -qp nfs-utils...
Actually, they are not even really corrupted - put the same rpm on an older machine and suddenly everything is ok... Similarly, sign above mentioned nfs-utils on a 7.3 machine and again, 9 complains. This indicates that it may be just a simple bug somewhere in rpm header handling library. I'll try to look for it but not being accustomed to the code it may take me a while :) so help is very welcome.
BTW, why do I even give a damn - some software is distributed in binary rpms only and for ease of distribution to machines I manage I sign every rpm. Some of these are not built with recent rpm versions and cannot be anymore resigned in a way accessible to RH 9 machines.
Thanks

I need reproducible actions and ptrs to resulting pkgs to even attempt to understand this problem. AFAIK, there are no signing issues with rpm-4.2 that exhibit randomly corrupted or incompatible packages. Reopen with reproducer if you have.

Works fine for me on most stuff, but I have two RPMs that don't sign. Take the current java rpm (I'll not attach it) j2sdk-1_4_2_04-linux-i586.rpm. Attempt to sign it with latest fedora core 1 rpm (rpm-4.2.1-0.30) or RH9 (rpm-4.2-0.69) and it barfs:
    [user@machine downloads]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
    j2sdk-1_4_2_04-linux-i586.rpm: md5 OK
    [user@machine copy]$ rpm --addsign j2sdk-1_4_2_04-linux-i586.rpm
    Enter pass phrase:
    Pass phrase is good.
    j2sdk-1_4_2_04-linux-i586.rpm:
    [user@machine]$ rpm -K j2sdk-1_4_2_04-linux-i586.rpm
    error: j2sdk-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 48 count 16
Bagsy reopen it?

Actually, the bug is there and I am still not sure why Jeff thought it was not reproducible and that I didn't give enough info (please check my second comment listing nfs-utils from 7.2 as the rpm to use to reproduce the bug, unfortunately that particular version was supplanted with a newer one so I give the same example with another rpm). So let's try again with even more specificity.
Take an older rpm from 7.2 updates, for example from 2001:
    /updates/7.2/en/os/i386/mod_auth_pgsql-0.9.9-2.i386.rpm
Let's check it, just in case and note carefully the output - signed and made with old rpm version:
    rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
    mod_auth_pgsql-0.9.9-2.i386.rpm: md5 gpg OK
Now, let's resign it on RHEL3 (same result on RH9 and fc1) with
    rpm --resign ....
Finally, let's verify it:
    rpm -K mod_auth_pgsql-0.9.9-2.i386.rpm
    error: mod_auth_pgsql-0.9.9-2.i386.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 64 count 16
It is not random and it is easily reproducible... I don't mind if this is marked as won't fix but should probably be noted somewhere in release notes or an FAQ that rpm's built and signed with rpm older than 4.0.4 cannot be resigned with rpm 4.2 or older due to a bug or an incompatibility in rpm headers.

I am seeing the same behaviour on the j2sdk, on which I am trying to add a signature. The addsign seems to corrupt the header.
    rpm -vvK j2re-1_4_2_04-linux-i586.rpm
    D: Expected size: 13786938 = lead(96)+sigs(100)+pad(4)+data(13786738)
    D: Actual size: 13786906
    j2re-1_4_2_04-linux-i586.rpm: MD5 digest: OK (75b6aacf592bc7d7201170a8422b9dde)
    [root@feynman tmp]# rpm --addsign j2re-1_4_2_04-linux-i586.rpm
    j2re-1_4_2_04-linux-i586.rpm:
    [root@feynman tmp]# rpm -vvK j2re-1_4_2_04-linux-i586.rpm
    error: j2re-1_4_2_04-linux-i586.rpm: rpmReadSignature failed: region trailer: BAD, tag 61 type 7 offset 48 count 16
    [root@feynman tmp]# rpm -q rpm
    rpm-4.2-1
I'm using RH 9.0 and the RPM from rpm.org.
73 de N2ZFW

*** This bug has been marked as a duplicate of 127113 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
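
Added example (not part of the bug report and not rpm's own code): a small Python reader for the signature header that follows the 96-byte lead. It reports the region entry and the trailer it points at, which are the four values rpm prints in the `region trailer: BAD` message. The sample bytes are constructed to match the `sigs(100)` layout in the `rpm -vvK` output above; the entry tags 1000/1004 in the sample and the consistency rule behind `ok` are assumptions of this example.

```python
import struct

LEAD_SIZE = 96                        # "lead(96)" in the rpm -vvK output
HEADER_MAGIC = bytes.fromhex("8eade801")
ENTRY = struct.Struct(">iiii")        # tag, type, offset, count (big-endian)
REGION_TAGS = (61, 62, 63)            # HEADER_IMAGE, _SIGNATURES, _IMMUTABLE
SIG_REGION, BIN_TYPE = 62, 7


def read_sig_region(pkg: bytes) -> dict:
    """Describe the region entry and trailer of the signature header."""
    if pkg[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC or len(pkg) < LEAD_SIZE + 16:
        raise ValueError("no signature header after the 96-byte lead")
    il, dl = struct.unpack_from(">II", pkg, LEAD_SIZE + 8)
    index_at = LEAD_SIZE + 16
    data_at = index_at + il * ENTRY.size
    if il == 0 or data_at + dl > len(pkg):
        raise ValueError("index or data store runs past the end of the file")
    info = {"il": il, "dl": dl, "size": 16 + il * ENTRY.size + dl,
            "region": None, "trailer": None, "ok": None}
    first = ENTRY.unpack_from(pkg, index_at)
    if first[0] not in REGION_TAGS:
        return info                   # header carries no region entry
    info["region"] = first
    _, typ, off, cnt = first
    if typ != BIN_TYPE or cnt != ENTRY.size or not 0 <= off <= dl - ENTRY.size:
        info["ok"] = False            # region entry does not point at a trailer
        return info
    trailer = ENTRY.unpack_from(pkg, data_at + off)
    info["trailer"] = trailer
    # Assumed consistency rule: the trailer repeats tag 62 / type 7 / count 16
    # and stores minus the byte size of the index it covers.
    info["ok"] = (trailer[0] == SIG_REGION and trailer[1] == BIN_TYPE
                  and trailer[3] == ENTRY.size
                  and -trailer[2] == il * ENTRY.size)
    return info


def build_sample(trailer_tag: int) -> bytes:
    """Constructed input: zeroed lead plus a 3-entry, 100-byte signature header."""
    index = [(SIG_REGION, BIN_TYPE, 20, 16), (1000, 4, 0, 1), (1004, BIN_TYPE, 4, 16)]
    data = bytes(4) + bytes(16) + ENTRY.pack(trailer_tag, BIN_TYPE, -48, 16)
    head = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(index), len(data))
    return bytes(LEAD_SIZE) + head + b"".join(ENTRY.pack(*e) for e in index) + data


if __name__ == "__main__":
    for tag in (62, 61):              # 61 reproduces the tag shown in the error
        r = read_sig_region(build_sample(tag))
        print(tag, r["size"], r["trailer"], "ok" if r["ok"] else "BAD")
```

To inspect a real package, pass the first few kilobytes of the file to `read_sig_region` before and after re-signing and compare the two results.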