RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 995822 - Provide a facility to provide and verify a checksum for rpm Source files.
Summary: Provide a facility to provide and verify a checksum for rpm Source files.
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: rpm
Version: 6.6
Hardware: All
OS: All
unspecified
low
Target Milestone: rc
: ---
Assignee: Packaging Maintenance Team
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-11 10:28 UTC by Simon J Mudd
Modified: 2016-01-04 23:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-04 09:29:22 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Simon J Mudd 2013-08-11 10:28:42 UTC 
Description of problem:

RPM does not allow the Source: tags to have any reference to a possible checksum.
For certain issues like: http://bugs.mysql.com/bug.php?id=69512 this means it is impossible to verify that the source provided to build a package is indeed the appropriate one, and this may lead to confusion or incorrectly built packages.

Some other package managers do have such a facility and it would be useful to add this functionality I believe.

Version-Release number of selected component (if applicable):

all versions.

How reproducible:

Completely. 

Steps to Reproduce:

1. Build a package using for example mysql-5.6.12.tar.gz,
2. unpack the source tar ball and change something, and repack, build again.
3. There is no possible check in rpm to catch this, so it's not possible to see that the 2 binary packages may indeed be (completely) different.


Actual results:


Expected results:

If a source file had a checksum verification mechanism then it would be immediately obvious that the source file had been modified.

Additional info:

Obviously this is new functionality and should not break existing packaging but perhaps some sort of _optional_ tag:

SourceX_MD5Sum: bad2f6832db3a3feec7ccdbc79d436ba

would provide a mechanism for rpmbuild to verify the source files are indeed the expected ones.   It doesn't really matter what checksum mechanism is used: MD5, SHA etc are all fine. All we want to know is that the source file is not the expected one and this should prevent rpmbuild from continuing, and it should give a sensible error message like

Source4: md5sum checksum failed for mysql-1.2.3.tar.gz. Expected XXXXX, file checksum was YYYYY.
Comment 2 Simon J Mudd 2013-08-11 19:20:12 UTC 
Related to https://bugzilla.redhat.com/show_bug.cgi?id=624123 I guess.

Perhaps this needs reporting upstream, but upstream is pretty much owned (partially at least) by RedHat so if this is perceived as useful then I guess it will get implemented.

It would also be useful for ensuring that source files are not intentionally tampered with as the checksum would differ on a "tampered" source file, and thus the build from the spec file would fail.
Comment 3 Simon J Mudd 2013-08-11 22:17:04 UTC 
Another reference to show that having different source files with  the same name really can happen, I guess in this case unintentionally: http://bugs.mysql.com/bug.php?id=69987
Comment 4 Panu Matilainen 2013-08-12 05:10:15 UTC 
Yes this would be the same thing as bug 624123. From upstream perspective, the feature is considered useful / nice to have but this seems more like rhel-7 material to me at this point. If/when the feature has actually been implemented, the feasibility of backporting could be (re)considered.

Note that such a feature needs to have flexible support for multiple digest types, md5sums are considered deprecated from security POV.
Comment 5 Simon J Mudd 2013-08-12 05:50:04 UTC 
I do not tend to write many bug reports for RHEL so if this is categorised incorrectly please adjust as appropriate.

I also understand this would be a new feature so is unlikely to go into RHEL6 unless backported from a newer version.
Comment 6 RHEL Program Management 2013-10-14 02:46:56 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 7 Panu Matilainen 2014-11-04 09:29:22 UTC 
I dont see this happening in RHEL-6. The RFE itself is entirely reasonable and continues to be tracked on upstream and/or Fedora side of things, but closing this one as DEFERRED.
Comment 8 Simon J Mudd 2016-01-04 23:10:04 UTC 
I have bumped into this again, similar issue.

If this can not be fixed in RHEL6 which is no longer the latest version of RHEL, is it possible to fix in a later version of RHEL? Or if not to fix "upstream" (in rpm) so that this issue will eventually make it downstream into the normal rpm distributions?

If I should be pushing this via a different route please make it clear to me how or where I should do that as I rarely interact with RH directly even if I do use (and have used) RH Linux and rpm since '94 or so. Many thanks.
Note You need to log in before you can comment on or make changes to this bug.