Discussion:
rpm -Va BAD, key ID
Elan Ruusamäe
2015-01-13 16:30:18 UTC
rpm -Va emits such messages:

error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d

that's from repeated scratch installs; the key ID always stays the same
(e4f1bc2d)


i've traced that something between rpm-5.4.14-5.x86_64 and
rpm-5.4.15-6.x86_64 has caused it

18:19:15 vagrant[load: 0.44]@pld64 ~$ cat /etc/vagrant_box_build_time
Fri Oct 10 00:22:52 CEST 2014

18:19:16 vagrant[load: 0.40]@pld64 ~$ rpm -q rpm
rpm-5.4.14-5.x86_64

18:19:20 vagrant[load: 0.40]@pld64 ~$ rpm -Va > /dev/null
18:19:54 vagrant[load: 0.45]@pld64 ~$ sudo poldek --up -u rpm
[cut]
18:20:43 vagrant[load: 0.31]@pld64 ~$ rpm -q rpm
rpm-5.4.15-6.x86_64
18:21:36 vagrant[load: 0.14]@pld64 ~$ rpm -Va > /dev/null
error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
...
error: rpmdb (h#147): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#148): Header V4 DSA signature: BAD, key ID e4f1bc2d

18:21:53 vagrant[load: 0.17]@pld64 ~$

downgrading back to 5.4.14 (from the repackage spool) suggests that the
db itself is not corrupted:

18:24:09 root[load: 0.14]@pld64 ~# rpm --version
rpm (RPM) 5.4.14
18:23:56 root[load: 0.08]@pld64 ~# rpm -Va >/dev/null
18:24:09 root[load: 0.14]@pld64 ~#

db_verify says the same:
18:25:53 root[load: 0.07]@pld64 lib/rpm# db5.2_verify A* Ba* C* Dirnames F* G* I* N* O* P* R* S* T* V*
BDB5105 Verification of Arch succeeded.
BDB5105 Verification of Basenames succeeded.
BDB5105 Verification of Conflictname succeeded.
BDB5105 Verification of Dirnames succeeded.
BDB5105 Verification of Filedigests succeeded.
BDB5105 Verification of Filepaths succeeded.
BDB5105 Verification of Group succeeded.
BDB5105 Verification of Installtid succeeded.
BDB5105 Verification of Name succeeded.
BDB5105 Verification of Nvra succeeded.
BDB5105 Verification of Obsoletename succeeded.
BDB5105 Verification of Os succeeded.
BDB5105 Verification of Packagecolor succeeded.
BDB5105 Verification of Packages succeeded.
BDB5105 Verification of Providename succeeded.
BDB5105 Verification of Pubkeys succeeded.
BDB5105 Verification of Release succeeded.
BDB5105 Verification of Requirename succeeded.
BDB5105 Verification of Seqno succeeded.
BDB5105 Verification of Sha1header succeeded.
BDB5105 Verification of Sigmd5 succeeded.
BDB5105 Verification of Sourcepkgid succeeded.
BDB5105 Verification of Triggername succeeded.
BDB5105 Verification of Version succeeded.


also the rpmdbchk tool by proyvind says 0% damaged with 5.4.14 and ~1%
damaged with 5.4.15:

18:26:55 root[load: 0.20]@pld64 rpm/bin# /rpmdbchk --checkonly
checking /var/lib/rpm/Packages: 135/135 100%
0/135 (0.000000%) headers damaged

18:26:36 root[load: 0.10]@pld64 rpm/bin# /rpmdbchk --checkonly
checking /var/lib/rpm/Packages: 2/136 1%
1 (2): Header V4 DSA signature: BAD, key ID e4f1bc2d
checking /var/lib/rpm/Packages: 3/136 2%
...
checking /var/lib/rpm/Packages: 134/136 99%
checking /var/lib/rpm/Packages: 136/136 100%
128/136 (0.941176%) headers damaged

18:26:47 root[load: 0.22]@pld64 rpm/bin#


ps: the vagrant base boxes on which i've conducted the above tests are available from
ftp://ftp.pld-linux.org/people/glen/vm/th/

pld64-20141009.box - rpm-5.4.14-5.x86_64
pld64-20141205.box - rpm-5.4.15-6.x86_64
--
glen
Jeffrey Johnson
2015-01-13 17:43:11 UTC
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
What package is header #123? (try rpm -Vavv which should display package names near h#123).
Post by Elan Ruusamäe
that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
i've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 and have caused it
rpm-5.4.14 may not attempt to verify header signatures while verifying; I forget when it was enabled.

Removing and re-importing 0xe4f1bc2d is the 1st thing to try.

You can easily patch out the attempt to verify header signatures in 5.4.15.

Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
and whether the public key is imported or included in packages.

73 de Jeff
Elan Ruusamäe
2015-01-13 20:01:05 UTC
Post by Jeffrey Johnson
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
What package is header #123? (try rpm -Vavv which should display package names near h#123).
that #123 is pretty much every package in the system.
h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake
gpg package.

rpm -Vavv output of 5.4.14 and 5.4.15 can be obtained from here:

http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
Post by Jeffrey Johnson
Post by Elan Ruusamäe
that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
i've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 and have caused it
rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
You can easily patch out the attempt to verify header signatures in 5.4.15.
Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
and whether the public key is imported or included in packages.
gpg-pubkey-e4f1bc2d-47b351f0 is the key used to sign PLD Th packages:

$ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0

Name : gpg-pubkey Relocations: (not relocatable)
Version : e4f1bc2d Vendor: (none)
Release : 47b351f0 Build Date: Fri Oct 10 01:19:35 2014
Install Date: Fri Oct 10 01:19:35 2014 Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-***@pld-linux.org>)
Architecture: (none)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: RPM 5.4.10 (BeeCrypt)
[...]
=ayIa
-----END PGP PUBLIC KEY BLOCK-----

the pubkey is available publicly from ftp:
ftp://ftp.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc


removing the pubkey made rpm -Va succeed; importing it again made it
fail again:

21:55:00 root[load: 0.08]@pld64 ~# rpm -e gpg-pubkey-e4f1bc2d-47b351f0

21:55:52 root[load: 0.04]@pld64 ~# rpm -Va >/dev/null

21:56:12 root[load: 0.09]@pld64 ~# rpm -q rpm
rpm-5.4.15-7.x86_64

21:56:15 root[load: 0.09]@pld64 ~# rpm --import /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc

21:56:21 root[load: 0.08]@pld64 ~# rpm -Va >/dev/null
error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
...
--
glen
Jeffrey Johnson
2015-01-14 10:08:28 UTC
Post by Elan Ruusamäe
Post by Jeffrey Johnson
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
What package is header #123? (try rpm -Vavv which should display package names near h#123).
that #123 is pretty much every package in the system.
h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake gpg package.
http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
Post by Jeffrey Johnson
Post by Elan Ruusamäe
that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
i've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 and have caused it
rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
You can easily patch out the attempt to verify header signatures in 5.4.15.
Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
and whether the public key is imported or included in packages.
$ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0
Name : gpg-pubkey Relocations: (not relocatable)
Version : e4f1bc2d Vendor: (none)
Release : 47b351f0 Build Date: Fri Oct 10 01:19:35 2014
Install Date: Fri Oct 10 01:19:35 2014 Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
---------------------------^^^^ Presumably this is an RSA public key.
Post by Elan Ruusamäe
Architecture: (none)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: RPM 5.4.10 (BeeCrypt)
-------------- ^^^^^^^^^^ exported by rpm-5.4.10
Post by Elan Ruusamäe
[...]
=ayIa
-----END PGP PUBLIC KEY BLOCK-----
ftp://ftp.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc
Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?

There were many fixes for RSA signatures in rpm-5.4.15.

These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.

The testing does not exclude a regression, but there are known incompatibilities between
rpm-5.4.15 and earlier versions of RPM with RSA signatures.

(aside)
Write a loop generating as many RSA pubkeys as you wish and sign packages
until you are confident of the RSA signatures implemented in rpm-5.4.15.

See tests/genpgp.sh for how to generate RSA key pairs

73 de Jeff
Post by Elan Ruusamäe
rpm-5.4.15-7.x86_64
error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
...
--
glen
_______________________________________________
pld-devel-en mailing list
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
Jan Rękorajski
2015-01-25 14:26:05 UTC
Post by Jeffrey Johnson
Post by Elan Ruusamäe
Post by Jeffrey Johnson
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
What package is header #123? (try rpm -Vavv which should display package names near h#123).
that #123 is pretty much every package in the system.
h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake gpg package.
http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
Post by Jeffrey Johnson
Post by Elan Ruusamäe
that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
i've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 and have caused it
rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
You can easily patch out the attempt to verify header signatures in 5.4.15.
Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
and whether the public key is imported or included in packages.
$ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0
Name : gpg-pubkey Relocations: (not relocatable)
Version : e4f1bc2d Vendor: (none)
Release : 47b351f0 Build Date: Fri Oct 10 01:19:35 2014
Install Date: Fri Oct 10 01:19:35 2014 Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
---------------------------^^^^ Presumably this is an RSA public key.
Post by Elan Ruusamäe
Architecture: (none)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: RPM 5.4.10 (BeeCrypt)
-------------- ^^^^^^^^^^ exported by rpm-5.4.10
[...]
Post by Jeffrey Johnson
Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?
No, packages signed with 5.4.15 also fail to verify with it.
The following command is used to sign packages:

rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files

So that's not a problem with our setup; from my perspective it looks like
5.4.15 has broken RSA sig verification. Can you look into it?
Post by Jeffrey Johnson
There were many fixes for RSA signatures in rpm-5.4.15.
These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.
The testing does not exclude a regression, but there are known incompatibilities between
rpm-5.4.15 and earlier versions of RPM with RSA signatures.
Can you elaborate what kind of incompatibilities we can expect?
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
Jeffrey Johnson
2015-01-25 14:38:15 UTC
Post by Jan Rękorajski
Post by Jeffrey Johnson
Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?
No, packages signed with 5.4.15 also fail to verify with it.
rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files
So, that's not a problem of our setup, from my perspective it looks like
5.4.15 has broken RSA sig verification, can you look into it?
I can try to reproduce the verification failure, but I haven’t the private key.

… meanwhile there are 5 crypto implementations in rpm, compile/use
any/all of BeeCrypt/NSS/OpenSSL/libtomcrypt/libgcrypt, see where
the problem lies.
Post by Jan Rękorajski
Post by Jeffrey Johnson
There were many fixes for RSA signatures in rpm-5.4.15.
These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.
The testing does not exclude a regression, but there are known incompatibilities between
rpm-5.4.15 and earlier versions of RPM with RSA signatures.
Can you elaborate what kind of incompatibilities we can expect?
Fingerprints were miscalculated for V4 RSA pubkeys, MPI lengths
were incorrect for RSA keys/signatures that happened to have 8 leading
zero bits, bit counts in RSA private keys were added (which affects fingerprints),
for starters.

73 de Jeff
Post by Jan Rękorajski
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
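Jeff's list above (V4 RSA fingerprints, MPI lengths for values with 8 leading zero bits, bit counts that feed the fingerprint) maps onto three rules in RFC 4880. The following is an added example of mine, not code from rpm and not posted by anyone in this thread, that implements those rules so the symptoms can be reasoned about concretely: minimal MPI encoding and a decoder that rejects a non-minimal MPI, the V4 fingerprint (SHA-1 over 0x99, a two-octet length and the key packet body), the key ID as its low 64 bits (rpm prints the low 32 bits, as in "key ID e4f1bc2d"), and the gpg-pubkey-<key ID>-<creation time in hex> name rpm gives an imported key. All key material is constructed toy data; the 0x47b351f0 timestamp is only borrowed from the package name in the thread.

```python
"""Added example (mine; not code from rpm, nor posted by anyone in this thread).
It implements the RFC 4880 rules that the RSA fixes Jeff mentions are about:
minimal MPI encoding (section 3.2), V4 public-key packet bodies (5.5.2), the
V4 fingerprint and the key ID derived from it (12.2), plus the naming rpm uses
for imported keys. All key material below is constructed toy data."""
import hashlib
from datetime import datetime, timezone

ALGO = {1: "RSA", 17: "DSA"}          # RFC 4880 9.1 public-key algorithm IDs
MPI_COUNT = {1: 2, 17: 4}             # RSA: n, e    DSA: p, q, g, y


def mpi_encode(n: int) -> bytes:
    """Two-octet bit count followed by the minimal big-endian octets.
    A value whose top octet would be zero is emitted one octet shorter than
    its modulus: this is the '8 leading zero bits' case that trips up code
    which derives the MPI length from the key size instead of the value."""
    if n < 0:
        raise ValueError("MPI must be non-negative")
    nbits = n.bit_length()
    return nbits.to_bytes(2, "big") + n.to_bytes((nbits + 7) // 8, "big")


def mpi_decode(buf: bytes, off: int = 0):
    """Return (value, next_offset). Rejects truncated MPIs and MPIs whose
    declared bit count disagrees with the value, i.e. non-minimal encodings."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI length")
    nbits = int.from_bytes(buf[off:off + 2], "big")
    nbytes = (nbits + 7) // 8
    body = buf[off + 2:off + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI body")
    value = int.from_bytes(body, "big")
    if value.bit_length() != nbits:
        raise ValueError(f"declared {nbits} bits, value has {value.bit_length()}")
    return value, off + 2 + nbytes


def v4_pubkey_body(created: int, algo: int, mpis) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm, MPIs."""
    return (bytes([4]) + created.to_bytes(4, "big") + bytes([algo])
            + b"".join(mpi_encode(m) for m in mpis))


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()


def parse_v4_pubkey(body: bytes) -> dict:
    """Parse a V4 public-key packet body; the key ID is the low 64 bits of the
    fingerprint and rpm's short form (as in 'key ID e4f1bc2d') its low 32 bits."""
    if not body or body[0] != 4:
        raise ValueError("only V4 public keys are handled here")
    created = int.from_bytes(body[1:5], "big")
    algo = body[5]
    mpis, off = [], 6
    while off < len(body):
        m, off = mpi_decode(body, off)
        mpis.append(m)
    if algo in MPI_COUNT and len(mpis) != MPI_COUNT[algo]:
        raise ValueError(f"{ALGO[algo]} key needs {MPI_COUNT[algo]} MPIs, got {len(mpis)}")
    fp = v4_fingerprint(body)
    return {"created": created, "algo": ALGO.get(algo, f"algo{algo}"),
            "mpis": mpis, "fingerprint": fp, "keyid": fp[-16:], "short_keyid": fp[-8:]}


def parse_gpg_pubkey_name(name: str):
    """rpm stores an imported key as gpg-pubkey-<short key ID>-<creation time, hex>."""
    _, _, short_keyid, created_hex = name.split("-")
    return short_keyid, datetime.fromtimestamp(int(created_hex, 16), tz=timezone.utc)


if __name__ == "__main__":
    # Constructed 24-bit "modulus" and a value with a zero top octet (8 leading zero bits).
    print(mpi_encode(0xABCDEF).hex(), mpi_encode(0x00FF01).hex())
    body = v4_pubkey_body(0x47B351F0, 1, [0xABCDEF, 65537])   # toy RSA key, not a real one
    info = parse_v4_pubkey(body)
    print(info["algo"], info["fingerprint"], "key ID", info["short_keyid"])
    print(parse_gpg_pubkey_name("gpg-pubkey-e4f1bc2d-47b351f0"))
```

The value 0x00FF01 in the demo is the leading-zero case: its minimal MPI is two octets although the toy modulus is three, so a decoder that sizes MPIs from the modulus rather than from the declared bit count reads one octet too many and every signature check after it fails, which is the kind of off-by-one-octet incompatibility Jeff describes. The same decoder rejects `00 18 00 ff 01`, the non-minimal form an older encoder might have written.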
Elan Ruusamäe
2015-02-10 20:46:44 UTC
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
so, what's our fix for pld? this regression is ugly!

if you're not going to fix this, at least put assert(1!=0) so end users won't
be confused into thinking the rpm db is corrupted,
as if you are going to do an rpm repair with that rpm 5.4.15, things will
get much worse.
--
glen
Jeffrey Johnson
2015-02-10 22:40:02 UTC
Post by Elan Ruusamäe
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
so, what's our fix for pld? this regression is ugly!
So disable header signature verification in lib/verify.c. The behavior is relatively
new and has been disabled before.
Post by Elan Ruusamäe
if not going to fix this, at least put assert(1!=0) so end users won't be confused like rpm db is corrupted,
I can’t fix what I cannot reproduce.

For starters, that is an RSA, not a DSA key, when looked up on key servers.
Post by Elan Ruusamäe
as if you are going to do rpm repair with that rpm 5.4.15, things will get very worse.
So disable signature checking on retrieved headers using rpm -Va in lib/verify.c and be happy.

73 de Jeff
Post by Elan Ruusamäe
--
glen
Elan Ruusamäe
2015-02-11 10:10:30 UTC
Post by Jeffrey Johnson
I can’t fix what I cannot reproduce.
as i see it, you do not want to reproduce it. i gave you links to vm's,
did you even download them?
--
glen
Jeffrey Johnson
2015-02-11 13:23:49 UTC
Post by Jeffrey Johnson
I can’t fix what I cannot reproduce.
as i see it, you do not want to reproduce it. i gave you links to vm's, did you even download them?
You gave me a link to the pubkey
ftp://ftp.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc
and the rpm -Vavv output
http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
That is insufficient information to diagnose your problem.

Disable the header signature checking with rpm -Va by removing the lines below in lib/verify.c



73 de Jeff

===========================================
    /* Verify header digest/signature. */
    if (qva->qva_flags & (VERIFY_DIGEST | VERIFY_SIGNATURE))
    {
        const char * horigin = headerGetOrigin(h);
        const char * msg = NULL;
        size_t uhlen = 0;
        void * uh = headerUnload(h, &uhlen);
        int lvl = headerCheck(rpmtsDig(ts), uh, uhlen, &msg) == RPMRC_FAIL
                ? RPMLOG_ERR : RPMLOG_DEBUG;
        rpmlog(lvl, "%s: %s\n",
                (horigin ? horigin : "verify"), (msg ? msg : ""));
        rpmtsCleanDig(ts);
        uh = _free(uh);
        msg = _free(msg);
    }
Elan Ruusamäe
2015-02-11 17:48:30 UTC
Post by Jeffrey Johnson
Disable the header signature checking with rpm -Va by removing the lines below in lib/verify.c
73 de Jeff
===========================================
/* Verify header digest/signature. */
if (qva->qva_flags & (VERIFY_DIGEST | VERIFY_SIGNATURE))
{
const char * horigin = headerGetOrigin(h);
const char * msg = NULL;
size_t uhlen = 0;
void * uh = headerUnload(h, &uhlen);
int lvl = headerCheck(rpmtsDig(ts), uh, uhlen, &msg) == RPMRC_FAIL
? RPMLOG_ERR : RPMLOG_DEBUG;
rpmlog(lvl, "%s: %s\n",
(horigin ? horigin : "verify"), (msg ? msg : ""));
rpmtsCleanDig(ts);
uh = _free(uh);
msg = _free(msg);
}
applied this patch:
http://git.pld-linux.org/?p=packages/rpm.git;a=commitdiff;h=8b6cca9fe5a04dd48c84e7fd65fbfd177acaa1b3

now "rpm -Va >/dev/null" is silent:

# rpm -q rpm
rpm-5.4.15-10.1.x86_64
# rpm -Va >/dev/null
#

i found something weird: if i do rpm -V pkgname, the header verification
error is not printed, but rpm -Va shows the error for every package
(besides gpg-pubkey) in the system.

# for a in `rpm -qa`; do rpm -V $a; done >/dev/null
#

and:

# rpm -Va >/dev/null 2>out
# head -n 3 out
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#4): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#5): Header V4 DSA signature: BAD, key ID e4f1bc2d
# tail -n 3 out
error: rpmdb (h#255): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#256): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#257): Header V4 DSA signature: BAD, key ID e4f1bc2d
# rpm -qa|wc -l
186
# wc -l out
177 out
--
glen
Jeffrey Johnson
2015-02-11 17:58:12 UTC
Post by Elan Ruusamäe
Post by Jeffrey Johnson
Disable the header signature checking with rpm -Va by removing the lines below in lib/verify.c
73 de Jeff
===========================================
/* Verify header digest/signature. */
if (qva->qva_flags & (VERIFY_DIGEST | VERIFY_SIGNATURE))
{
const char * horigin = headerGetOrigin(h);
const char * msg = NULL;
size_t uhlen = 0;
void * uh = headerUnload(h, &uhlen);
int lvl = headerCheck(rpmtsDig(ts), uh, uhlen, &msg) == RPMRC_FAIL
? RPMLOG_ERR : RPMLOG_DEBUG;
rpmlog(lvl, "%s: %s\n",
(horigin ? horigin : "verify"), (msg ? msg : ""));
rpmtsCleanDig(ts);
uh = _free(uh);
msg = _free(msg);
}
http://git.pld-linux.org/?p=packages/rpm.git;a=commitdiff;h=8b6cca9fe5a04dd48c84e7fd65fbfd177acaa1b3
Good: that's progress and identifies the code path where the problem lies.
Post by Elan Ruusamäe
# rpm -q rpm
rpm-5.4.15-10.1.x86_64
# rpm -Va >/dev/null
#
i found something weird, if i do rpm -V pkgname, the header verification error is not printed, but rpm -Va shows the error for every package (besides gpg-pubkey) in the system.
Shows WHAT error? I'm missing something here: either rpm -Va is silent (as above) or it's not (as you say here)?
Which is it?

Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
Post by Elan Ruusamäe
# for a in `rpm -qa`; do rpm -V $a; done >/dev/null
#
# rpm -Va >/dev/null 2>out
# head -n 3 out
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#4): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#5): Header V4 DSA signature: BAD, key ID e4f1bc2d
# tail -n 3 out
error: rpmdb (h#255): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#256): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#257): Header V4 DSA signature: BAD, key ID e4f1bc2d
# rpm -qa|wc -l
186
# wc -l out
177 out
There's no need to count duplicated errors.

73 de Jeff
Post by Elan Ruusamäe
--
glen
Elan Ruusamäe
2015-02-12 09:44:58 UTC
Post by Jeffrey Johnson
Post by Elan Ruusamäe
i found something weird, if i do rpm -V pkgname, the header verification error is not printed, but rpm -Va shows the error for every package (besides gpg-pubkey) in the system.
Shows WHAT error? I'm missing something here: either rpm -Va is silent (as above) or its not (as you say here)?
Which is it?
i forgot "ps:", as the line starting with "i found something weird"
started new output with the old version where the problem was not patched out.

basically "rpm -Va |wc -l" reports header errors, while "foreach $packages;
rpm -Va $package; done | wc -l" reports nothing; thus rpm -V $pkgname does
not emit header errors.
Post by Jeffrey Johnson
Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
Post by Elan Ruusamäe
Post by Elan Ruusamäe
# for a in `rpm -qa`; do rpm -V $a; done >/dev/null
#
# rpm -Va >/dev/null 2>out
# head -n 3 out
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#4): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#5): Header V4 DSA signature: BAD, key ID e4f1bc2d
# tail -n 3 out
error: rpmdb (h#255): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#256): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#257): Header V4 DSA signature: BAD, key ID e4f1bc2d
# rpm -qa|wc -l
186
# wc -l out
177 out
--
glen
Jeffrey Johnson
2015-02-12 17:55:17 UTC
Post by Jeffrey Johnson
Post by Elan Ruusamäe
i found something weird, if i do rpm -V pkgname, the header verification error is not printed, but rpm -Va shows the error for every package (besides gpg-pubkey) in the system.
Shows WHAT error? I'm missing something here: either rpm -Va is silent (as above) or its not (as you say here)?
Which is it?
i forgot "ps:", as the line starting with "i found something weird" started new output with old version where problem was not patched out.
basically "rpm -Va |wc -l" says header errors, while "foreach $packages; rpm -Va $package; done | wc -l" says nothing, thus rpm -V $pkgname does not emit header errors.
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.

You should also convince yourself that header signatures are verified when installing a package:

rpm -Uvv somepackage*.rpm

and examine the output.

The output will look similar to this:

D: PUB: 59625668 0E9642C7 V4 ECDSA
D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)
D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7

Verifying that header signatures are verified while installing SHOULD also confirm that the flaw
is with rpm -Va, not with RSA.
Post by Jeffrey Johnson
Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
OPENMP is used if available when building. The top level Makefile will have this:

$ grep OPENMP Makefile
OPENMP_CFLAGS = -fopenmp
OPENMP_CXXFLAGS = -fopenmp
AM_CFLAGS = $(OPENMP_CFLAGS)

73 de Jeff
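Both the first post (rpm -Va error lines, one per header, all with the same key ID) and Jeff's rpm -Uvv sample above are read by eye in this thread. As an added example of mine, not code from rpm or from anyone here, this parser pulls the header-signature and pubkey lines out of that output and applies the triage rule the thread arrives at: a failure on every header with one key ID implicates the verifier or the imported key, whereas real rpmdb damage would hit scattered headers and be caught by db_verify or rpmdbchk. The sample lines are copied from the outputs posted in the thread; the regexes are mine and assume rpm 5.4's message format as shown on this page.

```python
"""Added example of mine (not code from rpm or from anyone in this thread):
parse the signature diagnostics rpm prints during rpm -Va / rpm -Vvv / rpm -Uvv
and triage them the way the thread does by hand. The sample lines are copied
from output posted in the thread; nothing is run against a real rpmdb here."""
import re
from collections import Counter

# "error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d"
# "D: foo-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7"
HEADER_RE = re.compile(
    r"^(?:error: |D: )?(?P<origin>\S+?)(?: \(h#(?P<hnum>\d+)\))?: "
    r"Header V(?P<ver>\d) (?P<algo>[A-Z0-9]+)(?:/(?P<hash>[A-Z0-9]+))? "
    r"signature: (?P<status>[A-Z]+), key ID (?P<keyid>[0-9a-fA-F]{8,16})$")
# "D: PUB: AF3F93BC E4F1BC2D V4 DSA": a pubkey rpm loaded (Pubkeys index or the package)
PUB_RE = re.compile(
    r"^D: PUB: (?P<hi>[0-9A-F]{8}) (?P<lo>[0-9A-F]{8}) V(?P<ver>\d) (?P<algo>[A-Z]+)$")


def parse_line(line: str):
    """Return a dict for a header-signature or pubkey line, None for anything else."""
    line = line.rstrip()
    m = HEADER_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "header"
        d["keyid"] = d["keyid"].lower()
        d["hnum"] = int(d["hnum"]) if d["hnum"] else None
        return d
    m = PUB_RE.match(line)
    if m:
        return {"kind": "pub", "ver": m["ver"], "algo": m["algo"],
                "longid": (m["hi"] + m["lo"]).lower(), "keyid": m["lo"].lower()}
    return None


def triage(lines):
    """Summarise header-signature results and apply the thread's heuristic:
    every header failing with one and the same key ID points at the verifier
    or the imported pubkey; genuine rpmdb damage hits scattered headers and
    shows up in db_verify / rpmdbchk, which it did not here."""
    events = [e for e in map(parse_line, lines) if e]
    headers = [e for e in events if e["kind"] == "header"]
    bad = [e for e in headers if e["status"] != "OK"]
    by_key = Counter((e["algo"], e["keyid"], e["status"]) for e in bad)
    pubkeys = {e["keyid"]: e["algo"] for e in events if e["kind"] == "pub"}
    if not headers:
        verdict = "no header signature lines found (run with -vv?)"
    elif not bad:
        verdict = "all header signatures verified"
    elif len(by_key) == 1 and len(bad) == len(headers):
        verdict = "uniform failure with one key: suspect verifier or pubkey, not rpmdb"
    else:
        verdict = "scattered failures: check rpmdb integrity (db_verify) and the packages"
    return {"headers": len(headers), "bad": len(bad), "by_key": dict(by_key),
            "pubkeys": pubkeys, "verdict": verdict}


# Lines copied from the rpm -Va output posted in the thread.
SAMPLE_VA = [
    "error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d",
    "error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d",
    "error: rpmdb (h#147): Header V4 DSA signature: BAD, key ID e4f1bc2d",
    "error: rpmdb (h#148): Header V4 DSA signature: BAD, key ID e4f1bc2d",
]
# Lines copied from the rpm -Uvv sample Jeff posted.
SAMPLE_INSTALL = [
    "D: PUB: 59625668 0E9642C7 V4 ECDSA",
    "D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)",
    "D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7",
]

if __name__ == "__main__":
    for name, sample in (("rpm -Va", SAMPLE_VA), ("rpm -Uvv", SAMPLE_INSTALL)):
        print(name, triage(sample))
```

On a live system feed it the stderr of `rpm -Va 2>&1 >/dev/null` (rpm writes these diagnostics to stderr, as the `2>out` redirection in the thread shows) or of `rpm -Uvv --test pkg.rpm 2>&1`; the per-package `rpm -V` loop from the thread can be fed through the same function to compare the two code paths.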
Elan Ruusamäe
2015-02-13 08:17:18 UTC
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different code paths.
so you're saying that (with my current package patch) header
verification is disabled for both? (as no header verification errors are
printed).
Post by Jeffrey Johnson
rpm -Uvv somepackage*.rpm
but rpm -Uhv $pkg.rpm does not emit header errors. or is the extra -v
needed to see them? and does the patch i applied disable it, or are you
talking about the current state of the pld package (where the patch is applied)?
--
glen
Jeffrey Johnson
2015-02-13 15:06:36 UTC
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.

Yes the patch disables header signature verification for both rpm -V and rpm -Va.
Post by Jeffrey Johnson
rpm -Uvv somepackage*.rpm
but rpm -Uhv $pkg.rpm does not emit header errors. or the extra -v is needed to see them?
The extra -v is needed to see the 3 lines I gave you; --nosignatures/--nodigests disables
verification. You know this ;-)
and does my patch that i applied disables it or you are talking about current state of pld package (where the patch is applied)?
I gave you a means to verify that RSA for your existing Th pubkey isn’t broken (as
you have been claiming).

Every installed package has had the header signature verified. The patch I gave you
disables verification as a work around until I can find a reproducer for whatever the
issue is and “fix”.

73 de Jeff
--
glen
Jeffrey Johnson
2015-02-14 18:21:45 UTC
Post by Jeffrey Johnson
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.
Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
the patch came from, perhaps PLD or ROSA).

The issue is/was resetting stateful variables when more than one pubkey is present. Which
explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
but "rpm -Va" doesn't.

73 de Jeff

Index: rpmhkp.c
===================================================================
RCS file: /v/rpm/cvs/rpm/rpmio/rpmhkp.c,v
retrieving revision 2.20.2.9
diff -p -u -w -r2.20.2.9 rpmhkp.c
--- rpmhkp.c 11 Oct 2014 12:56:41 -0000 2.20.2.9
+++ rpmhkp.c 14 Feb 2015 18:15:36 -0000
@@ -916,14 +916,6 @@ te = t = tbuf;

HKPDEBUG((stderr, "--> %s(%p,%s)\n", __FUNCTION__, hkp, keyname));

- /* Reset temporary variables*/
- hkp->pubx = -1;
- hkp->uidx = -1;
- hkp->subx = -1;
- hkp->sigx = -1;
- hkp->tvalid = 0;
- hkp->uvalidx = -1;
-
/* Do a lazy lookup before validating. */
if (hkp == NULL && keyname && *keyname) {
if ((hkp = rpmhkpLookup(keyname)) == NULL) {
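Review bot: the reset block removed here ran before the `if (hkp == NULL && keyname && *keyname)` lazy-lookup test that follows it in the context lines, so on the lazy-lookup path it wrote through a NULL hkp, and on the cached path it reset an object that rpmhkpLookup could still replace; deleting it is right, but this hunk is only correct together with the re-insertion in the next hunk, so the two should land as one commit and the commit message should describe it as a move, not as a removal.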
@@ -934,6 +926,14 @@ HKPDEBUG((stderr, "--> %s(%p,%s)\n", __F
if ((hkp = rpmhkpLink(hkp)) == NULL)
return rc;

+ /* Reset temporary variables*/
+ hkp->pubx = -1;
+ hkp->uidx = -1;
+ hkp->subx = -1;
+ hkp->sigx = -1;
+ hkp->tvalid = 0;
+ hkp->uvalidx = -1;
+
SUM.certs++;
assert(hkp->pkts);
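Review bot: the re-inserted block now runs on the object returned by rpmhkpLink, which with more than one pubkey in play can be a cached hkp still carrying pubx/uidx/subx/sigx/tvalid/uvalidx from the previous key's validation; that is the point of the change, and the `/* Reset temporary variables*/` comment should say so (the object may be shared across lookups and must be reset per validation), otherwise the next refactor can move it back above the lookup. The `return rc` after a failed rpmhkpLink in the preceding context leaves the state untouched, which is fine since nothing is validated on that path.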
Jan Rękorajski
2015-02-15 09:35:48 UTC
Post by Jeffrey Johnson
Post by Jeffrey Johnson
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.
Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
the patch came from, perhaps PLD or ROSA).
The issue is/was resetting stateful variables when more than one pubkey is present. Which
explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
but "rpm -Va" doesn't.
We have similar patch already applied (from Mandriva), this doesn't fix
anything. Also disabling openmp doesn't fix anything.
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
Jan Rękorajski
2015-02-15 10:00:40 UTC
Post by Jan Rękorajski
Post by Jeffrey Johnson
Post by Jeffrey Johnson
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.
Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
the patch came from, perhaps PLD or ROSA).
The issue is/was resetting stateful variables when more than one pubkey is present. Which
explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
but "rpm -Va" doesn't.
We have similar patch already applied (from Mandriva), this doesn't fix
anything. Also disabling openmp doesn't fix anything.
Debug run for a random package. No key verification disabling hacks applied.
It looks like you're losing the DSA key somewhere.

# rpm -Vvv issue
D: pool fd: created size 392 limit -1 flags 0
D: pool iob: created size 48 limit -1 flags 0
D: pool mire: created size 136 limit -1 flags 0
D: pool lua: created size 64 limit -1 flags 0
D: pool ts: created size 1200 limit -1 flags 0
D: pool gi: created size 176 limit -1 flags 0
D: pool db: created size 328 limit -1 flags 0
D: pool dbi: created size 472 limit -1 flags 0
D: rpmdb: cpus 4 physmem 7956Mb
D: opening db environment /var/lib/rpm/Packages thread:lock:log:mpool:txn
D: opening db index /var/lib/rpm/Packages thread:rdonly:auto_commit mode=0x0
D: opening db index /var/lib/rpm/Nvra thread:rdonly:auto_commit mode=0x0
D: pool mi: created size 152 limit -1 flags 0
D: pool h: created size 360 limit -1 flags 0
D: pool fi: created size 560 limit -1 flags 0
D: pool dig: created size 424 limit -1 flags 0
D: pool ctx: created size 112 limit -1 flags 0
D: pool bf: created size 56 limit -1 flags 0
D: pool hkp: created size 128 limit -1 flags 0
D: opening db index /var/lib/rpm/Pubkeys thread:rdonly:auto_commit mode=0x0
D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: PUB: 732FDFDE EAE6F8B8 V4 RSA
D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
D: UID: RSApub (PLD Linux Distribution 3.0 (Th)) <th-***@pld-linux.org>
D: pool u: created size 288 limit -1 flags 0

<
a very long wait here, +10 for trying to connect to
non-working keyservers, a.k.a. hkp://keys.rpm5.org

Disabling keyserver lookup only removes the delay,
key verification still fails.
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
........ c /etc/issue
........ c /etc/issue.net
D: pool tsi: created size 48 limit -1 flags 0
D: pool te: created size 368 limit -1 flags 0
D: pool ds: created size 232 limit -1 flags 0
D: pool al: created size 64 limit -1 flags 0
D: ========== +++ issue-3.0-6.noarch noarch/linux 0x0
D: pool ps: created size 40 limit -1 flags 0
D: opening db index /var/lib/rpm/Providename thread:rdonly:auto_commit mode=0x0
D: Requires: pld-release = 3.0 YES (db provides)
D: Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1 YES (rpmlib provides)
D: Conflicts: issue-alpha < 3.0-1 NO
D: Conflicts: issue-fancy < 3.0-1 NO
D: Conflicts: issue-logo < 3.0-1 NO
D: Conflicts: issue-nice < 3.0-1 NO
D: Conflicts: issue-pure < 3.0-1 NO
D: opening db index /var/lib/rpm/Filepaths thread:rdonly:auto_commit mode=0x0
D: Dirs: /etc YES (db files)
D: opening db index /var/lib/rpm/Conflictname thread:rdonly:auto_commit mode=0x0
D: Conflicts: issue < 3.0-1 NO
D: closed db index /var/lib/rpm/Filepaths
D: closed db index /var/lib/rpm/Nvra
D: closed db index /var/lib/rpm/Pubkeys
D: closed db index /var/lib/rpm/Conflictname
D: closed db index /var/lib/rpm/Providename
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm/Packages
D: pool gi: reused 0, alloc'd 1, free'd 1 items.
D: pool mi: reused 11, alloc'd 3, free'd 3 items.
D: pool tsi: reused 11, alloc'd 1, free'd 1 items.
D: pool ts: reused 0, alloc'd 1, free'd 1 items.
D: pool te: reused 0, alloc'd 1, free'd 1 items.
D: pool ps: reused 0, alloc'd 1, free'd 1 items.
D: pool al: reused 0, alloc'd 1, free'd 1 items.
D: pool ds: reused 24, alloc'd 14, free'd 14 items.
D: pool fi: reused 0, alloc'd 2, free'd 2 items.
D: pool db: reused 0, alloc'd 1, free'd 1 items.
D: pool dbi: reused 0, alloc'd 6, free'd 6 items.
D: pool h: reused 3, alloc'd 3, free'd 3 items.
D: pool lua: reused 0, alloc'd 1, free'd 1 items.
D: pool hkp: reused 0, alloc'd 2, free'd 2 items.
D: pool mire: reused 1, alloc'd 3, free'd 3 items.
D: pool bf: reused 0, alloc'd 3, free'd 3 items.
D: pool ctx: reused 7, alloc'd 2, free'd 2 items.
D: pool iob: reused 1, alloc'd 1, free'd 1 items.
D: pool dig: reused 1, alloc'd 2, free'd 2 items.
D: pool u: reused 0, alloc'd 1, free'd 1 items.
D: pool fd: reused 28, alloc'd 2, free'd 2 items.
D: exit code: 0
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
Jeffrey Johnson
2015-02-15 18:10:45 UTC
Post by Jan Rękorajski
Post by Jan Rękorajski
Post by Jeffrey Johnson
Post by Jeffrey Johnson
Post by Jeffrey Johnson
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
and also have an alternative means to verify header signatures using a shell loop.
i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.
Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
the patch came from, perhaps PLD or ROSA).
The issue is/was resetting stateful variables when more than one pubkey is present. Which
explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
but "rpm -Va" doesn't.
We have similar patch already applied (from Mandriva), this doesn't fix
anything. Also disabling openmp doesn't fix anything.
Debug run for a random package. No key verification disabling hacks applied.
It looks like you're losing the DSA key somewhere.
# rpm -Vvv issue
D: pool fd: created size 392 limit -1 flags 0
D: pool iob: created size 48 limit -1 flags 0
D: pool mire: created size 136 limit -1 flags 0
D: pool lua: created size 64 limit -1 flags 0
D: pool ts: created size 1200 limit -1 flags 0
D: pool gi: created size 176 limit -1 flags 0
D: pool db: created size 328 limit -1 flags 0
D: pool dbi: created size 472 limit -1 flags 0
D: rpmdb: cpus 4 physmem 7956Mb
D: opening db environment /var/lib/rpm/Packages thread:lock:log:mpool:txn
D: opening db index /var/lib/rpm/Packages thread:rdonly:auto_commit mode=0x0
D: opening db index /var/lib/rpm/Nvra thread:rdonly:auto_commit mode=0x0
D: pool mi: created size 152 limit -1 flags 0
D: pool h: created size 360 limit -1 flags 0
D: pool fi: created size 560 limit -1 flags 0
D: pool dig: created size 424 limit -1 flags 0
D: pool ctx: created size 112 limit -1 flags 0
D: pool bf: created size 56 limit -1 flags 0
D: pool hkp: created size 128 limit -1 flags 0
D: opening db index /var/lib/rpm/Pubkeys thread:rdonly:auto_commit mode=0x0
D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: PUB: 732FDFDE EAE6F8B8 V4 RSA
D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
I am confused by the UID here: is this an RSA or a DSA key? It looks like a DSA key
signed by itself as well as an RSA positive certification and UID binding signature.

I've been looking for RSA issues: I'm even more surprised at a regression with DSA.

But I'm not too surprised that more complicated key structures may be causing issues.
Originally rpm saved only the 1st packet of a pubkey containing the key material. In order
to attach/display a UID, the binding signature is verified, and the entire pubkey, with all certifications,
is now saved in an rpmdb. This is another change in rpm-5.4.15

Try using gnupg to edit the 0xE4F1BC2D pubkey, and strip out everything but the self
signed positive certification, and export/import into an rpmdb. See if that verifies.

There should be no network hkp access if you have imported the needed pubkeys correctly.
Post by Jan Rękorajski
D: pool u: created size 288 limit -1 flags 0
<
a very long wait here, +10 for trying to connect to
non-working keyservers, a.k.a. hkp://keys.rpm5.org
So some pubkey needed for verification is not imported because HKP is attempting a lookup.

Yes you need to configure a better key server than keys.rpm5.org if expecting reasonable response service.
Post by Jan Rękorajski
Disabling keyserver lookup only removes the delay,
key verification still fails.
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
........ c /etc/issue
........ c /etc/issue.net
D: pool tsi: created size 48 limit -1 flags 0
D: pool te: created size 368 limit -1 flags 0
D: pool ds: created size 232 limit -1 flags 0
D: pool al: created size 64 limit -1 flags 0
D: ========== +++ issue-3.0-6.noarch noarch/linux 0x0
D: pool ps: created size 40 limit -1 flags 0
D: opening db index /var/lib/rpm/Providename thread:rdonly:auto_commit mode=0x0
D: Requires: pld-release = 3.0 YES (db provides)
D: Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1 YES (rpmlib provides)
D: Conflicts: issue-alpha < 3.0-1 NO
D: Conflicts: issue-fancy < 3.0-1 NO
D: Conflicts: issue-logo < 3.0-1 NO
D: Conflicts: issue-nice < 3.0-1 NO
D: Conflicts: issue-pure < 3.0-1 NO
D: opening db index /var/lib/rpm/Filepaths thread:rdonly:auto_commit mode=0x0
D: Dirs: /etc YES (db files)
D: opening db index /var/lib/rpm/Conflictname thread:rdonly:auto_commit mode=0x0
D: Conflicts: issue < 3.0-1 NO
D: closed db index /var/lib/rpm/Filepaths
D: closed db index /var/lib/rpm/Nvra
D: closed db index /var/lib/rpm/Pubkeys
D: closed db index /var/lib/rpm/Conflictname
D: closed db index /var/lib/rpm/Providename
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm/Packages
D: pool gi: reused 0, alloc'd 1, free'd 1 items.
D: pool mi: reused 11, alloc'd 3, free'd 3 items.
D: pool tsi: reused 11, alloc'd 1, free'd 1 items.
D: pool ts: reused 0, alloc'd 1, free'd 1 items.
D: pool te: reused 0, alloc'd 1, free'd 1 items.
D: pool ps: reused 0, alloc'd 1, free'd 1 items.
D: pool al: reused 0, alloc'd 1, free'd 1 items.
D: pool ds: reused 24, alloc'd 14, free'd 14 items.
D: pool fi: reused 0, alloc'd 2, free'd 2 items.
D: pool db: reused 0, alloc'd 1, free'd 1 items.
D: pool dbi: reused 0, alloc'd 6, free'd 6 items.
D: pool h: reused 3, alloc'd 3, free'd 3 items.
D: pool lua: reused 0, alloc'd 1, free'd 1 items.
D: pool hkp: reused 0, alloc'd 2, free'd 2 items.
D: pool mire: reused 1, alloc'd 3, free'd 3 items.
D: pool bf: reused 0, alloc'd 3, free'd 3 items.
D: pool ctx: reused 7, alloc'd 2, free'd 2 items.
D: pool iob: reused 1, alloc'd 1, free'd 1 items.
D: pool dig: reused 1, alloc'd 2, free'd 2 items.
D: pool u: reused 0, alloc'd 1, free'd 1 items.
D: pool fd: reused 28, alloc'd 2, free'd 2 items.
D: exit code: 0
--
Jan Rękorajski | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
_______________________________________________
pld-devel-en mailing list
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
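The trimming step Jeffrey suggests above (keep only the self-signed positive certification on the 0xE4F1BC2D key, then export and re-import it) is normally done with `gpg --edit-key`. As an added illustration of what that operation removes at the packet level, here is a Python sketch written for this page; it is not code from rpm or from anyone in the thread. It assumes a binary (non-armored) OpenPGP export, keeps no subkeys, and the key it runs on is a constructed dummy with placeholder key material and unverifiable signatures, so it demonstrates packet selection only, not signature checking.

```python
import hashlib
import struct

# OpenPGP packet tags and signature classes (RFC 4880, sections 4.3 and 5.2.1)
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SIGTYPE_POSITIVE_CERT, SUBPKT_ISSUER = 0x13, 16   # rpm's "POSITIVE" class; issuer key ID subpacket

def read_length(buf, i, subpacket=False):
    """Decode a new-format packet length, or a subpacket length, starting at buf[i]."""
    first, i = buf[i], i + 1
    if first < 192:
        return first, i
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + buf[i] + 192, i + 1
    if first == 255:
        return struct.unpack(">I", buf[i:i + 4])[0], i + 4
    raise ValueError("partial body lengths are not used in key exports")

def parse_packets(data):
    """Split a binary OpenPGP stream into (tag, body) pairs; old- and new-format headers."""
    packets, i = [], 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                            # new-format header
            tag = ctb & 0x3F
            length, i = read_length(data, i)
        else:                                     # old-format header; length type 3 is unsupported
            tag, width = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i += length
    return packets

def encode_packet(tag, body):
    """Serialise a packet with an old-format header (tags below 16 only)."""
    for ltype, width in ((0, 1), (1, 2), (2, 4)):
        if len(body) < 1 << (8 * width):
            return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(width, "big") + body
    raise ValueError("packet too large")

def v4_fingerprint(key_body):
    """SHA-1 fingerprint of a v4 key packet body (RFC 4880, 12.2); the key ID is its last 8 bytes."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()

def signature_info(body):
    """Return (sigtype, pubkey_algo, issuer_keyid) of a v4 signature body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are supported")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    issuer = None
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):   # hashed area first, it takes precedence
        i = 0
        while i < len(area) and issuer is None:
            length, i = read_length(area, i, subpacket=True)
            if area[i] & 0x7F == SUBPKT_ISSUER:
                issuer = area[i + 1:i + length]
            i += length
    return body[1], body[2], issuer

def strip_to_self_certifications(data):
    """Keep only the primary key, its user IDs and positive self-certifications; report the rest."""
    packets = parse_packets(data)
    if not packets or packets[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("stream must start with a public key packet")
    self_keyid = v4_fingerprint(packets[0][1])[-8:]
    kept, dropped = [], []
    for tag, body in packets:
        info = signature_info(body) if tag == TAG_SIGNATURE else None   # (class, algo, issuer)
        is_self_cert = info is not None and info[0] == SIGTYPE_POSITIVE_CERT and info[2] == self_keyid
        if tag in (TAG_PUBLIC_KEY, TAG_USER_ID) or is_self_cert:
            kept.append((tag, body))
        else:                                     # third-party or non-positive sigs, subkeys, attributes
            dropped.append((tag, info))
    return b"".join(encode_packet(t, b) for t, b in kept), dropped

# --- constructed sample, NOT a real key: the key material is a dummy 2-bit MPI ---
SAMPLE_KEY_BODY = b"\x04\x00\x00\x00\x00\x11\x00\x02\x03"  # v4, creation time 0, algorithm 17 = DSA
SAMPLE_SELF_KEYID = v4_fingerprint(SAMPLE_KEY_BODY)[-8:]
SAMPLE_OTHER_KEYID = bytes(range(8))                      # placeholder ID of an unrelated certifier

def make_sig(sigtype, pk_algo, issuer_keyid):
    """Build a v4 signature body with an issuer subpacket and dummy MPIs (not verifiable)."""
    issuer_sub = b"\x09\x10" + issuer_keyid               # subpacket: length 9, type 16, key ID
    return (b"\x04" + bytes([sigtype, pk_algo, 2])        # version, class, pubkey algo, SHA-1
            + struct.pack(">H", len(issuer_sub)) + issuer_sub + b"\x00\x00"   # hashed area, empty unhashed area
            + b"\xab\xcd\x00\x01\x01\x00\x01\x01")         # hash prefix and two 1-bit MPIs

SAMPLE_STREAM = b"".join([
    encode_packet(TAG_PUBLIC_KEY, SAMPLE_KEY_BODY),
    encode_packet(TAG_USER_ID, b"Example Key <example@example.invalid>"),
    encode_packet(TAG_SIGNATURE, make_sig(SIGTYPE_POSITIVE_CERT, 17, SAMPLE_SELF_KEYID)),  # self-sig, kept
    encode_packet(TAG_SIGNATURE, make_sig(SIGTYPE_POSITIVE_CERT, 1, SAMPLE_OTHER_KEYID)),  # RSA third party, dropped
    encode_packet(TAG_SIGNATURE, make_sig(0x10, 17, SAMPLE_SELF_KEYID)),                   # generic class, dropped
])
```

Run `strip_to_self_certifications()` on the output of `gpg --export KEYID` (binary by default) to see which signature packets a trimmed key would and would not carry; the `dropped` list names each removed signature by class, public-key algorithm and issuer key ID, which is exactly the split between the DSA self-signature and the RSA certification visible in the `D: SIG:` lines above. Since rpm-5.4.15 stores the whole pubkey with all certifications, that is the material the verifier now has to handle. For the real workflow use GnuPG's own editing or its `export-minimal` export option, armor the result, and feed it to `rpm --import`.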
Elan Ruusamäe
2015-02-12 09:50:40 UTC
Post by Jeffrey Johnson
Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
how to check?

i see nothing in our .spec matching /openmp/i except one patch:

$ git ls-files|xargs grep -i openmp
openmp.patch:+librpmio_la_LDFLAGS = -release
$(LT_CURRENT).$(LT_REVISION) $(OPENMP_CFLAGS)
openmp.patch:+dbsql_LDFLAGS = @LDFLAGS_STATIC@ $(LDFLAGS)
$(OPENMP_CFLAGS)
rpm.spec:Patch24: openmp.patch
$

repo for our rpm spec is here:
https://github.com/pld-linux/rpm
--
glen
Jeffrey Johnson
2015-02-11 13:45:46 UTC
Post by Jeffrey Johnson
I can’t fix what I cannot reproduce.
as i see it, you do not want to reproduce it. i gave you links to vm's, did you even download them?
And you gave me this
ps: the vagrant base boxes i've conducted the above tests are available from
ftp://ftp.pld-linux.org/people/glen/vm/th/
pld64-20141009.box - rpm-5.4.14-5.x86_64
pld64-20141205.box - rpm-5.4.15-6.x86_64
with no further instructions.

I am not able to run your vm's here, nor can I meaningfully
diagnose a problem that I cannot map back to sources
in my development environment.

73 de Jeff
Elan Ruusamäe
2015-02-11 13:59:10 UTC
Post by Jeffrey Johnson
Post by Jeffrey Johnson
I can’t fix what I cannot reproduce.
as i see it, you do not want to reproduce it. i gave you links to vm's, did you even download them?
And you gave me this
ps: the vagrant base boxes i've conducted the above tests are available from
ftp://ftp.pld-linux.org/people/glen/vm/th/
pld64-20141009.box - rpm-5.4.14-5.x86_64
pld64-20141205.box - rpm-5.4.15-6.x86_64
with no further instructions.
I am not able to run your vm's here, nor can I meaningfully
diagnose a problem that I cannot map back to sources
in my development environment.
https://www.google.ee/search?q=vagrant

if for some reason vagrant or virtualbox is out of the question,
you can convert these to qemu format. more info:
https://www.pld-linux.org/people/glen/vm-info
--
glen
Jeffrey Johnson
2015-02-11 14:06:21 UTC
Post by Elan Ruusamäe
Post by Jeffrey Johnson
Post by Jeffrey Johnson
I can’t fix what I cannot reproduce.
as i see it, you do not want to reproduce it. i gave you links to vm's, did you even download them?
And you gave me this
ps: the vagrant base boxes i've conducted the above tests are available from
ftp://ftp.pld-linux.org/people/glen/vm/th/
pld64-20141009.box - rpm-5.4.14-5.x86_64
pld64-20141205.box - rpm-5.4.15-6.x86_64
with no further instructions.
I am not able to run your vm's here, nor can I meaningfully
diagnose a problem that I cannot map back to sources
in my development environment.
https://www.google.ee/search?q=vagrant
if for some reason vagrant or virtualbox is out of the question,
https://www.pld-linux.org/people/glen/vm-info
I know what both vagrant and qemu are.

I run VMFusion on Mac OS X in my development environment.

Meanwhile -- as a developer -- I need to be able to build from source
and diagnose/repair the problem. I cannot do that from a pile of vm bits in
either vagrant or qemu format.

I do not doubt what you are seeing. I have suggested a workaround (removing
the header signature check) in order to start identifying where the problem lies.

Have you tried removing the header signature check?

Does the problem go away or not?

73 de Jeff
Post by Elan Ruusamäe
--
glen
Elan Ruusamäe
2015-02-11 17:51:36 UTC
Post by Jeffrey Johnson
Meanwhile -- as a developer -- I need to be able to build from source
and diagnose/repair the problem. I cannot do that from a pile of vm bits in
either vagrant or qemu format.
yes you can. you can boot to vm, install development tools there and
rebuild pld's rpm.

which is probably something like:
login with root/pld
poldek -u rpm-build-tools
builder --init-rpm-dir
builder -bb rpm
poldek -u more-missing-deps
repeat builder command
--
glen
Jeffrey Johnson
2015-02-11 18:27:03 UTC
Post by Jeffrey Johnson
Meanwhile -- as a developer -- I need to be able to build from source
and diagnose/repair the problem. I cannot do that from a pile of vm bits in
either vagrant or qemu format.
yes you can. you can boot to vm, install development tools there and rebuild pld's rpm.
login with root/pld
poldek -u rpm-build-tools
builder --init-rpm-dir
builder -bb rpm
poldek -u more-missing-deps
repeat builder command
Sure I can do all of the above: it's several days' work to get there and is essentially
the same as switching my development platform to a different linux distro.

My build starts with a cvs checkout, and invokes ./devtool with a set of options
so that I can bore into a reproducible problem with "make -C tests test".

I can't do distro-of-the-day linux development. If there is a "regression" in rpm-5.4.15 as you
claim, it will be all platforms, not just PLD.


73 de Jeff
Elan Ruusamäe
2015-02-12 09:46:10 UTC
Post by Jeffrey Johnson
I can't do distro-of-the-day linux development. If there is a "regression" in rpm-5.4.15 as you
claim, it will be all platforms, not just PLD.
in that case, you have our rpms and the pubkey we use to sign. if not,
then I can give them again. just ask.
--
glen
Elan Ruusamäe
2015-02-11 10:13:10 UTC
Post by Jeffrey Johnson
Post by Elan Ruusamäe
Post by Elan Ruusamäe
error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
so, what's our fix for pld? this regression is ugly!
So disable header signature verification in lib/verify.c. The behavior is relatively
new and has been disabled before.
i do not see what to disable, there are no functional changes since
5.4.14 to the file you point out

--- ../BUILD.x86_64-linux/rpm-5.4.14/lib/verify.c 2015-02-11
12:09:16.006002736 +0200
+++ ../BUILD.x86_64-linux/rpm-5.4.15/lib/verify.c 2015-02-11
12:07:41.927799212 +0200
@@ -182,7 +182,7 @@
/** \ingroup rpmcli
* Verify file attributes (including file digest).
* @param vf file data to verify
- * #param spew should verify results be printed?
+ * @param spew should verify results be printed?
* @return 0 on success (or not installed), 1 on error
*/
static int rpmvfVerify(rpmvf vf, int spew)
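Review bot: documentation-only change in this hunk; `#param spew` was a typo for the Doxygen tag `@param spew`, so the `spew` parameter of `rpmvfVerify` was silently left undocumented. No behavioural change, which is consistent with the claim that nothing functional differs in this file between 5.4.14 and 5.4.15.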
@@ -597,7 +597,6 @@
continue;

/* If not verifying %ghost, skip ghost files. */
- /* XXX the broken!!! logic disables %ghost queries always. */
if (FF_ISSET(qva->qva_fflags, GHOST) && FF_ISSET(fflags, GHOST))
continue;

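Review bot: the deleted comment `XXX the broken!!! logic disables %ghost queries always.` asserted that the `FF_ISSET(qva->qva_fflags, GHOST) && FF_ISSET(fflags, GHOST)` check right below it is wrong, yet this hunk removes only the comment and leaves the condition untouched. Either the condition is actually correct, in which case the change should say why (the surviving comment `If not verifying %ghost, skip ghost files.` reads as if `qva_fflags` holds the file classes to skip), or the XXX marker should stay until the logic is fixed; silently dropping it hides a known open question.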
(END)
--
glen