rpm -Va BAD, key ID
Jeffrey Johnson
n3npq at me.com
Thu Feb 12 18:55:17 CET 2015
On Feb 12, 2015, at 4:44 AM, Elan Ruusamäe wrote:
> On 11.02.2015 19:58, Jeffrey Johnson wrote:
>>> i found something weird, if i do rpm -V pkgname, the header verification error is not printed, but rpm -Va shows the error for every package (besides gpg-pubkey) in the system.
>>> >
>> Shows WHAT error? I'm missing something here: either rpm -Va is silent (as above) or it's not (as you say here)?
>> Which is it?
> i forgot "ps:", as the line starting with "i found something weird" started new output with old version where problem was not patched out.
>
> basically "rpm -Va |wc -l" says header errors, while "foreach $packages; rpm -Va $package; done | wc -l" says nothing, thus rpm -V $pkgname does not emit header errors.
>
OK. So you have a workaround (by disabling header signature verification) for -Va for the moment,
and also have an alternative means to verify header signatures using a shell loop.
You should also convince yourself that header signatures are verified when installing a package:

    rpm -Uvv somepackage*.rpm

and examine the output.
The output will look similar to this:

    D: PUB: 59625668 0E9642C7 V4 ECDSA
    D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)
    D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7

Verifying that header signatures are verified while installing SHOULD also confirm that the flaw is with rpm -Va, not with RSA.
>>
>> Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
>>
OPENMP is used if available when building. The top level Makefile will have this:

    $ grep OPENMP Makefile
    OPENMP_CFLAGS = -fopenmp
    OPENMP_CXXFLAGS = -fopenmp
    AM_CFLAGS = $(OPENMP_CFLAGS)

73 de Jeff
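
The install-time check described in the message above, as an added example (not part of the original message and not rpm's own code): a shell function that reads rpm debug output and reports every header signature result, so a non-OK or missing verification is not lost in the -vv noise. The function names are hypothetical, the line format is assumed from the -Uvv sample in the message, and the BAD line in the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original message or from rpm.
# Assumed line format, taken from the -Uvv sample in the message:
#   D: <package>: Header <ver> <algo>/<hash> signature: <STATUS>, key ID <id>

# Read rpm debug output on stdin and print "<status> <keyid> <algo> <package>"
# for every header signature line.
# Exit status: 0 = all OK, 1 = at least one not OK, 2 = no such line seen.
check_header_sigs() {
    awk '
        / Header V[0-9]+ [^ ]+ signature: / {
            line = $0
            sub(/^D: /, "", line)
            i = index(line, ": Header ")       # package name ends here
            pkg = substr(line, 1, i - 1)
            split(substr(line, i + 9), f, " ") # V4 ECDSA/SHA256 signature: OK, key ID <id>
            status = f[4]
            sub(/,$/, "", status)
            print status, f[7], f[2], pkg
            seen++
            if (status != "OK") bad++
        }
        END {
            if (seen == 0) exit 2   # nothing verified is a failure too
            if (bad > 0) exit 1
        }
    '
}

# Sample input: the first three lines are the output quoted in the message,
# the last line is constructed to show a failing header signature.
sample_log() {
    cat <<'EOF'
D: PUB: 59625668 0E9642C7 V4 ECDSA
D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)
D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7
D: example-pkg-1.0-1.noarch.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 00000000
EOF
}

# Real use: rpm -Uvv somepackage*.rpm 2>&1 | check_header_sigs
sample_log | check_header_sigs || echo "header signature check failed (exit $?)" >&2
```

Exit status 2 separates "no header signature line was seen" from "all OK", which is the case to watch for while header signature verification is disabled as a workaround.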