rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Sun Feb 15 19:10:45 CET 2015


On Feb 15, 2015, at 5:00 AM, Jan Rękorajski wrote:

> On Sun, 15 Feb 2015, Jan Rękorajski wrote:
> 
>> On Sat, 14 Feb 2015, Jeffrey Johnson wrote:
>> 
>>> 
>>> On Feb 13, 2015, at 10:06 AM, Jeffrey Johnson wrote:
>>> 
>>>> 
>>>>> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <glen at pld-linux.org> wrote:
>>>>> 
>>>>> On 12.02.2015 19:55, Jeffrey Johnson wrote:
>>>>>> OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
>>>>>> and also have an alternative means to verify header signatures using a shell loop.
>>>>> i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
>>>>> 
>>>> 
>>>> They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
>>>> with pubkey retrieval to minimize network/rpmdb access.
>>>> 
>>> 
>>> Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
>>> the patch came from, perhaps PLD or ROSA).
>>> 
>>> The issue is/was resetting stateful variables when more than one pubkey is present. Which
>>> explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
>>> but "rpm -Va" doesn't.
>> 
>> We have similar patch already applied (from Mandriva), this doesn't fix
>> anything. Also disabling openmp doesn't fix anything.
> 
> Debug run for a random package. No key verification disabling hacks applied.
> It looks like you're losing DSA key somewhere.
> 
> # rpm -Vvv issue
> D: pool fd:	created size 392 limit -1 flags 0
> D: pool iob:	created size 48 limit -1 flags 0
> D: pool mire:	created size 136 limit -1 flags 0
> D: pool lua:	created size 64 limit -1 flags 0
> D: pool ts:	created size 1200 limit -1 flags 0
> D: pool gi:	created size 176 limit -1 flags 0
> D: pool db:	created size 328 limit -1 flags 0
> D: pool dbi:	created size 472 limit -1 flags 0
> D: rpmdb: cpus 4 physmem 7956Mb
> D: opening  db environment /var/lib/rpm/Packages thread:lock:log:mpool:txn
> D: opening  db index       /var/lib/rpm/Packages thread:rdonly:auto_commit mode=0x0
> D: opening  db index       /var/lib/rpm/Nvra thread:rdonly:auto_commit mode=0x0
> D: pool mi:	created size 152 limit -1 flags 0
> D: pool h:	created size 360 limit -1 flags 0
> D: pool fi:	created size 560 limit -1 flags 0
> D: pool dig:	created size 424 limit -1 flags 0
> D: pool ctx:	created size 112 limit -1 flags 0
> D: pool bf:	created size 56 limit -1 flags 0
> D: pool hkp:	created size 128 limit -1 flags 0
> D: opening  db index       /var/lib/rpm/Pubkeys thread:rdonly:auto_commit mode=0x0
> D:   PUB: AF3F93BC E4F1BC2D V4 DSA
> D:   SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
> D:   PUB: 732FDFDE EAE6F8B8 V4 RSA
> D:   SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
> D:   UID: RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>

I am confused by the UID here: is this an RSA or a DSA key? It looks like a DSA key
signed by itself as well as an RSA positive certification and UID binding signature.

I've been looking for RSA issues: I'm even more surprised at a regression with DSA.

But I'm not too surprised that more complicated key structures may be causing issues.
Originally rpm saved only the 1st packet of a pubkey containing the key material. In order
to attach/display a UID, the binding signature is verified, and the entire pubkey, with all certifications,
is now saved in an rpmdb. This is another change in rpm-5.4.15.

Try using gnupg to edit the 0xE4F1BC2D pubkey, and strip out everything but the self
signed positive certification, and export/import into an rpmdb. See if that verifies.

There should be no network hkp access if you have imported the needed pubkeys correctly.

> D: pool u:	created size 288 limit -1 flags 0
> 
> <
> a very long wait here, +10 for trying to connect to
> non-working keyservers, a.k.a. hkp://keys.rpm5.org
> 

So some pubkey needed for verification is not imported because HKP is attempting a lookup.

Yes, you need to configure a better key server than keys.rpm5.org if expecting reasonable response service.

> Disabling keyserver lookup only removes the delay,
> key verification still fails.
>> 
> 
> D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
> error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
> ........  c /etc/issue
> ........  c /etc/issue.net
> D: pool tsi:	created size 48 limit -1 flags 0
> D: pool te:	created size 368 limit -1 flags 0
> D: pool ds:	created size 232 limit -1 flags 0
> D: pool al:	created size 64 limit -1 flags 0
> D: ========== +++ issue-3.0-6.noarch noarch/linux 0x0
> D: pool ps:	created size 40 limit -1 flags 0
> D: opening  db index       /var/lib/rpm/Providename thread:rdonly:auto_commit mode=0x0
> D:  Requires: pld-release = 3.0                             YES (db provides)
> D:  Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1              YES (rpmlib provides)
> D: Conflicts: issue-alpha < 3.0-1                           NO  
> D: Conflicts: issue-fancy < 3.0-1                           NO  
> D: Conflicts: issue-logo < 3.0-1                            NO  
> D: Conflicts: issue-nice < 3.0-1                            NO  
> D: Conflicts: issue-pure < 3.0-1                            NO  
> D: opening  db index       /var/lib/rpm/Filepaths thread:rdonly:auto_commit mode=0x0
> D:      Dirs: /etc                                          YES (db files)
> D: opening  db index       /var/lib/rpm/Conflictname thread:rdonly:auto_commit mode=0x0
> D: Conflicts: issue < 3.0-1                                 NO  
> D: closed   db index       /var/lib/rpm/Filepaths
> D: closed   db index       /var/lib/rpm/Nvra
> D: closed   db index       /var/lib/rpm/Pubkeys
> D: closed   db index       /var/lib/rpm/Conflictname
> D: closed   db index       /var/lib/rpm/Providename
> D: closed   db index       /var/lib/rpm/Packages
> D: closed   db environment /var/lib/rpm/Packages
> D: pool gi:	reused 0, alloc'd 1, free'd 1 items.
> D: pool mi:	reused 11, alloc'd 3, free'd 3 items.
> D: pool tsi:	reused 11, alloc'd 1, free'd 1 items.
> D: pool ts:	reused 0, alloc'd 1, free'd 1 items.
> D: pool te:	reused 0, alloc'd 1, free'd 1 items.
> D: pool ps:	reused 0, alloc'd 1, free'd 1 items.
> D: pool al:	reused 0, alloc'd 1, free'd 1 items.
> D: pool ds:	reused 24, alloc'd 14, free'd 14 items.
> D: pool fi:	reused 0, alloc'd 2, free'd 2 items.
> D: pool db:	reused 0, alloc'd 1, free'd 1 items.
> D: pool dbi:	reused 0, alloc'd 6, free'd 6 items.
> D: pool h:	reused 3, alloc'd 3, free'd 3 items.
> D: pool lua:	reused 0, alloc'd 1, free'd 1 items.
> D: pool hkp:	reused 0, alloc'd 2, free'd 2 items.
> D: pool mire:	reused 1, alloc'd 3, free'd 3 items.
> D: pool bf:	reused 0, alloc'd 3, free'd 3 items.
> D: pool ctx:	reused 7, alloc'd 2, free'd 2 items.
> D: pool iob:	reused 1, alloc'd 1, free'd 1 items.
> D: pool dig:	reused 1, alloc'd 2, free'd 2 items.
> D: pool u:	reused 0, alloc'd 1, free'd 1 items.
> D: pool fd:	reused 28, alloc'd 2, free'd 2 items.
> D: exit code: 0
> 
> 
> -- 
> Jan Rękorajski                    | PLD/Linux
> SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
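As an added example (not code from the thread or from rpm5), a small POSIX shell script covering both workarounds discussed above: re-importing the pubkey reduced to its most recent self-signature via gpg's export-minimal, and verifying packages one at a time instead of in a single rpm -Va run, plus a helper that tallies "BAD, key ID" errors per key so the failing key shows up at a glance. It assumes gpg and the rpm CLI are on the path; the function names and the /tmp export path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gpg and rpm are installed;
# function names and the /tmp export path are assumptions of this example.

# Tally "... signature: BAD, key ID xxxxxxxx" errors per key ID from rpm output
# read on stdin. Pure text processing, so it also works on a saved log.
summarize_bad_keys() {
    awk '/signature: BAD, key ID/ { n[$NF]++ }
         END { for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# Re-import one pubkey stripped down to the key packet plus its most recent
# self-signature (gpg --export-options export-minimal), so rpm does not have
# to process extra certifications when verifying headers.
reimport_minimal_key() {
    keyid="$1"
    gpg --export-options export-minimal --armor --export "$keyid" \
        > "/tmp/pubkey-${keyid}.asc" || return 1
    rpm --import "/tmp/pubkey-${keyid}.asc"
}

# Verify installed packages one "rpm -V" at a time instead of one "rpm -Va",
# so pubkey state left behind by one package cannot affect the next.
# Only signature errors (printed on stderr) are kept, prefixed with the package.
verify_per_package() {
    rpm -qa | while read -r pkg; do
        rpm -V "$pkg" 2>&1 >/dev/null | grep 'signature: BAD' | sed "s/^/$pkg: /"
    done
}

# Typical use:  reimport_minimal_key 0xE4F1BC2D; verify_per_package | summarize_bad_keys
```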