rpm5 package verification and md5sum of config files

Adam Osuchowski adwol at zonk.pl
Sun Oct 21 20:12:03 CEST 2012


Jan Rękorajski wrote:
> I'm afraid your patch doesn't work for me, I'm still getting bad md5
> for config files:
> 
> $ rpm -V wget
> ..5.....  c /etc/wgetrc
> 
> Am I missing something?

Ok, I investigated one more time and probably know what happened.

The patch I sent is against the build/files.c file, which is part of rpmbuild,
and fixes the problem by changing the verify flags (placed in the package file)
during package building. Only a freshly built (by the fixed rpmbuild) package
would be verified correctly even on buggy rpm. I forgot to mention it
because I tested various scenarios and they all got mixed up.

So, once again: the patch for build/files.c fixes the package building process
only and would work if all packages in the repo were rebuilt (I don't
think RM will accede to this).

In the attachment, there is another patch, just for the verification process.
It disables the use of hmac during digest calculation entirely. Since
rpm package files include plain md5sums, hmac support is
useless. I personally don't know what advantages an hmac digest has
over a plain digest in the case of file integrity verification against the package
database (especially as the hmac key is constant and hardcoded in the rpm
sources).

So, to sum up: there are two ways to fix the problem of reporting false
md5sum differences during package verification:
* first, fix the building process and keep the hmac digests, but *ALL*
  packages in the repo should be rebuilt,
* second, fix the verification process only, drop hmac support and do it
  the good old way.

IMHO, the first method is more elegant but is more difficult and it's not
worth it.
--- rpm-5.4.10.orig/lib/verify.c	2012-07-06 17:39:16.000000000 +0200
+++ rpm-5.4.10/lib/verify.c	2012-10-21 19:35:08.610708732 +0200
@@ -261,11 +261,7 @@
 	    unsigned char * fdigest = (unsigned char *)
 			memset(alloca(vf->dlen), 0, vf->dlen);
 	    size_t fsize = 0;
-#define	_mask	(RPMVERIFY_FDIGEST|RPMVERIFY_HMAC)
-	    unsigned dflags = (vf->vflags & _mask) == RPMVERIFY_HMAC
-		? 0x2 : 0x0;
-#undef	_mask
-	    int rc = dodigest(vf->dalgo, vf->fn, fdigest, dflags, &fsize);
+	    int rc = dodigest(vf->dalgo, vf->fn, fdigest, 0, &fsize);
 	    sb.st_size = fsize;
 	    if (rc) {
 		VF_SET(res, READFAIL);
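Review bot: passing a literal `0` to `dodigest()` removes the RPMVERIFY_HMAC distinction from verification altogether, so a header whose flags legitimately select the HMAC digest (the case the removed `(vf->vflags & _mask) == RPMVERIFY_HMAC` test handled) is now digested as plain MD5 and reported as modified; if that is the intent, say so in a comment at the call site and consider warning on headers that still carry RPMVERIFY_HMAC instead of silently reinterpreting them. The removed magic `0x2` is also replaced by an equally unexplained `0`; a short comment naming it as "plain digest, no HMAC" would keep the next reader from guessing.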

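To make the failure mode in the message concrete, here is an added example (not code from the thread or from rpm) that models the pre-patch and post-patch digest selection from the hunk above and runs both against a config file whose header entry carries a plain md5sum. It assumes, as the removed branch implies, that the unpatched rpmbuild stores RPMVERIFY_HMAC without RPMVERIFY_FDIGEST; the numeric flag values and the HMAC key are placeholders, since neither is on the page. Python is used instead of C so the digests can be computed with the standard library.

```python
import hashlib
import hmac

# Verify-flag bits named after the patch; the numeric values are assumptions
# for this example, not rpm's real enum values.
RPMVERIFY_FDIGEST = 1 << 0
RPMVERIFY_HMAC = 1 << 1

# Placeholder for the constant key the message says is hardcoded in the rpm
# sources; the real key is not on the page.
HMAC_KEY_PLACEHOLDER = b"<constant-key-from-rpm-sources>"


def dodigest(data: bytes, dflags: int) -> bytes:
    """Mimic dodigest(): dflags & 0x2 selects HMAC-MD5, otherwise plain MD5."""
    if dflags & 0x2:
        return hmac.new(HMAC_KEY_PLACEHOLDER, data, hashlib.md5).digest()
    return hashlib.md5(data).digest()


def select_dflags_buggy(vflags: int) -> int:
    """Pre-patch selection: HMAC when the HMAC bit is set and FDIGEST is not."""
    mask = RPMVERIFY_FDIGEST | RPMVERIFY_HMAC
    return 0x2 if (vflags & mask) == RPMVERIFY_HMAC else 0x0


def select_dflags_patched(vflags: int) -> int:
    """After the attached patch: always the plain digest."""
    return 0x0


def verify_file(stored_digest: bytes, file_bytes: bytes, vflags: int, select) -> str:
    """Return the rpm -V style attribute: '.' for ok, '5' for digest mismatch."""
    computed = dodigest(file_bytes, select(vflags))
    return "." if hmac.compare_digest(computed, stored_digest) else "5"


# Constructed sample config file; the header entry stores its plain md5sum,
# as the message says rpm package files do.
WGETRC = b"# /etc/wgetrc (constructed sample)\npassive_ftp = on\n"
STORED_MD5 = hashlib.md5(WGETRC).digest()


def demo() -> dict:
    # Flags assumed to be written by the unpatched rpmbuild: HMAC bit only.
    buggy_vflags = RPMVERIFY_HMAC
    return {
        # Unpatched rpm computes HMAC-MD5 and compares it to a plain md5: false '5'.
        "buggy_rpm": verify_file(STORED_MD5, WGETRC, buggy_vflags, select_dflags_buggy),
        # Patched rpm computes plain md5: untouched file verifies clean.
        "patched_rpm": verify_file(STORED_MD5, WGETRC, buggy_vflags, select_dflags_patched),
        # A genuinely modified file is still caught by the patched path.
        "modified_file": verify_file(STORED_MD5, WGETRC + b"x", buggy_vflags, select_dflags_patched),
    }


if __name__ == "__main__":
    for name, attr in demo().items():
        print(f"{name}: {attr}")
```

Running it prints a `5` for the unpatched path on an unmodified file, which is exactly the `..5.....  c /etc/wgetrc` line quoted at the top of the thread, and `.` once the HMAC branch is bypassed; a real modification still yields `5`, so dropping HMAC here does not weaken the check the stored md5sums can actually support.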

More information about the pld-devel-en mailing list