rpm5 package verification and md5sum of config files
Jan Rękorajski
baggins at pld-linux.org
Mon Oct 22 12:44:45 CEST 2012
On Sun, 21 Oct 2012, Adam Osuchowski wrote:
> Jan Rękorajski wrote:
> > I'm afraid your patch doesn't work for me, I'm still getting bad md5
> > for config files:
> >
> > $ rpm -V wget
> > ..5..... c /etc/wgetrc
> >
> > Am I missing something?
>
> Ok, I made an investigation one more time and probably know what happened.
>
> The patch I sent is against build/files.c file which is part of rpmbuild
> and fixes the problem by changing verify flags (placed in package file)
> during package building. Only a freshly built (by fixed rpmbuild) package
> would be verified correctly even on buggy rpm. I forgot to mention it
> because I tested various scenarios and they all mixed up.
>
> So, once again: patch for build/files.c fixes package building process
> only and would work if all packages in repo were rebuilt (I don't
> think RM will accede to this).
>
> In attachment, there is another patch, just for verification process.
> It disables use of hmac during digest calculation entirely. Since in
> rpm package files there are included plain md5sums, hmac support is
> useless. I personally don't know what advantages hmac digest has
> over plain digest in case of file integrity verification against package
> database (especially as the hmac key is constant and hardcoded in rpm
> sources).
>
> So, to sum up: there are two ways to fix the problem of reporting false
> md5sum differences during package verification:
> * first, fix the building process and remain with hmac digests, but *ALL*
> packages in repo should be rebuilt,

Rebuilding ~8500 packages is not an option, unfortunately :(

> * second, fix the verification process only, drop hmac support and do it
> the good old way.

Quick question, does passing '--nohmacs' option give the same effect as
your patch to lib/verify.c? In that case we could just make it default
and add '--hmacs' option.

--
Jan Rękorajski | PLD/Linux
SysAdm | http://www.pld-linux.org/
baggins<at>mimuw.edu.pl
baggins<at>pld-linux.org
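
The mismatch discussed in this thread, as an added example: a simplified Python model, not rpm's code and not written by either poster. It shows a plain md5sum recorded at build time failing an HMAC-based check on an unmodified file, and why a keyed digest with a public constant key detects nothing a plain digest would not. The key value, the sample file content and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Placeholder: the real constant from the rpm sources does not appear in the thread.
HARDCODED_KEY = b"placeholder-constant-key"

# Constructed sample content standing in for /etc/wgetrc.
SAMPLE_WGETRC = b"# constructed sample config\ntries = 3\n"


def plain_md5(data: bytes) -> str:
    """Digest as recorded in packages built the old way (plain md5sum)."""
    return hashlib.md5(data).hexdigest()


def hmac_md5(data: bytes, key: bytes = HARDCODED_KEY) -> str:
    """Keyed digest computed with the constant, publicly known key."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def verify(recorded: str, on_disk: bytes, use_hmac: bool) -> str:
    """Return an 'rpm -V'-style flag string; '5' marks a digest mismatch.

    use_hmac is a hypothetical switch for this model only.
    """
    computed = hmac_md5(on_disk) if use_hmac else plain_md5(on_disk)
    return "........" if hmac.compare_digest(recorded, computed) else "..5....."


def recomputable_without_secret(data: bytes) -> bool:
    """True when a party holding only the published sources derives the same
    keyed digest, i.e. the HMAC gives no assurance beyond the plain digest."""
    key_from_public_sources = HARDCODED_KEY  # same constant, no secret involved
    return hmac_md5(data) == hmac_md5(data, key_from_public_sources)


if __name__ == "__main__":
    recorded = plain_md5(SAMPLE_WGETRC)            # what the old package stores
    print(verify(recorded, SAMPLE_WGETRC, True))   # false positive on an intact file
    print(verify(recorded, SAMPLE_WGETRC, False))  # plain check agrees with the record
    print(recomputable_without_secret(SAMPLE_WGETRC))
```
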