rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Thu Feb 12 18:55:17 CET 2015


On Feb 12, 2015, at 4:44 AM, Elan Ruusamäe wrote:

> On 11.02.2015 19:58, Jeffrey Johnson wrote:
>>> I found something weird, if i do rpm -V pkgname, the header verification error is not printed, but rpm -Va shows the error for every package (besides gpg-pubkey) in the system.
>> Shows WHAT error? I'm missing something here: either rpm -Va is silent (as above) or it's not (as you say here)?
>> Which is it?
> I forgot "ps:", as the line starting with "i found something weird" started new output with the old version where the problem was not patched out.
> 
> basically "rpm -Va |wc -l" says header errors, while "foreach $packages; rpm -Va $package; done | wc -l" says nothing, thus rpm -V $pkgname does not emit header errors.
> 

OK. So you have a workaround (by disabling header signature verification) for -Va for the moment,
and you also have an alternative means to verify header signatures using a shell loop.

You should also convince yourself that header signatures are verified when installing a package:

	rpm -Uvv somepackage*.rpm

and examine the output.

The output will look similar to this:

D:   PUB: 59625668 0E9642C7 V4 ECDSA
D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)
D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7

Verifying that header signatures are verified while installing SHOULD also confirm that the flaw
is with rpm -Va, not with RSA.

>> 
>> Are you compiling rpm with OPENMP? The --verify code paths are multi-threaded.
>> 

OPENMP is used if available when building. The top level Makefile will have this:

$ grep OPENMP Makefile
OPENMP_CFLAGS = -fopenmp
OPENMP_CXXFLAGS = -fopenmp
AM_CFLAGS = $(OPENMP_CFLAGS)

73 de Jeff
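Added illustration, not part of the thread above and not rpm's own code: a small parser for the "Header ... signature: ..., key ID ..." lines that rpm -Uvv (and rpm -V) print, so the per-package output from the shell loop can be checked mechanically rather than by eye. It flags any status other than OK and, separately, an OK signature made by a key ID that is not in an expected set. The sample input reuses the three debug lines from the mail plus one constructed BAD line with a placeholder key ID; the status word set is assumed, so the regex accepts any upper-case word there.

```python
import re
from typing import Dict, List, Optional

# Per-package signature line as printed by rpm -Uvv / rpm -V, e.g.
# "D: foo-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7"
# The leading "D: " debug prefix is optional; the set of status words is an assumption.
SIG_LINE = re.compile(
    r"^(?:D:\s+)?(?P<pkg>\S+): Header (?P<ver>V\d) (?P<algo>[A-Z]+/[A-Z0-9]+) signature: "
    r"(?P<status>[A-Z]+)(?:, key ID (?P<keyid>[0-9a-fA-F]+))?"
)

# Constructed sample: first three lines are from the mail, the last is a made-up
# failure with a placeholder key ID (not a real key).
SAMPLE_OUTPUT = """\
D:   PUB: 59625668 0E9642C7 V4 ECDSA
D: ========== ECDSA pubkey id 59625668 0e9642c7 (package)
D: devtool-sanity/devtool-sanity-1.0-1.noarch.rpm: Header V4 ECDSA/SHA256 signature: OK, key ID 0e9642c7
D: example-1.0-1.noarch.rpm: Header V4 RSA/SHA256 signature: BAD, key ID ffffffff
"""


def parse_signature_lines(output: str) -> List[Dict[str, Optional[str]]]:
    """Extract one record per header-signature line; other debug lines are ignored."""
    records = []
    for line in output.splitlines():
        m = SIG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_problems(output: str, trusted_keyids) -> List[str]:
    """Return a message for every package whose header signature is not OK,
    or is OK but signed by a key ID outside the trusted set (case-insensitive)."""
    trusted = {k.lower() for k in trusted_keyids}
    problems = []
    for r in parse_signature_lines(output):
        if r["status"] != "OK":
            problems.append(
                f"{r['pkg']}: header signature {r['status']} (key ID {r['keyid']})"
            )
        elif r["keyid"] is None or r["keyid"].lower() not in trusted:
            problems.append(
                f"{r['pkg']}: header signature OK but key ID {r['keyid']} is not trusted"
            )
    return problems


if __name__ == "__main__":
    # In practice: feed the concatenated output of the per-package loop
    # (for p in $(rpm -qa); do rpm -V "$p"; done 2>&1) into find_problems.
    for msg in find_problems(SAMPLE_OUTPUT, {"0E9642C7"}):
        print(msg)
```

Only the "Header ... signature" lines are consumed; the PUB and pubkey-id lines that precede them are ignored, so the parser works on the terser rpm -V output as well as the -vv debug stream.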

