rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Sat Feb 14 19:21:45 CET 2015


On Feb 13, 2015, at 10:06 AM, Jeffrey Johnson wrote:

> 
>> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <glen at pld-linux.org> wrote:
>> 
>> On 12.02.2015 19:55, Jeffrey Johnson wrote:
>>> OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
>>> and also have an alternative means to verify header signatures using a shell loop.
>> i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
>> 
> 
> They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
> with pubkey retrieval to minimize network/rpmdb access.
> 

Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
the patch came from, perhaps PLD or ROSA).

The issue is/was resetting stateful variables when more than one pubkey is present. Which
explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
but "rpm -Va" doesn't.

73 de Jeff

Index: rpmhkp.c
===================================================================
RCS file: /v/rpm/cvs/rpm/rpmio/rpmhkp.c,v
retrieving revision 2.20.2.9
diff -p -u -w -r2.20.2.9 rpmhkp.c
--- rpmhkp.c	11 Oct 2014 12:56:41 -0000	2.20.2.9
+++ rpmhkp.c	14 Feb 2015 18:15:36 -0000
@@ -916,14 +916,6 @@ te = t = tbuf;
 
 HKPDEBUG((stderr, "--> %s(%p,%s)\n", __FUNCTION__, hkp, keyname));
 
-    /* Reset temporary variables*/
-    hkp->pubx = -1;
-    hkp->uidx = -1;
-    hkp->subx = -1;
-    hkp->sigx = -1;
-    hkp->tvalid = 0;
-    hkp->uvalidx = -1;
-
     /* Do a lazy lookup before validating. */
     if (hkp == NULL && keyname && *keyname) {
 	if ((hkp = rpmhkpLookup(keyname)) == NULL) {
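Review bot: the block removed at the top of this hunk wrote through `hkp` (`hkp->pubx = -1;` and the five assignments after it) before the `if (hkp == NULL && keyname && *keyname)` lazy lookup. In that position it dereferenced a NULL pointer whenever the function was entered without an `hkp`, and it could not apply to the object that `rpmhkpLookup(keyname)` returns afterwards. The change description should say this explicitly alongside the multiple-pubkey symptom, so the move is not read as a cosmetic reordering.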
@@ -934,6 +926,14 @@ HKPDEBUG((stderr, "--> %s(%p,%s)\n", __F
     if ((hkp = rpmhkpLink(hkp)) == NULL)
 	return rc;
 
+    /* Reset temporary variables*/
+    hkp->pubx = -1;
+    hkp->uidx = -1;
+    hkp->subx = -1;
+    hkp->sigx = -1;
+    hkp->tvalid = 0;
+    hkp->uvalidx = -1;
+
     SUM.certs++;
 assert(hkp->pkts);
 
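Review bot: the comment on the relocated block, `/* Reset temporary variables*/`, does not say why the reset has to sit after `rpmhkpLink(hkp)`, so a later cleanup could move it back above the NULL check. Suggest a comment stating that `pubx`, `uidx`, `subx`, `sigx`, `tvalid` and `uvalidx` are per-call state that must be cleared on every call, and only once `hkp` is known to be non-NULL (after the lazy lookup and the link). The missing space before `*/` can be fixed at the same time.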



