rpm -Va BAD, key ID

Jan Rękorajski baggins at pld-linux.org
Sun Feb 15 10:35:48 CET 2015

On Sat, 14 Feb 2015, Jeffrey Johnson wrote:

> On Feb 13, 2015, at 10:06 AM, Jeffrey Johnson wrote:
> > 
> >> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <glen at pld-linux.org> wrote:
> >> 
> >> On 12.02.2015 19:55, Jeffrey Johnson wrote:
> >>> OK. So you have a workaround (by disabling header signature verification) for -Va for the moment,
> >>> and also have an alternative means to verify header signatures using a shell loop.
> >> I'm surprised that rpm -Va and rpm -V $pkgname use different code paths. So you're saying that (with my current package patch) header verification is disabled for both? (As no header verification errors are printed.)
> >> 
> > 
> > They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
> > with pubkey retrieval to minimize network/rpmdb access.
> > 
> Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
> the patch came from, perhaps PLD or ROSA).
> The issue is/was resetting stateful variables when more than one pubkey is present. Which
> explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
> but "rpm -Va" doesn't.

We have a similar patch already applied (from Mandriva); this doesn't fix
anything. Also, disabling openmp doesn't fix anything.

Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/

More information about the pld-devel-en mailing list