rpm -Va BAD, key ID

Jan Rękorajski baggins at pld-linux.org
Sun Feb 15 11:00:40 CET 2015


On Sun, 15 Feb 2015, Jan Rękorajski wrote:

> On Sat, 14 Feb 2015, Jeffrey Johnson wrote:
> 
> > 
> > On Feb 13, 2015, at 10:06 AM, Jeffrey Johnson wrote:
> > 
> > > 
> > >> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <glen at pld-linux.org> wrote:
> > >> 
> > >> On 12.02.2015 19:55, Jeffrey Johnson wrote:
> > >>> OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
> > >>> and also have an alternative means to verify header signatures using a shell loop.
> > >> i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
> > >> 
> > > 
> > > They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
> > > with pubkey retrieval to minimize network/rpmdb access.
> > > 
> > 
> > Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached (I've forgotten where
> > the patch came from, perhaps PLD or ROSA).
> > 
> > The issue is/was resetting stateful variables when more than one pubkey is present. Which
> > explains why an RSA key was identified as DSA, and also explains why "rpm -V pkg" works,
> > but "rpm -Va" doesn't.
> 
> We have a similar patch already applied (from Mandriva); this doesn't fix
> anything. Also, disabling openmp doesn't fix anything.

Debug run for a random package. No key verification disabling hacks applied.
It looks like you're losing the DSA key somewhere.

# rpm -Vvv issue
D: pool fd:	created size 392 limit -1 flags 0
D: pool iob:	created size 48 limit -1 flags 0
D: pool mire:	created size 136 limit -1 flags 0
D: pool lua:	created size 64 limit -1 flags 0
D: pool ts:	created size 1200 limit -1 flags 0
D: pool gi:	created size 176 limit -1 flags 0
D: pool db:	created size 328 limit -1 flags 0
D: pool dbi:	created size 472 limit -1 flags 0
D: rpmdb: cpus 4 physmem 7956Mb
D: opening  db environment /var/lib/rpm/Packages thread:lock:log:mpool:txn
D: opening  db index       /var/lib/rpm/Packages thread:rdonly:auto_commit mode=0x0
D: opening  db index       /var/lib/rpm/Nvra thread:rdonly:auto_commit mode=0x0
D: pool mi:	created size 152 limit -1 flags 0
D: pool h:	created size 360 limit -1 flags 0
D: pool fi:	created size 560 limit -1 flags 0
D: pool dig:	created size 424 limit -1 flags 0
D: pool ctx:	created size 112 limit -1 flags 0
D: pool bf:	created size 56 limit -1 flags 0
D: pool hkp:	created size 128 limit -1 flags 0
D: opening  db index       /var/lib/rpm/Pubkeys thread:rdonly:auto_commit mode=0x0
D:   PUB: AF3F93BC E4F1BC2D V4 DSA
D:   SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D:   PUB: 732FDFDE EAE6F8B8 V4 RSA
D:   SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
D:   UID: RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>
D: pool u:	created size 288 limit -1 flags 0

<
a very long wait here, +10 for trying to connect to
non-working keyservers, a.k.a. hkp://keys.rpm5.org

Disabling keyserver lookup only removes the delay,
key verification still fails.
>

D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
........  c /etc/issue
........  c /etc/issue.net
D: pool tsi:	created size 48 limit -1 flags 0
D: pool te:	created size 368 limit -1 flags 0
D: pool ds:	created size 232 limit -1 flags 0
D: pool al:	created size 64 limit -1 flags 0
D: ========== +++ issue-3.0-6.noarch noarch/linux 0x0
D: pool ps:	created size 40 limit -1 flags 0
D: opening  db index       /var/lib/rpm/Providename thread:rdonly:auto_commit mode=0x0
D:  Requires: pld-release = 3.0                             YES (db provides)
D:  Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1              YES (rpmlib provides)
D: Conflicts: issue-alpha < 3.0-1                           NO  
D: Conflicts: issue-fancy < 3.0-1                           NO  
D: Conflicts: issue-logo < 3.0-1                            NO  
D: Conflicts: issue-nice < 3.0-1                            NO  
D: Conflicts: issue-pure < 3.0-1                            NO  
D: opening  db index       /var/lib/rpm/Filepaths thread:rdonly:auto_commit mode=0x0
D:      Dirs: /etc                                          YES (db files)
D: opening  db index       /var/lib/rpm/Conflictname thread:rdonly:auto_commit mode=0x0
D: Conflicts: issue < 3.0-1                                 NO  
D: closed   db index       /var/lib/rpm/Filepaths
D: closed   db index       /var/lib/rpm/Nvra
D: closed   db index       /var/lib/rpm/Pubkeys
D: closed   db index       /var/lib/rpm/Conflictname
D: closed   db index       /var/lib/rpm/Providename
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm/Packages
D: pool gi:	reused 0, alloc'd 1, free'd 1 items.
D: pool mi:	reused 11, alloc'd 3, free'd 3 items.
D: pool tsi:	reused 11, alloc'd 1, free'd 1 items.
D: pool ts:	reused 0, alloc'd 1, free'd 1 items.
D: pool te:	reused 0, alloc'd 1, free'd 1 items.
D: pool ps:	reused 0, alloc'd 1, free'd 1 items.
D: pool al:	reused 0, alloc'd 1, free'd 1 items.
D: pool ds:	reused 24, alloc'd 14, free'd 14 items.
D: pool fi:	reused 0, alloc'd 2, free'd 2 items.
D: pool db:	reused 0, alloc'd 1, free'd 1 items.
D: pool dbi:	reused 0, alloc'd 6, free'd 6 items.
D: pool h:	reused 3, alloc'd 3, free'd 3 items.
D: pool lua:	reused 0, alloc'd 1, free'd 1 items.
D: pool hkp:	reused 0, alloc'd 2, free'd 2 items.
D: pool mire:	reused 1, alloc'd 3, free'd 3 items.
D: pool bf:	reused 0, alloc'd 3, free'd 3 items.
D: pool ctx:	reused 7, alloc'd 2, free'd 2 items.
D: pool iob:	reused 1, alloc'd 1, free'd 1 items.
D: pool dig:	reused 1, alloc'd 2, free'd 2 items.
D: pool u:	reused 0, alloc'd 1, free'd 1 items.
D: pool fd:	reused 28, alloc'd 2, free'd 2 items.
D: exit code: 0


-- 
Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
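
Added example, not part of the original message and not rpm's own code: a small triage script that reads "rpm -Vvv" debug output like the run above and, for each "BAD" header signature, checks whether the reported key ID was among the PUB keys the log shows being loaded and whether the algorithm agrees. The line patterns are assumptions taken from this one debug run; the function and verdict names are hypothetical.

```python
import re

# Constructed sample: the key-related lines copied from the debug run above.
SAMPLE = """\
D:   PUB: AF3F93BC E4F1BC2D V4 DSA
D:   SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D:   PUB: 732FDFDE EAE6F8B8 V4 RSA
D:   SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
"""

# Line shapes are assumed from this one debug run, not from an rpm format spec.
PUB = re.compile(r"^D:\s+PUB: ([0-9A-F]{8}) ([0-9A-F]{8}) V\d (\w+)$")
SIG = re.compile(r"^D:\s+SIG: ([0-9A-F]{8}) ([0-9A-F]{8}) V\d \S+ (\w+)$")
BAD = re.compile(r"^error: rpmdb \(h#(\d+)\): Header V\d (\w+) signature: "
                 r"BAD, key ID ([0-9a-f]{8})$")


def triage(log):
    """Return (keys seen in the log, one finding per BAD header signature)."""
    keys, findings = {}, []
    for line in map(str.rstrip, log.splitlines()):
        if m := PUB.match(line):
            # Index by the short key ID (second word), as the error line does.
            keys[m.group(2).lower()] = {"algo": m.group(3), "selfsig": None}
        elif (m := SIG.match(line)) and m.group(2).lower() in keys:
            keys[m.group(2).lower()]["selfsig"] = m.group(3)
        elif m := BAD.match(line):
            header, algo, key_id = m.groups()
            key = keys.get(key_id)
            if key is None:
                verdict = "key-not-loaded"
            elif key["algo"] != algo:
                verdict = "algorithm-mismatch"
            elif key["selfsig"] != "POSITIVE":
                verdict = "self-signature-not-positive"
            else:
                verdict = "key-loaded-and-consistent"
            findings.append({"header": header, "algo": algo,
                             "key_id": key_id, "verdict": verdict})
    return keys, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE)[1]:
        print(finding)
```

A "key-loaded-and-consistent" verdict means the key data shown in the log does not by itself account for the BAD result, so the cause has to be looked for elsewhere in the verification path.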

