rpm -Va BAD, key ID

Tue Jan 13 21:01:05 CET 2015

On 13.01.2015 19:43, Jeffrey Johnson wrote:
> On Jan 13, 2015, at 11:30 AM, Elan Ruusamäe wrote:
>
>> rpm -Va emits such messages:
>>
>>   error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
>>
> What package is header #123? (try rpm -Vavv which should display package names near h#123).
that #123 is pretty much every package in the system.
h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake 
gpg package.

rpm -Vavv of 5.4.14 and 5.4.14 can be obtained  from here:

http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
>> that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
>>
>>
>> i've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 and have caused it
>>
> rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
>
> Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
>
> You can easily patch out the attempt to verify header signatures in 5.4.15.
>
> Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
> and whether the public key is imported or included in packages.
>
gpg-pubkey-e4f1bc2d-47b351f0 is key used to sign pld th packages:

$ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0

Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : e4f1bc2d                          Vendor: (none)
Release     : 47b351f0                      Build Date: Fri Oct 10 01:19:35 2014
Install Date: Fri Oct 10 01:19:35 2014      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>)
Architecture: (none)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: RPM 5.4.10 (BeeCrypt)

mQGiBEezUfARBACXCHHN8F35uES1o+FhB7op/804RVJw59Jv3UGDubv4x8SPHGNNb2WFLLMm
W5MUucB+VSS3Xm33U27HFfg9OaeJsSJu3b5RE+UnPTZihV5+vENdtsfIDJBOjgTcbEXYW75O
V9Qnxczx4fGUOfEU23a3q/yXXXnarjbTLRizBCJkBwCgrJvTzbDuECHrs74gm84E7unI26kD
/1Kd1Qm3QEsOkcuIW75zq6GiQE4S+jEEqKwyyVxENPN+o3+MRG3J/s3XV0hCnczueQZrEQu/
PNTm0t2d0rSlQg/Pm6Z46IpZ50UY2/CPIB3GaRT505Q4+gk15RulIQjR/4zUN/NB9P8ijo3p
4yAqhvPqDXhcigH94WH+NDsvC4+uA/90oyzRpnT1qSmReTwcmseU2mm/l6Uxl+LMtlBNTkrv
Ws9aBpFCK1j27ngIG4xdhDqNYMIwUv8C3FH6wh4nwa/o70gu4Hnr0Dezz+WZxHcg6VWyBuu0
NpBftCvwS1YLWQ3tRMnNhuok1Ulur9ocW//wby+5z7qj49AnzpxxrRXJ3rRBRFNBcHViIChQ
TEQgTGludXggRGlzdHJpYnV0aW9uIDMuMCAoVGgpKSA8dGgtYWRtaW5AcGxkLWxpbnV4Lm9y
Zz6IYAQTEQIAIAUCR7NR8AIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEK8/k7zk8bwt
hUsAoJ44g5TWhmvGqXUiDOIAjfw6QXSvAKCLWEANVGfXOihK7zxAMvXqZj2wepiNBEezUgYB
BADTsxN1pG5XtEcXwLayVtr1frEKNIE5ckWmKxx8040/ql+p9tzWtteRL5uAh5VbtfdQnFt4
gFoZJPsm1zMFsx9+LhV5nm5ZIowztde3vxyxCRuO90+PJy+N2DFHmIQMeuDzATN6O8VKUO2K
1yzAaMmZdPC56cEidSjg9M95v/814wARAQABtEFSU0FwdWIgKFBMRCBMaW51eCBEaXN0cmli
dXRpb24gMy4wIChUaCkpIDx0aC1hZG1pbkBwbGQtbGludXgub3JnPoi2BBMBAgAgBQJHs1IG
AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQcy/f3urm+Lg8dwP7BdZCN5OTnwbwskRo
Ae4Hxs9t9hxW05maLJD5zyQTm+eL2o2uvIkzq67soB2aUVNPm0RCqnzh99BaqQSAGj4bpBcj
eFup2mhGy706QS6eaVl9cNigsfi3ehvAE5Qd5N5V12olY4Sik7q/F9MH+F/GAiPRdCpzLM2x
yBrlOB+zw5Y=
=ayIa
-----END PGP PUBLIC KEY BLOCK-----

the pubkey is available publicly from ftp:
ftp://ftp.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc

removing pubkey, made rpm -Va to succeed, importing it again, made it 
fail again:

21:55:00 root[load: 0.08]@pld64 ~# rpm -e gpg-pubkey-e4f1bc2d-47b351f0

21:55:52 root[load: 0.04]@pld64 ~# rpm -Va >/dev/null

21:56:12 root[load: 0.09]@pld64 ~# rpm -q rpm
rpm-5.4.15-7.x86_64

21:56:15 root[load: 0.09]@pld64 ~# rpm --import 
/etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc

21:56:21 root[load: 0.08]@pld64 ~# rpm -Va >/dev/null
error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
...

-- 
glen