rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Wed Jan 14 11:08:28 CET 2015


On Jan 13, 2015, at 3:01 PM, Elan Ruusamäe wrote:

> On 13.01.2015 19:43, Jeffrey Johnson wrote:
>> On Jan 13, 2015, at 11:30 AM, Elan Ruusamäe wrote:
>> 
>>> rpm -Va emits such messages:
>>> 
>>>  error: rpmdb (h#123): Header V4 DSA signature: BAD, key ID e4f1bc2d
>>> 
>> What package is header #123? (try rpm -Vavv which should display package names near h#123).
> that #123 is pretty much every package in the system.
> h#xxx starts from #2 and ends with #148. 149 packages in system, 1 fake gpg package.
> 
> rpm -Vavv of 5.4.14 and 5.4.14 can be obtained from here:
> 
> http://carme.pld-linux.org/~glen/rpm-va.tar.xz (75K)
>>> that's from repeated scratch installs, the key ID stays always the same (e4f1bc2d)
>>> 
>>> 
>>> I've traced that something between rpm-5.4.14-5.x86_64 and rpm-5.4.15-6.x86_64 has caused it
>>> 
>> rpm-5.4.14 may not attempt to verify header signatures while verifying, I forget when enabled.
>> 
>> Removing and re-importing 0xe4f1bc2d is the 1st thing to try.
>> 
>> You can easily patch out the attempt to verify header signatures in 5.4.15.
>> 
>> Meanwhile more info is needed if you want a fix, including what public key (0xe4f1bc2d) is being used,
>> and whether the public key is imported or included in packages.
>> 
> gpg-pubkey-e4f1bc2d-47b351f0 is key used to sign pld th packages:
> 
> $ rpm -qi gpg-pubkey-e4f1bc2d-47b351f0
> 
> Name        : gpg-pubkey                   Relocations: (not relocatable)
> Version     : e4f1bc2d                          Vendor: (none)
> Release     : 47b351f0                      Build Date: Fri Oct 10 01:19:35 2014
> Install Date: Fri Oct 10 01:19:35 2014      Build Host: localhost
> Group       : Public Keys                   Source RPM: (none)
> Size        : 0                                License: pubkey
> Signature   : (none)
> Summary     : gpg(RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>)
---------------------------^^^^ Presumably this is an RSA public key.

> Architecture: (none)
> Description :
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: RPM 5.4.10 (BeeCrypt)
-------------- ^^^^^^^^^^ exported by rpm-5.4.10

> 
> -----END PGP PUBLIC KEY BLOCK-----
> 
> the pubkey is available publicly from ftp:
> ftp://ftp.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc
> 

Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?

There were many fixes for RSA signatures in rpm-5.4.15.

These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.

The testing does not exclude a regression, but there are known incompatibilities between
rpm-5.4.15 and earlier versions of RPM with RSA signatures.

(aside)
Write a loop generating as many RSA pubkeys as you wish and sign packages
until you are confident of the RSA signatures implemented in rpm-5.4.15.

See tests/genpgp.sh for how to generate RSA key pairs.

73 de Jeff

> 
> removing the pubkey made rpm -Va succeed; importing it again made it fail again:
> 
> 21:55:00 root[load: 0.08]@pld64 ~# rpm -e gpg-pubkey-e4f1bc2d-47b351f0
> 
> 21:55:52 root[load: 0.04]@pld64 ~# rpm -Va >/dev/null
> 
> 21:56:12 root[load: 0.09]@pld64 ~# rpm -q rpm
> rpm-5.4.15-7.x86_64
> 
> 21:56:15 root[load: 0.09]@pld64 ~# rpm --import /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
> 
> 21:56:21 root[load: 0.08]@pld64 ~# rpm -Va >/dev/null
> error: rpmdb (h#2): Header V4 DSA signature: BAD, key ID e4f1bc2d
> error: rpmdb (h#3): Header V4 DSA signature: BAD, key ID e4f1bc2d
> ...
> 
> 
> 
> 
> -- 
> glen
> 


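Added example, not part of the original message and not code from RPM: one way to answer "what public key (0xe4f1bc2d) is being used" is to read the algorithm ID, key ID and creation time straight out of each public-key packet of an armored block (RFC 4880 layout) and compare them with the algorithm named in the verification error. The sample block is constructed with toy values, and the `gpg-pubkey-<id>-<time>` naming is an assumption taken from the package name shown in the thread.

```python
import base64, hashlib, struct

ALGOS = {1: "RSA", 17: "DSA"}            # RFC 4880 public-key algorithm IDs

def dearmor(text):
    """Decode an ASCII-armored block, skipping armor headers and the CRC line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]   # armor headers end at the first blank line
    return base64.b64decode("".join(l for l in body if l[:1] not in ("=", "-")))

def packets(data):
    """Yield (tag, body) for each OpenPGP packet with a definite length."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                   # new-format header
            tag, n, i = hdr & 0x3F, data[i], i + 1
            if 192 <= n < 224:           # two-octet length
                n, i = ((n - 192) << 8) + data[i] + 192, i + 1
            elif n >= 224:
                raise ValueError("five-octet and partial lengths not handled")
        else:                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, data[i:i + n]
        i += n

def key_summaries(armored):
    """Algorithm, 64-bit key ID and rpm-style name of every v4 public (sub)key."""
    out = []
    for tag, body in packets(dearmor(armored)):
        if tag in (6, 14) and body[0] == 4:
            created, algo = struct.unpack(">IB", body[1:6])
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
            out.append({"algo": ALGOS.get(algo, "algo %d" % algo), "keyid": fpr[-16:],
                        "rpm_name": "gpg-pubkey-%s-%08x" % (fpr[-8:], created)})  # naming form assumed from the thread
    return out

def sample_block():
    """Constructed two-key block (toy MPIs, not usable keys) for the demo."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    dsa = b"\x04" + struct.pack(">IB", 0x50000000, 17) + b"".join(map(mpi, (23, 11, 4, 8)))
    rsa = b"\x04" + struct.pack(">IB", 0x50000001, 1) + b"".join(map(mpi, (3233, 17)))
    raw = b"".join(b"\x99" + struct.pack(">H", len(k)) + k for k in (dsa, rsa))
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----" % base64.b64encode(raw).decode()

if __name__ == "__main__":
    print(key_summaries(sample_block()))
```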
