rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Sun Jan 25 15:38:15 CET 2015


> On Jan 25, 2015, at 9:26 AM, Jan Rękorajski <baggins at pld-linux.org> wrote:
> 
> 
>> Try resigning a package with the same key and importing using rpm-5.4.15. Does that "fix"?
> 
> No, packages signed with 5.4.15 also fail to verify with it.
> The following command is used to sign packages:
> 
> rpm --resign --define '_signature gpg' --define '_gpg_name e4f1bc2d' files
> 
> So, that's not a problem of our setup, from my perspective it looks like
> 5.4.15 has broken RSA sig verification, can you look into it?
> 

I can try to reproduce the verification failure, but I haven’t the private key.

… meanwhile there are 5 crypto implementations in rpm, compile/use
any/all of BeeCrypt/NSS/OpenSSL/libtomcrypt/libgcrypt, see where
the problem lies.

>> There were many fixes for RSA signatures in rpm-5.4.15.
>> 
>> These were fixes for known problems repeatedly tested with all five crypto implementations, not regressions.
>> 
>> The testing does not exclude a regression, but there are known incompatibilities between
>> rpm-5.4.15 and earlier versions of RPM with RSA signatures.
> 
> Can you elaborate what kind of incompatibilities we can expect?
> 

Fingerprints were miscalculated for V4 RSA pubkeys, MPI lengths
were incorrect for RSA keys/signatures that happened to have 8 leading
zero bits, bit counts in RSA private keys were added (which affects fingerprints),
for starters.

73 de Jeff

> -- 
> Jan Rękorajski                    | PLD/Linux
> SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
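As an added example for the MPI-length and fingerprint remarks above (illustrative code written for this page, not rpm's own code and not anything posted in the thread): the canonical OpenPGP MPI encoding from RFC 4880 section 3.2, a strict canonicality check, the V4 fingerprint from section 12.2 computed over an RSA key body, and a constructed `mpi_encode_from_fixed_width` helper that stands in for the kind of length miscalculation described (bit count taken from a fixed-width buffer instead of from the value). The magnitude, creation time and exponent are constructed sample values; the magnitude is chosen so that its top octet is zero, i.e. it has 8 leading zero bits.

```python
import hashlib


def mpi_encode(value: int) -> bytes:
    """RFC 4880 section 3.2: two-octet big-endian bit count, measured from the
    most significant set bit, followed by the minimal big-endian magnitude."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bits = value.bit_length()
    nbytes = (bits + 7) // 8
    return bits.to_bytes(2, "big") + value.to_bytes(nbytes, "big")


def mpi_decode(buf: bytes, offset: int = 0) -> tuple:
    """Parse one MPI starting at offset; return (value, offset_after)."""
    bits = int.from_bytes(buf[offset:offset + 2], "big")
    nbytes = (bits + 7) // 8
    body = buf[offset + 2:offset + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI")
    return int.from_bytes(body, "big"), offset + 2 + nbytes


def mpi_is_canonical(buf: bytes) -> bool:
    """Strict check: the declared bit count must equal the magnitude's real
    bit length, and nothing may trail the MPI."""
    value, end = mpi_decode(buf)
    bits = int.from_bytes(buf[:2], "big")
    return bits == value.bit_length() and end == len(buf)


def mpi_encode_from_fixed_width(magnitude: bytes) -> bytes:
    """Constructed stand-in for the failure mode named in the mail (not rpm's
    code): the bit count is taken as 8 * buffer length, so a buffer whose top
    octet is zero gets a header that is 8 bits too large."""
    return (len(magnitude) * 8).to_bytes(2, "big") + magnitude


def rsa_v4_key_body(creation_time: int, n_mpi: bytes, e_mpi: bytes) -> bytes:
    """Body of a version-4 public-key packet for RSA (algorithm id 1), built
    from already-encoded MPIs so a non-canonical encoding can be fed in."""
    return b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + n_mpi + e_mpi


def v4_fingerprint(key_body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet body length and the
    public-key packet body. Any change to an MPI header changes the result."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()


# Constructed 32-octet magnitude whose top octet is zero (8 leading zero bits).
# Real RSA signature values land in this situation roughly once in 256 times.
MAGNITUDE_BUF = bytes([0x00, 0x7F]) + bytes([0xAB]) * 30
MAGNITUDE = int.from_bytes(MAGNITUDE_BUF, "big")
CREATION_TIME = 1422200000  # constructed sample timestamp


def demo() -> dict:
    canonical = mpi_encode(MAGNITUDE)                    # 247-bit header, 31 octets
    sloppy = mpi_encode_from_fixed_width(MAGNITUDE_BUF)  # 256-bit header, 32 octets
    e_mpi = mpi_encode(65537)
    fp_canonical = v4_fingerprint(rsa_v4_key_body(CREATION_TIME, canonical, e_mpi))
    fp_sloppy = v4_fingerprint(rsa_v4_key_body(CREATION_TIME, sloppy, e_mpi))
    return {
        # a lenient parser recovers the same integer from both, hiding the bug
        "same_value": mpi_decode(canonical)[0] == mpi_decode(sloppy)[0],
        "canonical_bits": int.from_bytes(canonical[:2], "big"),
        "sloppy_bits": int.from_bytes(sloppy[:2], "big"),
        "canonical_ok": mpi_is_canonical(canonical),
        "sloppy_ok": mpi_is_canonical(sloppy),
        # but the fingerprint is taken over the encoded bytes, so it diverges
        "fingerprints_match": fp_canonical == fp_sloppy,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point the demo makes is that the two encodings are indistinguishable to a parser that only reads the declared length, which is why such a miscalculation can survive testing, while a strict implementation rejects the 8-bits-too-large header and the V4 fingerprint, being a hash over the encoded key, no longer agrees between the two.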