<p>There's now another similar bug at <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1514190" rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=1514190</a>, Intel signed packages in that case as well, with the same problem: the actual signature is placed outside the signature header immutable region. I'm not aware of any rpm.org version doing that. <a href="https://github.com/anselmolsm" class="user-mention">@anselmolsm</a> - any news on that front?</p>
<p><a href="https://github.com/n3npq" class="user-mention">@n3npq</a>, as for the original report on the rpm5 built capsule package: the "offending" tag is RPMSIGTAG_PADDING and I was about to ask why it is outside the immutable region, but looking at the code it doesn't seem to be intentional:</p>
<pre><code>    /* Reallocate the signature header into one contiguous region. */
    sigh = headerReload(sigh, RPMTAG_HEADERSIGNATURES);

   [...]

        he->tag = (rpmTag) RPMSIGTAG_PADDING;
        he->t = RPM_BIN_TYPE;
        he->p.ui8p = b;
        he->c = nb;
        xx = headerPut(sigh, he, HEADERGET_SIGHEADER);
        sigh = headerReload(sigh, RPMTAG_HEADERSIGNATURES);
</code></pre>
<p>So it seems the second headerReload() fails to pull the padding tag into the region, for whatever reason.</p>
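<p>Added example, not part of the comment above and not rpm or rpm5 code: a minimal C check that lists the index entries lying after the signature header's immutable region, the condition described for the padding tag. It assumes the usual header blob layout (il, dl, 16-byte index entries, data store, and a region trailer holding a negative offset); the sample blob and the tag number 9999 are constructed.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_TAG 62u /* RPMTAG_HEADERSIGNATURES */
#define BIN_TYPE    7u /* RPM_BIN_TYPE */

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static int is_region(const uint8_t *e) { /* tag 62, BIN, count 16 */
    return be32(e) == REGION_TAG && be32(e + 4) == BIN_TYPE && be32(e + 12) == 16;
}
/* blob = il, dl, il*16-byte index entries, dl data bytes (no 8-byte magic).
 * Returns how many entries sit after the region (their tags go to out[],
 * up to max), or -1 if the blob is malformed or has no region. */
int tags_outside_region(const uint8_t *blob, size_t len, uint32_t *out, int max) {
    if (len < 8) return -1;
    uint32_t il = be32(blob), dl = be32(blob + 4);
    if (il < 1 || il > 0xffff || dl > 0xffffff) return -1;
    if (len < 8 + (size_t)il * 16 + dl) return -1;
    const uint8_t *pe = blob + 8, *data = pe + (size_t)il * 16;
    if (!is_region(pe)) return -1;
    uint32_t off = be32(pe + 8);               /* where the trailer lives */
    if (off > dl || dl - off < 16 || !is_region(data + off)) return -1;
    uint32_t rdl = 0u - be32(data + off + 8);  /* trailer offset is -(ril*16) */
    if (rdl == 0 || rdl % 16 || rdl > il * 16) return -1;
    int n = 0;
    for (uint32_t i = rdl / 16; i < il; i++, n++)
        if (n < max) out[n] = be32(pe + (size_t)i * 16);
    return n;
}
/* Constructed sample: region covers 2 entries, a third (stand-in padding
 * tag 9999, not a real tag number) was appended after it. */
static const uint8_t SAMPLE_SIGHDR[] = {
    0,0,0,3, 0,0,0,24,                                /* il=3, dl=24 */
    0,0,0,62, 0,0,0,7, 0,0,0,4, 0,0,0,16,             /* region tag */
    0,0,3,0xe8, 0,0,0,4, 0,0,0,0, 0,0,0,1,            /* tag 1000, INT32 */
    0,0,0x27,0x0f, 0,0,0,7, 0,0,0,20, 0,0,0,4,        /* tag 9999, BIN */
    0,0,0x10,0,                                       /* data for tag 1000 */
    0,0,0,62, 0,0,0,7, 0xff,0xff,0xff,0xe0, 0,0,0,16, /* trailer, offset -32 */
    0,0,0,0,                                          /* data for tag 9999 */
};
int main(void) {
    uint32_t tags[8];
    int n = tags_outside_region(SAMPLE_SIGHDR, sizeof SAMPLE_SIGHDR, tags, 8);
    printf("%d entries outside the region\n", n);
    for (int i = 0; i < n && i < 8; i++) printf("  tag %u\n", (unsigned)tags[i]);
    return 0;
}
```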
