[Rpm-maint] [rpm-software-management/rpm] package after `rpm --delsign` differs from original, unsigned package (Issue #2382)
Cory Francis Myers
notifications at github.com
Mon Feb 6 20:13:22 UTC 2023
# package after `rpm --delsign` differs from original, unsigned package
## Description
To allow users to reproduce and verify our signed packages locally, we expect the result of `rpm --delsign package.rpm` to be bit-for-bit identical to the original unsigned `package.rpm`. This assumption held under RPM 4.14 but no longer holds under RPM 4.18. Is this a regression or a change in the expected behavior of `rpm --delsign`?
## Steps to reproduce
You can use the containerized reproduction in <https://gist.github.com/cfm/3559664c4f496fbb9beeade5f9411e5e>, or manually for some `package.rpm`:
1. `sha256sum package.rpm`
2. Sign `package.rpm`
3. `rpm --delsign package.rpm`
4. `sha256sum package.rpm`
## Expected behavior (RPM 4.14)
The hashes in steps (1) and (4) match.
## Actual behavior (RPM 4.18)
The hashes in steps (1) and (4) do not match.
## Comments
The containerized reproduction in <https://gist.github.com/cfm/3559664c4f496fbb9beeade5f9411e5e> gives you 60 seconds to grab `{before,after}.rpm` from the failing case. [diffoscope reports:]
```diff
--- a/before.rpm
+++ b/after.rpm
│┄ Format-specific differences are supported for RPM archives but no file-specific differences were detected; falling back to a binary diff.
```
[diffoscope reports:]: https://github.com/rpm-software-management/rpm/files/10668792/ucvrhqkppzba.txt
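When diffoscope falls back to a binary diff, as it does above, the next thing a maintainer wants to know is which region of the package actually changed: the lead, an entry in the signature header, an entry in the main header, or the payload. The following script is an added example, not part of this issue and not rpm's own code; it splits two `.rpm` files by walking the on-disk layout (96-byte lead, signature header padded to 8 bytes, main header, payload) and reports differences per header tag. Tag names come from rpm's `rpmtag.h`; only a small subset is labelled. The `build_rpm` helper fabricates minimal RPM-shaped byte strings so the example runs offline; they are constructed samples, not real packages.

```python
"""Locate where two RPM files differ (lead / signature header / main header /
payload). Added example for investigating a `--delsign` round-trip mismatch;
not rpm project code. Usage: diff_rpms(open(a,'rb').read(), open(b,'rb').read())."""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic, version 1
RPM_BIN_TYPE = 7

# Subset of tag names (from rpmtag.h), enough to label entries relevant to signing.
SIG_TAG_NAMES = {62: "HEADERSIGNATURES", 267: "DSAHEADER", 268: "RSAHEADER",
                 269: "SHA1HEADER", 273: "SHA256HEADER", 1000: "SIZE",
                 1002: "PGP", 1004: "MD5", 1005: "GPG", 1007: "PAYLOADSIZE",
                 1008: "RESERVEDSPACE"}
HDR_TAG_NAMES = {63: "HEADERIMMUTABLE", 1000: "NAME", 1001: "VERSION", 1002: "RELEASE"}


def parse_header(buf, off, align8):
    """Parse one header structure at buf[off]. Returns (tags, end): tags maps
    tag number -> raw bytes from that entry's offset up to the next entry's
    offset (alignment padding stays with the preceding entry); end is the
    offset just past the structure, padded to 8 bytes for the signature header."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError(f"no header magic at offset {off}")
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    data = buf[data_start:data_start + hsize]
    entries = []
    for i in range(nindex):
        tag, _typ, doff, _count = struct.unpack(
            ">IIII", buf[index_start + 16 * i:index_start + 16 * (i + 1)])
        entries.append((doff, tag))
    entries.sort()  # region trailers (tags 62/63) point at the end of data
    tags = {}
    for n, (doff, tag) in enumerate(entries):
        next_off = entries[n + 1][0] if n + 1 < len(entries) else hsize
        tags[tag] = data[doff:next_off]
    end = data_start + hsize
    if align8:
        end += -end % 8
    return tags, end


def split_rpm(buf):
    """Split a complete .rpm byte string into lead, signature, header, payload."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig, off = parse_header(buf, LEAD_SIZE, align8=True)
    hdr, off = parse_header(buf, off, align8=False)
    return {"lead": buf[:LEAD_SIZE], "signature": sig, "header": hdr, "payload": buf[off:]}


def diff_rpms(a, b):
    """Return human-readable lines saying where a and b differ; [] if identical."""
    pa, pb = split_rpm(a), split_rpm(b)
    out = []
    if pa["lead"] != pb["lead"]:
        out.append("lead differs")
    for region, names in (("signature", SIG_TAG_NAMES), ("header", HDR_TAG_NAMES)):
        ta, tb = pa[region], pb[region]
        for tag in sorted(set(ta) | set(tb)):
            label = f"{region} tag {tag} ({names.get(tag, '?')})"
            if tag not in ta:
                out.append(f"{label} only in second file")
            elif tag not in tb:
                out.append(f"{label} only in first file")
            elif ta[tag] != tb[tag]:
                out.append(f"{label} data differs ({len(ta[tag])} vs {len(tb[tag])} bytes)")
    if pa["payload"] != pb["payload"]:
        out.append("payload differs")
    return out


def build_header(entries, align8):
    """Build a header structure from [(tag, type, data)]; constructed test data only."""
    index, data = b"", b""
    for tag, typ, blob in entries:
        count = len(blob) if typ == RPM_BIN_TYPE else 1
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += blob
    out = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data
    return out + (b"\0" * (-len(out) % 8) if align8 else b"")


def build_rpm(sig_entries, hdr_entries, payload):
    """Assemble a minimal, constructed RPM-shaped byte string (not a real package)."""
    lead = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
    return lead + build_header(sig_entries, True) + build_header(hdr_entries, False) + payload


def demo():
    """Compare a constructed 'before' package with an 'after' that carries one
    extra signature-header entry, the kind of leftover a stripped signature can leave."""
    hdr = [(1000, 6, b"demo\0"), (1001, 6, b"1.0\0")]           # type 6 = STRING
    payload = b"constructed payload bytes"
    base_sig = [(1000, 4, struct.pack(">I", 123)), (1004, 7, bytes(16))]  # INT32, BIN
    before = build_rpm(base_sig, hdr, payload)
    after = build_rpm(base_sig + [(1008, 7, bytes(32))], hdr, payload)
    return diff_rpms(before, before), diff_rpms(before, after)


if __name__ == "__main__":
    same, changed = demo()
    print("identical:", same)
    print("before vs after:", *changed, sep="\n  ")
```

Each tag's data is compared as the raw byte span up to the next entry, so a change in entry ordering or alignment padding shows up as "data differs" even when the decoded value is the same; that is deliberate, since the question in this issue is bit-for-bit identity, not semantic equality.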