[Rpm-maint] [rpm-software-management/rpm] package after `rpm --delsign` differs from original, unsigned package (Issue #2382)

Cory Francis Myers notifications at github.com
Mon Feb 6 20:13:22 UTC 2023


# package after `rpm --delsign` differs from original, unsigned package

## Description

To allow users to reproduce and verify our signed packages locally, we expect the result of `rpm --delsign package.rpm` to be bit-for-bit identical to the original unsigned `package.rpm`.  This assumption held under RPM 4.14 but no longer holds under RPM 4.18.  Is this a regression or a change in the expected behavior of `rpm --delsign`?

## Steps to reproduce

You can use the containerized reproduction in <https://gist.github.com/cfm/3559664c4f496fbb9beeade5f9411e5e>, or manually for some `package.rpm`:

1. `sha256sum package.rpm`
2. Sign `package.rpm`
3. `rpm --delsign package.rpm`
4. `sha256sum package.rpm`

## Expected behavior (RPM 4.14)

The hashes in steps (1) and (4) match.

## Actual behavior (RPM 4.18)

The hashes in steps (1) and (4) do not match.

## Comments

The containerized reproduction in <https://gist.github.com/cfm/3559664c4f496fbb9beeade5f9411e5e> gives you 60 seconds to grab `{before,after}.rpm` from the failing case.  [diffoscope reports:]

```diff
--- a/before.rpm
+++ b/after.rpm
│┄ Format-specific differences are supported for RPM archives but no file-specific differences were detected; falling back to a binary diff.
```

[diffoscope reports:]: https://github.com/rpm-software-management/rpm/files/10668792/ucvrhqkppzba.txt

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2382

Message ID: <rpm-software-management/rpm/issues/2382 at github.com>
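When diffoscope gives up and falls back to a binary diff, the next thing a reviewer wants to know is which region of the file moved: the lead, the signature header, its alignment padding, the main header, or the payload. The script below is an added example, not code from the issue author or from the rpm project. It splits two RPM files at the structural boundaries defined by the RPM format (96-byte lead, signature header padded to 8 bytes, main header, payload) and reports per-region SHA-256 hashes, so `before.rpm` and `after.rpm` from the reproduction can be compared at that granularity. The sample packages embedded in it are constructed by hand, just enough to be parsed, and the difference between them (a longer reserved-space entry in the signature header) is a hypothetical cause chosen only to exercise the comparison, not a claim about what rpm 4.18 actually changes.

```python
"""Region-level comparison of two RPM files.

Split each file into lead, signature header, alignment padding, main header
and payload, then report which regions differ.  Use it on {before,after}.rpm
when diffoscope falls back to a binary diff.
"""
import hashlib
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"     # 96-byte lead starts with this magic
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header: magic(4) reserved(4) nindex(4) hsize(4)
LEAD_SIZE = 96
INDEX_ENTRY_SIZE = 16                # tag, type, offset, count as big-endian u32

# Tag numbers from the RPM format (type 6 = STRING, 7 = BIN)
SIGTAG_SHA256, SIGTAG_RESERVEDSPACE = 273, 1008
RPMTAG_NAME, RPMTAG_VERSION = 1000, 1001


def header_extent(buf, off):
    """End offset of the header structure that starts at `off`."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError(f"no header magic at offset {off}")
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    return off + 16 + nindex * INDEX_ENTRY_SIZE + hsize


def split_rpm(buf):
    """Return the file's regions in file order as a dict of bytes."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    sig_end = header_extent(buf, LEAD_SIZE)
    hdr_start = sig_end + (-sig_end % 8)   # signature header is padded to 8 bytes
    hdr_end = header_extent(buf, hdr_start)
    return {
        "lead": buf[:LEAD_SIZE],
        "signature": buf[LEAD_SIZE:sig_end],
        "sigpad": buf[sig_end:hdr_start],
        "header": buf[hdr_start:hdr_end],
        "payload": buf[hdr_end:],          # compressed cpio archive, unparsed here
    }


def compare_rpms(before, after):
    """Map region name -> (sha256 before, sha256 after, identical?)."""
    a, b = split_rpm(before), split_rpm(after)
    result = {}
    for name in a:
        ha = hashlib.sha256(a[name]).hexdigest()
        hb = hashlib.sha256(b[name]).hexdigest()
        result[name] = (ha, hb, ha == hb)
    return result


def changed_regions(before, after):
    """Names of the regions whose bytes differ, in file order."""
    return [n for n, (_, _, same) in compare_rpms(before, after).items() if not same]


# --- constructed sample packages (not real RPMs, just enough to parse) ----

def build_header(entries):
    """entries: (tag, type, count, data); data laid out back to back, which is
    valid for STRING and BIN types since they need no alignment."""
    index, data = b"", b""
    for tag, typ, count, blob in entries:
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += blob
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(data)) + index + data)


def build_rpm(sig_entries, hdr_entries, payload):
    lead = LEAD_MAGIC + bytes([3, 0]) + b"\0" * 90   # v3.0 lead, remaining fields zeroed
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)
    return lead + sig + build_header(hdr_entries) + payload


HDR = [(RPMTAG_NAME, 6, 1, b"demo\0"), (RPMTAG_VERSION, 6, 1, b"1.0\0")]
PAYLOAD = b"constructed-payload-bytes"
DIGEST = hashlib.sha256(build_header(HDR)).hexdigest().encode() + b"\0"

# "original, unsigned" and "after --delsign": identical except that the
# signature header's reserved-space entry grew (a hypothetical cause chosen
# only to exercise the comparison, not a claim about rpm 4.18).
UNSIGNED = build_rpm([(SIGTAG_SHA256, 6, 1, DIGEST),
                      (SIGTAG_RESERVEDSPACE, 7, 32, b"\0" * 32)], HDR, PAYLOAD)
DELSIGNED = build_rpm([(SIGTAG_SHA256, 6, 1, DIGEST),
                       (SIGTAG_RESERVEDSPACE, 7, 64, b"\0" * 64)], HDR, PAYLOAD)

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 rpmregions.py before.rpm after.rpm
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            before, after = f.read(), g.read()
    else:
        before, after = UNSIGNED, DELSIGNED
    for name, (ha, hb, same) in compare_rpms(before, after).items():
        print(f"{name:10s} {'same' if same else 'DIFFERS'}  {ha[:16]}  {hb[:16]}")
```

Run it with the two files grabbed from the container as arguments; with no arguments it compares the constructed samples and reports only the signature region as differing. If a real pair shows the main header or payload changing, that is a stronger finding than a signature-header rewrite, since `--delsign` is only supposed to touch the signature header.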