[Rpm-maint] [rpm-software-management/rpm] rpmsign --delsign / --addsign regression corrupt packages in rpm >= 4.18.1 (Issue #3469)

Panu Matilainen notifications at github.com
Mon Nov 25 16:20:22 UTC 2024


A regression found by RH QE while testing something related:

```
[pmatilai🎩︎lumikko ~]$ rpmkeys -Kv /tmp/bash-5.2.26-4.el10.x86_64.rpm 
/tmp/bash-5.2.26-4.el10.x86_64.rpm:
    Header OpenPGP V4 RSA/SHA256 signature, key ID 199e2f91fd431d51: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    Legacy OpenPGP V4 RSA/SHA256 signature, key ID 199e2f91fd431d51: NOKEY
[pmatilai🎩︎lumikko ~]$ rpmsign --delsign /tmp/bash-5.2.26-4.el10.x86_64.rpm
[pmatilai🎩︎lumikko ~]$ rpmkeys -Kv /tmp/bash-5.2.26-4.el10.x86_64.rpm 
/tmp/bash-5.2.26-4.el10.x86_64.rpm:
error: /tmp/bash-5.2.26-4.el10.x86_64.rpm: hdr magic: BAD
[pmatilai🎩︎lumikko ~]$
```

It's caused by https://github.com/rpm-software-management/rpm/commit/a94e971dbb10e8bc929108a65c7bb1d5b1d9e77e, i.e. the fix for #2382. It doesn't happen with all packages; it probably has to do with the RH signing server not adjusting the reserved space at all when signing packages, and something in the rpmsign assumptions then fails miserably.

Once the issue is properly understood, crafting a public reproducer shouldn't be too hard.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3469
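
For readers following the `hdr magic: BAD` error above, this added example (not rpm's code and not part of the original message) walks the lead, signature header and main header of a package image and reports where a header magic is missing. The sample packages are constructed in memory, and the mismatched size field is an assumption chosen to trigger the error, not a claim about the root cause of this issue.

```python
import struct

LEAD_MAGIC = bytes.fromhex("edabeedb")   # first 4 bytes of the 96-byte lead
HDR_MAGIC = bytes.fromhex("8eade801")    # first 4 bytes of each header section
LEAD_SIZE = 96

def read_header(buf, off):
    """Return the end offset of the header section that starts at off."""
    intro = buf[off:off + 16]
    if len(intro) < 16 or intro[:4] != HDR_MAGIC:
        raise ValueError("hdr magic: BAD at offset %d" % off)
    n_index, data_size = struct.unpack(">II", intro[8:16])
    end = off + 16 + 16 * n_index + data_size
    if end > len(buf):
        raise ValueError("header at offset %d runs past end of file" % off)
    return end

def check_package(buf):
    """Walk lead, signature header and main header; return 'OK' or an error."""
    if buf[:4] != LEAD_MAGIC:
        return "lead magic: BAD"
    try:
        sig_end = read_header(buf, LEAD_SIZE)
        main_off = (sig_end + 7) & ~7    # signature header is padded to 8 bytes
        read_header(buf, main_off)
    except ValueError as exc:
        return str(exc)
    return "OK"

def build_header(entries, data):
    """Constructed helper: serialize index entries plus a data blob."""
    out = HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data))
    for tag, typ, offset, count in entries:
        out += struct.pack(">IIII", tag, typ, offset, count)
    return out + data

def build_package(reserved_len, declared_len=None):
    """Constructed sample: lead, signature header with reserved space, main header."""
    lead = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
    # tag 1008 = reserved space, type 7 = binary
    sig = build_header([(1008, 7, 0, reserved_len)], b"\0" * reserved_len)
    if declared_len is not None:         # assumption: only the size field changes
        sig = sig[:12] + struct.pack(">I", declared_len) + sig[16:]
    sig += b"\0" * (-len(sig) % 8)
    main = build_header([(1000, 6, 0, 1)], b"bash\0")   # tag 1000 = name, type 6 = string
    return lead + sig + main

if __name__ == "__main__":
    print(check_package(build_package(32)))                   # consistent sizes
    print(check_package(build_package(32, declared_len=24)))  # size field too small
```

Running a check like this, or `rpmkeys -Kv` as in the report, against a copy of the package after `rpmsign --delsign` or `--addsign` catches the corruption before the original file is replaced.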