[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: rpm-4.0.4: --addsign clobbers sigs added with -ba --sign

From: Jeff Johnson <jbj redhat com>
To: rpm-list redhat com
Subject: Re: rpm-4.0.4: --addsign clobbers sigs added with -ba --sign
Date: Fri, 13 Sep 2002 13:43:43 -0400

On Fri, Sep 06, 2002 at 03:53:36PM -0500, Matthew Callaway wrote:
> By the silence I can only assume that this is a low-priority problem.
> This is understandable.
> 

Dunno about "low-priority", there's also ignorance and obscurity that
need to be considered :-)

Plus I was on vacation :-) :-)

Yes, --addsign has the behavior you describe, i.e. adding Yet Another Tag
to the signature header. The --resign options was intended to replace
a signature, and --addsign has always been broken if used more than
once, as which tag (if multiple occurences) is retrieved from a header
is determined solely by bsearch(3). Not pretty.

IMHO, the distinction between --addsin/--resign is overly subtle and
nuanced, broken by design I say.

So, rpm-4.1 now has both --resign and --addsign for legacy CLI compatibility,
but both do exactly the same thing, i.e. throw out the old signature
and replace with a new signature. (Note: there is check to prevent
resigning a package with the same key that was added so that resigning
packages here at Red Hat didn't change package MD5 sums, but this too
is the Wrong Thing To Do IMHO, file MD5 sums shouldn't be used to
verify package integrity if packages are mutable).

> Is it perhaps the case that this is a known issue that will be resolved
> with the move to native GPG signature handling in rpm-4.1?
> 

Basically yes, but it's gonna take a while (like another 2 years, sigh)
to make the transition. FWIW, rpm-4.1 verifies natively, but still signs
with a gpg helper. There are also 2 package signatures now, the old
header+payload, the new header-only. The header-only signature is verified
(if present) when a header is read or written.

> For anyone who cares, you can work around this problem by signing
> packages with --addsign after you build them, rather than with --sign at
> build time.
> 

Yup, --sign during build needs to be (and will be) killed off as well.

Old code dies a lingering death.

HTH

73 de Jeff

-- 
Jeff Johnson	ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC

References:
- Re: rpm-4.0.4: --addsign clobbers sigs added with -ba --sign
  - From: Matthew Callaway <matt-rpm@kindjal.net>

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] []