
Re: Signing packages on RH73 and RH9 results in other output



On Wed, 27 Aug 2003, Jeff Johnson wrote:

> Dag Wieers wrote:
> 
> >I guess this is yet another issue that nobody really cares about, but what 
> >the heck, just for the record.
> 
> Hmmm, I care.

Ok ;)


> >If you sign a set of packages (RH62, RH73, RH80 and RH9) on a RH73 and you 
> >do the same on an identical copy on RH9 (of course with the same key), your 
> >packages will not be the same anymore.
>
> "same" details please. And version of rpm used for signing.

Signing happened on an updated RH73 and an updated RH9 (clean in the 
sense that no other package was used for the affected functionality).

 
> >They still seem to work though (at least the RH73 signed ones work on RH9) 
> >but there's no way that you can do this and hope that you can just rsync 
> >without it redoing all the files.
> 
> All signatures are different. Since in package, yes, rsync will notice.

Well, I would have guessed that the size of the files would at least 
have been the same and this is something rsync (given the right options) should 
be able to overcome. I have not tried rsyncing as a test-run indicated 
rsync would have deleted all the files and re-uploaded them. (and given 
the bandwidth and limitations it would have cost me and would have taken 
almost 3 days)

I still have a copy of the files, so I can send you 2 smaller packages 
that were identical before they had been signed on the RH73 and RH9.


> >If you then think to be clever (ha!) to build a rpm-4.2-1 for RH73 and 
> >--resign them, don't bother as there is no way you can (re)sign them with 
> >the same key, let alone remove an existing signature.
>
> Not true, but depends on key and version of rpm used to sign.

Well, it was rpm-4.0.4-7x.18.i386.rpm (RH73) and rpm-4.2-0.69 (RH9).


> >This also bit me tonight and well, caused me a lot of grief. It's not been 
> >my lucky RPM week, that's for sure.
> 
> Find me on irc and I'll walk you through what you need to do.
> 
> The underlying issue(s) are:
>     a) transitioning between header+payload and header-only signatures.
>     b) using beecrypt, not gpg, for signature verification.
>     c) changes wrto --addsign/--resign, they behave identically now, 
> didn't always.
>     d) always verifying signature/digest if possible.
> 
> Yes there are different behaviors, because there are largish changes.

Ok, I just didn't expect that ;) I solved the whole thing by downloading 
the RH73-signed packages (I have cable) and used that as the basis, 
because it seemed that these would also work on RH9 (I haven't tested it 
the other way around).

Unless you want to debug/analyse what happened, there's no need for me to 
clarify the situation. I just wanted to inform people here ;)

As I said I can send you an example of 2 packages that were signed on both 
systems and were different in size. But I don't expect any additional 
effort, certainly if it is what you would have expected anyway.

Kind regards,
--   dag wieers,  dag@wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]
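Jeff's point (a) above, the move from header+payload signatures to header-only signatures, is the reason two packages signed with the same key on rpm-4.0.4 and rpm-4.2 come out a different size: the newer rpm writes extra entries (a SHA1 digest of the header and a DSA signature over the header) into the signature header that sits between the 96-byte lead and the main header. The following script is an added example, not code from this thread or from the rpm project. It parses the real on-disk signature-header layout (magic, index entries, data block) and reports which signature tags each file carries, which is a cheap way to check, before rsyncing, whether a re-signed tree differs in signature style rather than in content. The two input blobs are constructed in the script with dummy digest and signature bytes; the helper names (`build_lead`, `build_signature_header`, `parse_signature_header`, `diff_signature_headers`) are my own. To inspect real files, read the `.rpm` into a bytes object and pass it to `parse_signature_header`.

```python
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HDR_MAGIC = b"\x8e\xad\xe8\x01"   # header magic (0x8eade8) followed by version 1

# rpmsigtag numbers; names follow rpm's own naming
SIGTAG_NAMES = {
    62: "HEADERSIGNATURES",
    267: "DSA",          # header-only DSA signature (rpm 4.1+)
    268: "RSA",          # header-only RSA signature
    269: "SHA1HEADER",   # SHA1 digest over the main header only
    1000: "SIZE",        # size of header + payload
    1004: "MD5",         # MD5 over header + payload
    1005: "GPG",         # header+payload GPG signature (rpm 4.0.x style)
    1007: "PAYLOADSIZE",
}
TYPE_INT32, TYPE_STRING, TYPE_BIN = 4, 6, 7


def build_lead(name=b"example-1.0-1"):
    """Construct a 96-byte RPM lead (constructed sample, not a real package)."""
    return (LEAD_MAGIC + bytes([3, 0])          # magic, major 3, minor 0
            + struct.pack(">hh", 0, 1)          # type=binary, archnum=1 (i386)
            + name.ljust(66, b"\0")             # package name, NUL padded
            + struct.pack(">hh", 1, 5)          # osnum=1 (Linux), signature_type=5
            + b"\0" * 16)                       # reserved


def build_signature_header(entries):
    """Construct a signature header from [(tag, type, data_bytes)].

    Layout: magic, 4 reserved bytes, nindex, hsize, nindex 16-byte index
    entries (tag, type, offset, count), then the data block. INT32 data is
    4-byte aligned and the whole block is padded to a multiple of 8.
    """
    index, data = b"", b""
    for tag, typ, payload in entries:
        if typ == TYPE_INT32:
            data += b"\0" * (-len(data) % 4)
            count = len(payload) // 4
        elif typ == TYPE_STRING:
            count = 1
        else:
            count = len(payload)
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += payload
    data += b"\0" * (-len(data) % 8)
    return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def parse_signature_header(blob):
    """Return {tag_name: data_length} for the signature header of an RPM blob."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    off = LEAD_SIZE
    if blob[off:off + 4] != HDR_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    data = blob[data_start:data_start + hsize]
    found = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">IIII", blob[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == TYPE_INT32:
            length = 4 * count
        elif typ == TYPE_STRING:
            length = data.index(b"\0", offset) - offset + 1   # include the NUL
        else:
            length = count
        found[SIGTAG_NAMES.get(tag, "TAG%d" % tag)] = length
    return found


def diff_signature_headers(blob_a, blob_b):
    """Tags present in only one of the two packages, plus the file sizes."""
    a, b = parse_signature_header(blob_a), parse_signature_header(blob_b)
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "size_a": len(blob_a), "size_b": len(blob_b)}


# Constructed samples: digest and signature bytes are dummy values.
# Older rpm (4.0.x) writes SIZE, MD5 and one GPG signature over header+payload.
OLD_STYLE = build_lead() + build_signature_header([
    (1000, TYPE_INT32, struct.pack(">I", 123456)),
    (1004, TYPE_BIN, b"\x11" * 16),
    (1005, TYPE_BIN, b"\x22" * 65),
])
# rpm 4.1+ additionally writes SHA1HEADER and a header-only DSA signature,
# so the file grows even when the same key is used.
NEW_STYLE = build_lead() + build_signature_header([
    (1000, TYPE_INT32, struct.pack(">I", 123456)),
    (1004, TYPE_BIN, b"\x11" * 16),
    (1005, TYPE_BIN, b"\x22" * 65),
    (269, TYPE_STRING, b"0" * 40 + b"\0"),
    (267, TYPE_BIN, b"\x33" * 65),
])

if __name__ == "__main__":
    print(diff_signature_headers(OLD_STYLE, NEW_STYLE))
```

The parser only reads the signature header, so it never touches the payload and is safe to run over an untrusted file before `rpm -K`. A real header-only signature covers the main header, whose SHA1 is listed in SHA1HEADER, while the older GPG entry covers header plus payload; a tree re-signed by a newer rpm therefore differs in this region only, which is why `rsync` sees every file as changed even though the payloads are identical.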
