RHEL-24768

Provide useful error messages if rpm --import fails when comparing leading 16 bits of digest

    • Type: Bug
    • Resolution: Can't Do
    • Priority: Normal
    • rhel-8.9.0
    • rpm
    • Moderate
    • rhel-sst-cs-software-management
    • ssg_core_services
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      Attempting to import a PGP key that failed due to a signature mismatch in RHEL 8/9. However, rpm exited without useful messaging even with verbosity added.

      [root@r9 ~]# rpm -vvv --import KEY_NAME
      ufdio: 1 reads, 17654 total bytes in 0.000021 secs
      ufdio: 1 reads, 5653 total bytes in 0.000004 secs
      ufdio: 1 reads, 17654 total bytes in 0.000007 secs
      ufdio: 1 reads, 3818 total bytes in 0.000003 secs
      D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
      D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
      D: loading keyring from rpmdb
      D: PRAGMA secure_delete = OFF: 0
      D: PRAGMA case_sensitive_like = ON: 0
      D: read h# 326
      Header SHA256 digest: OK
      Header SHA1 digest: OK
      D: added key gpg-pubkey-fd431d51-4ae0493b to keyring
      D: read h# 327
      Header SHA256 digest: OK
      Header SHA1 digest: OK
      D: added key gpg-pubkey-5a6340b3-6229229e to keyring
      D: Using legacy gpg-pubkey(s) from rpmdb
      error: KEY_NAME: key 1 import failed.


      Found that this is due to the comparison in the rpmDigestFinal function:


      rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx)
      {
          ...
          rpmDigestFinal(ctx, (void **)&hash, &hashlen, 0);

          /* Compare leading 16 bits of digest for quick check. */
          if (hash == NULL || memcmp(hash, sig->signhash16, 2) != 0)
              goto exit;

      Would it be possible to add messaging here so that we can see that there's a signature verification failure during this check?


      Please provide the package NVR for which bug is seen:

      rpm-4.14.3-28.el8_9.x86_64


      How reproducible:

      Every time given a bad signature

      Steps to reproduce

      1. Attempt to import a key with a bad signature
      # rpm -vvv --import KEY_NAME

      Expected results

      Message provided that rpm import failed due to signature hash not matching computed hash.

      Actual results

      rpm with verbosity just shows the key import fails without any messages about a failed signature check.

      error: KEY_NAME: key 1 import failed.
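      The quick check quoted above compares the first two bytes of the freshly computed digest with the "left 16 bits of signed hash value" field that every OpenPGP v4 signature packet carries (RFC 4880, section 5.2.3); rpm keeps that field in sig->signhash16. The following is an added illustration, not rpm's code: it locates that field in a v4 signature packet body, performs the same two-byte comparison, and writes a diagnostic saying which prefix the packet carries and which one was computed, which is the kind of message the report asks for. The packet bytes and the two digests are constructed samples standing in for real key material and for rpmDigestFinal() output; the function names (sig_v4_left16, sig_quick_check, quick_check_sample) are hypothetical.

```c
/*
 * Added example, not part of rpm: find the left-16-bits field of an
 * OpenPGP v4 signature packet body and run the digest-prefix quick check
 * with a useful error message instead of a silent failure.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sig_quick { SIG_QUICK_OK = 0, SIG_QUICK_BADPKT = 1, SIG_QUICK_MISMATCH = 2 };

/* Walk a v4 signature packet body (packet header already removed):
 * version, type, pk algo, hash algo, hashed subpackets, unhashed
 * subpackets, then the 2-byte left16 field. Returns NULL if malformed. */
static const uint8_t *sig_v4_left16(const uint8_t *body, size_t len)
{
    size_t off;
    if (len < 6 || body[0] != 4)          /* v4 packets only */
        return NULL;
    off = 4;                              /* version, type, pkalg, hashalg */
    for (int i = 0; i < 2; i++) {         /* hashed, then unhashed subpacket area */
        if (off + 2 > len)
            return NULL;
        size_t sublen = ((size_t)body[off] << 8) | body[off + 1];
        off += 2;
        if (sublen > len - off)           /* length field runs past the packet */
            return NULL;
        off += sublen;
    }
    if (off + 2 > len)
        return NULL;
    return body + off;
}

/* Same two-byte comparison as rpm's quick check, but with a diagnostic. */
static enum sig_quick sig_quick_check(const uint8_t *body, size_t len,
                                      const uint8_t *hash, size_t hashlen,
                                      char *msg, size_t msglen)
{
    const uint8_t *left16 = sig_v4_left16(body, len);
    if (left16 == NULL) {
        snprintf(msg, msglen, "malformed v4 signature packet (%zu bytes)", len);
        return SIG_QUICK_BADPKT;
    }
    if (hash == NULL || hashlen < 2) {
        snprintf(msg, msglen, "no digest computed for signature");
        return SIG_QUICK_BADPKT;
    }
    if (memcmp(hash, left16, 2) != 0) {
        snprintf(msg, msglen,
                 "signature digest prefix mismatch: packet has %02x%02x, computed %02x%02x",
                 left16[0], left16[1], hash[0], hash[1]);
        return SIG_QUICK_MISMATCH;
    }
    msg[0] = '\0';
    return SIG_QUICK_OK;
}

/* Constructed sample: v4 positive certification (0x13), RSA (1), SHA-256 (8),
 * no subpackets, left16 = ab cd, followed by a dummy 8-bit MPI. */
static const uint8_t sample_sig_body[] = {
    0x04, 0x13, 0x01, 0x08,
    0x00, 0x00,            /* hashed subpacket area length */
    0x00, 0x00,            /* unhashed subpacket area length */
    0xab, 0xcd,            /* left 16 bits of the signed hash */
    0x00, 0x08, 0xff       /* MPI, not used by the check */
};

/* Constructed digests standing in for rpmDigestFinal() output. */
static const uint8_t good_hash[32] = { 0xab, 0xcd, 0x11, 0x22 };
static const uint8_t bad_hash[32]  = { 0xab, 0xce, 0x11, 0x22 };

/* Last diagnostic written by quick_check_sample(), for inspection. */
static char last_msg[128];

/* Run the check against the constructed packet with a caller-supplied digest. */
static enum sig_quick quick_check_sample(const uint8_t *hash, size_t hashlen)
{
    return sig_quick_check(sample_sig_body, sizeof sample_sig_body,
                           hash, hashlen, last_msg, sizeof last_msg);
}

int main(void)
{
    enum sig_quick rc;
    rc = quick_check_sample(good_hash, sizeof good_hash);
    printf("good digest: rc=%d %s\n", (int)rc, last_msg);
    rc = quick_check_sample(bad_hash, sizeof bad_hash);
    printf("bad digest:  rc=%d %s\n", (int)rc, last_msg);
    return 0;
}
```

      Run stand-alone it reports rc=0 for the matching digest and rc=2 with the two prefixes spelled out for the mismatching one; the point is only that a two-byte compare is cheap to explain, so a failed quick check can name both values rather than falling through to a bare "import failed".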

              packaging-team-maint packaging-team-maint
              rhn-support-ckrell Charlie Krell
              packaging-team-maint packaging-team-maint
              Software Management QE Software Management QE