What were you trying to do that didn't work?
Attempting to import a pgp key that failed due to a signature mismatch in RHEL 8/9. However, rpm exited without useful messaging even with verbosity added.
[root@r9 ~]# rpm -vvv --import KEY_NAME
ufdio: 1 reads, 17654 total bytes in 0.000021 secs
ufdio: 1 reads, 5653 total bytes in 0.000004 secs
ufdio: 1 reads, 17654 total bytes in 0.000007 secs
ufdio: 1 reads, 3818 total bytes in 0.000003 secs
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: PRAGMA secure_delete = OFF: 0
D: PRAGMA case_sensitive_like = ON: 0
D: read h# 326
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-fd431d51-4ae0493b to keyring
D: read h# 327
Header SHA256 digest: OK
Header SHA1 digest: OK
D: added key gpg-pubkey-5a6340b3-6229229e to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
error: KEY_NAME: key 1 import failed.
Found that this is due to the comparison in the rpmDigestFinal function:
rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx)
{
    :
    rpmDigestFinal(ctx, (void **)&hash, &hashlen, 0);

    /* Compare leading 16 bits of digest for quick check. */
    if (hash == NULL || memcmp(hash, sig->signhash16, 2) != 0)
        goto exit;
Would it be possible to add messaging here so that we can see that there's a signature verification failure during this check?
Please provide the package NVR for which bug is seen:
rpm-4.16.1.3-27.el9_3.x86_64
How reproducible:
Every time given a bad signature
Steps to reproduce
- Attempt to import a key with a bad signature
# rpm -vvv --import KEY_NAME
Expected results
Message provided that rpm import failed due to signature hash not matching computed hash.
Actual results
rpm with verbosity just shows the key import fails without any messages about a failed signature check.
error: KEY_NAME: key 1 import failed.
- clones RHEL-24768 Provide useful error messages if rpm --import fails when comparing leading 16 bits of digest (Closed)
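A sketch of the kind of diagnostic requested above, as an added example that is not rpm's code or the fix that shipped: the same leading-16-bit comparison, but each failure cause produces its own message. The names `quick_check16` and `quick_check_rc` and the message wording are hypothetical, and the digest bytes in `main` are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example; these are not rpm's rpmRC values. */
typedef enum { QC_OK = 0, QC_NO_DIGEST, QC_SHORT_DIGEST, QC_MISMATCH } quick_check_rc;

/*
 * Compare the leading 16 bits of a computed digest with the two bytes stored
 * in the signature (sig->signhash16 in the excerpt above) and write the
 * reason for any failure into msg instead of failing silently.
 */
quick_check_rc quick_check16(const uint8_t *hash, size_t hashlen,
                             const uint8_t signhash16[2],
                             char *msg, size_t msglen)
{
    if (hash == NULL) {
        snprintf(msg, msglen, "signature check failed: no digest was computed");
        return QC_NO_DIGEST;
    }
    if (hashlen < 2) {
        snprintf(msg, msglen, "signature check failed: digest is only %zu byte(s)",
                 hashlen);
        return QC_SHORT_DIGEST;
    }
    if (memcmp(hash, signhash16, 2) != 0) {
        snprintf(msg, msglen,
                 "signature check failed: computed digest starts with %02x%02x, "
                 "signature expects %02x%02x",
                 hash[0], hash[1], signhash16[0], signhash16[1]);
        return QC_MISMATCH;
    }
    snprintf(msg, msglen, "digest prefix %02x%02x matches signature", hash[0], hash[1]);
    return QC_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from a real key. */
    const uint8_t computed[4] = { 0x12, 0x34, 0x56, 0x78 };
    const uint8_t expected[2] = { 0xab, 0xcd };
    char msg[128];

    quick_check_rc rc = quick_check16(computed, sizeof computed, expected,
                                      msg, sizeof msg);
    printf("rc=%d: %s\n", (int)rc, msg);
    return rc == QC_OK ? 0 : 1;
}
```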