Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-24768

Provide useful error messages if rpm --import fails when comparing leading 16 bits of digest

    XMLWordPrintable

Details

    • Bug
    • Resolution: Can't Do
    • Normal
    • None
    • rhel-8.9.0
    • rpm
    • Normal
    • sst_cs_software_management
    • ssg_core_services
    • False
    • Hide

      None

      Show
      None
    • Red Hat Enterprise Linux

    Description

      What were you trying to do that didn't work?

      Attempting to import a pgp key that failed due to a signature mismatch in RHEL 8/9.  However, rpm exited without useful messaging even with verbosity added.

      {{}}

      {{[root@r9 ~]# rpm -vvv --import KEY_NAME
      ufdio: 1 reads, 17654 total bytes in 0.000021 secs
      ufdio: 1 reads, 5653 total bytes in 0.000004 secs
      ufdio: 1 reads, 17654 total bytes in 0.000007 secs
      ufdio: 1 reads, 3818 total bytes in 0.000003 secs
      D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
      D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
      D: loading keyring from rpmdb
      D: PRAGMA secure_delete = OFF: 0
      D: PRAGMA case_sensitive_like = ON: 0
      D: read h# 326
      Header SHA256 digest: OK
      Header SHA1 digest: OK
      D: added key gpg-pubkey-fd431d51-4ae0493b to keyring
      D: read h# 327
      Header SHA256 digest: OK
      Header SHA1 digest: OK
      D: added key gpg-pubkey-5a6340b3-6229229e to keyring
      D: Using legacy gpg-pubkey(s) from rpmdb
      error: KEY_NAME: key 1 import failed.}}

       

      Found that this is due to the comparison in the rpmDigestFinal function:

       

      1228 rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx)
1229 {
 :
1252     rpmDigestFinal(ctx, (void **)&hash, &hashlen, 0);
1253 
1254     /* Compare leading 16 bits of digest for quick check. */
1255     if (hash == NULL || memcmp(hash, sig->signhash16, 2) != 0)
1256         goto exit;

      Would it be possible to add messaging here so that we can see that there's a signature verification failure during this check?

       

      Please provide the package NVR for which bug is seen:

      rpm-4.14.3-28.el8_9.x86_64

       

      How reproducible:

      Every time given a bad signature

      Steps to reproduce

      1. Attempt to import a key with a bad signature
      # rpm -vvv --import KEY_NAME

      Expected results

      Message provided that rpm import failed due to signature hash not matching computed hash.

      Actual results

      rpm with verbosity just shows the key import fails without any messages about a failed signature check.

      {{}}

      error: KEY_NAME: key 1 import failed.

      {{}}

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. RHEL-24769 RHEL 9 Provide useful error messages if rpm --import fails when comparing leading 16 bits of digest

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Activity

            People

              packaging-team-maint packaging-team-maint
              rhn-support-ckrell Charlie Krell
              packaging-team-maint packaging-team-maint
              Software Management QE Software Management QE
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: