On Mon, Oct 31, 2016 at 12:01 PM Panu Matilainen <pmati...@laiskiainen.org>
wrote:

> On 10/31/2016 05:17 PM, Florian Weimer wrote:
> > On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
> >> On Thu, 20 Oct 2016 16:42:02 +0000
> >> Christopher <ctubb...@fedoraproject.org> wrote:
> >>
> >>> What is the "Payload Hash" in koji?
> >>> It looks like an MD5, but of what? It's not the rpm... I've checked.
> >>> Should koji be providing verification hashes for manual downloads of
> >>> built RPMs? I think this would be useful for testing.
> >>>
> >>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
> >>
> >> I'm not sure either. I think it's the internal payload before adding
> >> the signatures, etc?
> >
> > It's the RPM_SIGTAG_MD5 RPM header:
> >
> >   SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> >     0000003e00000007ffffffa000000010
> >   SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> > "bbc33a4f6670d31817cd571de632f3190a72e1bf"
> >   SIGNATURE:SIGTAG_SIZE (INT32): 103674
> >   SIGNATURE:SIGTAG_MD5 (BIN):
> >     cdf775308f76e659385444b50ee26a7a
> >   SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
> >
> > I'm not completely sure over which part of the RPM it is computed.  I
> > suspect over the non-signature header followed by the decompressed payload.
>
> All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the
> (non-signature) header + compressed payload. Only the individual file
> digests are on uncompressed data.
>
>         - Panu -
>
>

Thanks. This was explained on https://pagure.io/koji/issue/190 with
instructions on how to verify.
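
As an added example (not code from this thread or from the koji issue), the following Python sketch recomputes the value Panu describes: it reads SIGTAG_MD5 from the signature header and compares it with an MD5 taken over everything after that header, that is, the non-signature header plus the compressed payload. It assumes the usual lead / signature header / header / payload layout; `build_sample` and `SAMPLE` are constructed test data, not a real package.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # fixed-size lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic plus version byte
SIGTAG_MD5, TYPE_BIN = 1004, 7       # signature tag number and RPM_BIN_TYPE


def payload_hash(rpm: bytes):
    """Return (stored SIGTAG_MD5, MD5 recomputed over header + compressed payload)."""
    if rpm[:4] != LEAD_MAGIC or rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("not an RPM package")
    # After magic (4) and reserved (4): index entry count and data store size.
    nindex, hsize = struct.unpack_from(">II", rpm, LEAD_SIZE + 8)
    index_start = LEAD_SIZE + 16
    store_start = index_start + 16 * nindex
    store = rpm[store_start:store_start + hsize]
    if len(store) != hsize:
        raise ValueError("truncated signature header")
    stored = None
    for i in range(nindex):
        tag, typ, off, cnt = struct.unpack_from(">IIII", rpm, index_start + 16 * i)
        if tag == SIGTAG_MD5:
            if typ != TYPE_BIN or cnt != 16 or off + 16 > hsize:
                raise ValueError("malformed SIGTAG_MD5 entry")
            stored = store[off:off + 16]
    if stored is None:
        raise ValueError("no SIGTAG_MD5 in signature header")
    # The signature header is padded to an 8-byte boundary; the digest covers the rest.
    signed_start = store_start + hsize + (-hsize % 8)
    return stored.hex(), hashlib.md5(rpm[signed_start:]).hexdigest()


def build_sample(body: bytes) -> bytes:
    """Constructed minimal package: lead, signature header (SIZE + MD5 tags), then body."""
    store = struct.pack(">I", len(body)) + hashlib.md5(body).digest()
    index = (struct.pack(">IIII", 1000, 4, 0, 1)                # SIGTAG_SIZE, INT32
             + struct.pack(">IIII", SIGTAG_MD5, TYPE_BIN, 4, 16))
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + bytes(-len(store) % 8) + body


# Constructed stand-in for "main header + compressed payload".
SAMPLE = build_sample(b"constructed main header + compressed payload bytes")

if __name__ == "__main__":
    stored, computed = payload_hash(SAMPLE)
    print("match" if stored == computed else "MISMATCH", stored, computed)
```

A match only shows the file is intact relative to its own signature header; MD5 is not collision resistant, so it is an integrity check against corruption, not proof of origin.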