On Feb 15, 2015, at 5:00 AM, Jan Rękorajski wrote:

> On Sun, 15 Feb 2015, Jan Rękorajski wrote:
>
>> On Sat, 14 Feb 2015, Jeffrey Johnson wrote:
>>
>>> On Feb 13, 2015, at 10:06 AM, Jeffrey Johnson wrote:
>>>
>>>>> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <g...@pld-linux.org> wrote:
>>>>>
>>>>> On 12.02.2015 19:55, Jeffrey Johnson wrote:
>>>>>> OK. So you have a workaround (by disabling header signature
>>>>>> verification) for -Va for the moment.
>>>>>> and also have an alternative means to verify header signatures using a
>>>>>> shell loop.
>>>>> I'm surprised that rpm -Va and rpm -V $pkgname use different code paths. So
>>>>> you're saying that (with my current package patch) header verification is
>>>>> disabled for both? (As no header verification errors are printed.)
>>>>>
>>>> They (rpm -Va and rpm -V) don't use different code paths: there is hidden
>>>> state associated with pubkey retrieval to minimize network/rpmdb access.
>>>>
>>> Try a patch similar (this is from cvs, not from rpm-5.4.15) to the attached
>>> (I've forgotten where the patch came from, perhaps PLD or ROSA).
>>>
>>> The issue is/was resetting stateful variables when more than one pubkey is
>>> present. Which explains why an RSA key was identified as DSA, and also
>>> explains why "rpm -V pkg" works, but "rpm -Va" doesn't.
>>
>> We have a similar patch already applied (from Mandriva); this doesn't fix
>> anything. Also disabling openmp doesn't fix anything.
>
> Debug run for a random package. No key verification disabling hacks applied.
> It looks like you're losing the DSA key somewhere.
>
> # rpm -Vvv issue
> D: pool fd: created size 392 limit -1 flags 0
> D: pool iob: created size 48 limit -1 flags 0
> D: pool mire: created size 136 limit -1 flags 0
> D: pool lua: created size 64 limit -1 flags 0
> D: pool ts: created size 1200 limit -1 flags 0
> D: pool gi: created size 176 limit -1 flags 0
> D: pool db: created size 328 limit -1 flags 0
> D: pool dbi: created size 472 limit -1 flags 0
> D: rpmdb: cpus 4 physmem 7956Mb
> D: opening db environment /var/lib/rpm/Packages thread:lock:log:mpool:txn
> D: opening db index /var/lib/rpm/Packages thread:rdonly:auto_commit mode=0x0
> D: opening db index /var/lib/rpm/Nvra thread:rdonly:auto_commit mode=0x0
> D: pool mi: created size 152 limit -1 flags 0
> D: pool h: created size 360 limit -1 flags 0
> D: pool fi: created size 560 limit -1 flags 0
> D: pool dig: created size 424 limit -1 flags 0
> D: pool ctx: created size 112 limit -1 flags 0
> D: pool bf: created size 56 limit -1 flags 0
> D: pool hkp: created size 128 limit -1 flags 0
> D: opening db index /var/lib/rpm/Pubkeys thread:rdonly:auto_commit mode=0x0
> D: PUB: AF3F93BC E4F1BC2D V4 DSA
> D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
> D: PUB: 732FDFDE EAE6F8B8 V4 RSA
> D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
> D: UID: RSApub (PLD Linux Distribution 3.0 (Th)) <th-ad...@pld-linux.org>

I am confused by the UID here: is this an RSA or a DSA key? It looks like a DSA key signed by itself as well as an RSA positive certification and UID binding signature.

I've been looking for RSA issues: I'm even more surprised at a regression with DSA. But I'm not too surprised that more complicated key structures may be causing issues.

Originally rpm saved only the 1st packet of a pubkey containing the key material. In order to attach/display a UID, the binding signature is verified, and the entire pubkey, with all certifications, is now saved in an rpmdb. This is another change in rpm-5.4.15.

Try using gnupg to edit the 0xE4F1BC2D pubkey, and strip out everything but the self-signed positive certification, and export/import into an rpmdb. See if that verifies.

There should be no network hkp access if you have imported the needed pubkeys correctly.

> D: pool u: created size 288 limit -1 flags 0
>
> <
> a very long wait here, +10 for trying to connect to
> non-working keyservers, a.k.a. hkp://keys.rpm5.org
>

So some pubkey needed for verification is not imported because HKP is attempting a lookup.

Yes, you need to configure a better key server than keys.rpm5.org if expecting reasonable response service.

> Disabling keyserver lookup only removes the delay,
> key verification still fails.
>
> D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#4283454898[0])
> error: rpmdb (h#4283454157): Header V4 DSA signature: BAD, key ID e4f1bc2d
> ........ c /etc/issue
> ........ c /etc/issue.net
> D: pool tsi: created size 48 limit -1 flags 0
> D: pool te: created size 368 limit -1 flags 0
> D: pool ds: created size 232 limit -1 flags 0
> D: pool al: created size 64 limit -1 flags 0
> D: ========== +++ issue-3.0-6.noarch noarch/linux 0x0
> D: pool ps: created size 40 limit -1 flags 0
> D: opening db index /var/lib/rpm/Providename thread:rdonly:auto_commit mode=0x0
> D: Requires: pld-release = 3.0 YES (db provides)
> D: Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1 YES (rpmlib provides)
> D: Conflicts: issue-alpha < 3.0-1 NO
> D: Conflicts: issue-fancy < 3.0-1 NO
> D: Conflicts: issue-logo < 3.0-1 NO
> D: Conflicts: issue-nice < 3.0-1 NO
> D: Conflicts: issue-pure < 3.0-1 NO
> D: opening db index /var/lib/rpm/Filepaths thread:rdonly:auto_commit mode=0x0
> D: Dirs: /etc YES (db files)
> D: opening db index /var/lib/rpm/Conflictname thread:rdonly:auto_commit mode=0x0
> D: Conflicts: issue < 3.0-1 NO
> D: closed db index /var/lib/rpm/Filepaths
> D: closed db index /var/lib/rpm/Nvra
> D: closed db index /var/lib/rpm/Pubkeys
> D: closed db index /var/lib/rpm/Conflictname
> D: closed db index /var/lib/rpm/Providename
> D: closed db index /var/lib/rpm/Packages
> D: closed db environment /var/lib/rpm/Packages
> D: pool gi: reused 0, alloc'd 1, free'd 1 items.
> D: pool mi: reused 11, alloc'd 3, free'd 3 items.
> D: pool tsi: reused 11, alloc'd 1, free'd 1 items.
> D: pool ts: reused 0, alloc'd 1, free'd 1 items.
> D: pool te: reused 0, alloc'd 1, free'd 1 items.
> D: pool ps: reused 0, alloc'd 1, free'd 1 items.
> D: pool al: reused 0, alloc'd 1, free'd 1 items.
> D: pool ds: reused 24, alloc'd 14, free'd 14 items.
> D: pool fi: reused 0, alloc'd 2, free'd 2 items.
> D: pool db: reused 0, alloc'd 1, free'd 1 items.
> D: pool dbi: reused 0, alloc'd 6, free'd 6 items.
> D: pool h: reused 3, alloc'd 3, free'd 3 items.
> D: pool lua: reused 0, alloc'd 1, free'd 1 items.
> D: pool hkp: reused 0, alloc'd 2, free'd 2 items.
> D: pool mire: reused 1, alloc'd 3, free'd 3 items.
> D: pool bf: reused 0, alloc'd 3, free'd 3 items.
> D: pool ctx: reused 7, alloc'd 2, free'd 2 items.
> D: pool iob: reused 1, alloc'd 1, free'd 1 items.
> D: pool dig: reused 1, alloc'd 2, free'd 2 items.
> D: pool u: reused 0, alloc'd 1, free'd 1 items.
> D: pool fd: reused 28, alloc'd 2, free'd 2 items.
> D: exit code: 0
>
> --
> Jan Rękorajski | PLD/Linux
> SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en@lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
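The suggestion above is to reduce the 0xE4F1BC2D pubkey to its primary key packet plus the self-signed positive certification before importing it into an rpmdb, because rpm-5.4.15 now stores and evaluates the whole certificate (subkeys, third-party certifications) rather than only the first packet. The following is an added example, not code from this thread, from rpm or from gnupg: a small OpenPGP packet walker that does that stripping programmatically, so you can see exactly which packets an exported key carries and keep only the primary key, its User IDs and the 0x13 positive certifications whose issuer subpacket names the primary key itself. It parses both old- and new-format packet headers (RFC 4880 section 4.2) and computes the v4 key ID the way rpm's debug output prints it (low 64 bits of the SHA-1 fingerprint, RFC 4880 section 12.2); it does not verify any signature. The sample key, its parameters, the User ID string and the function names are all constructed for this example and are not valid DSA/RSA material.

```python
"""Reduce an OpenPGP public-key stream to primary key + UIDs + positive
self-certifications. Packet framing per RFC 4880; no signature verification.
Added example; the sample key below is constructed and cryptographically bogus."""
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_PUBSUBKEY = 2, 6, 13, 14
SIG_POSITIVE_CERT = 0x13   # "positive certification of a User ID"
SUBPKT_ISSUER = 16         # 8-byte issuer key ID subpacket


def parse_packets(data):
    """Return [(tag, body)] for a binary (non-armored) packet stream."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:                               # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial-body lengths not supported")
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        out.append((tag, body))
        i += hdr + length
    return out


def v4_key_id(key_body):
    """Key ID = low 64 bits of the v4 fingerprint SHA-1(0x99 || len || body)."""
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()
    return fp[-8:]


def parse_subpackets(area):
    """Return [(type, value)] for a signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        sub = area[i + hdr:i + hdr + length]
        out.append((sub[0] & 0x7F, sub[1:]))       # strip the "critical" bit
        i += hdr + length
    return out


def sig_info(sig_body):
    """(signature type, issuer key ID or None) of a v4 signature packet."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[p:p + 2])[0]
    subs = parse_subpackets(sig_body[6:p]) + parse_subpackets(sig_body[p + 2:p + 2 + unhashed_len])
    issuer = next((v for t, v in subs if t == SUBPKT_ISSUER and len(v) == 8), None)
    return sig_body[1], issuer


def minimal_key(data):
    """Keep primary key, UIDs and 0x13 self-certs; drop subkeys, binding sigs
    and third-party certifications. Returns (primary key ID, kept packets)."""
    pkts = parse_packets(data)
    if not pkts or pkts[0][0] != TAG_PUBKEY:
        raise ValueError("stream does not start with a public-key packet")
    primary_id, kept = v4_key_id(pkts[0][1]), [pkts[0]]
    for tag, body in pkts[1:]:
        if tag == TAG_UID:
            kept.append((tag, body))
        elif tag == TAG_SIG and sig_info(body) == (SIG_POSITIVE_CERT, primary_id):
            kept.append((tag, body))
    return primary_id, kept


def encode_packet(tag, body):
    """Old-format header with a 2-byte length (fine for key-sized packets)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def mpi(n):
    """OpenPGP multi-precision integer: 2-byte bit count + big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def fake_v4_key(algo, seed):
    """Constructed v4 key packet body: DSA (17) gets p,q,g,y; RSA (1) gets n,e. Toy values."""
    body = b"\x04" + struct.pack(">I", 1423000000) + bytes([algo])
    return body + b"".join(mpi(seed + 1000 * k) for k in range(4 if algo == 17 else 2))


def fake_sig(sig_type, pk_algo, issuer_id):
    """Constructed v4 signature body with one hashed issuer subpacket and dummy MPIs."""
    hashed = bytes([9, SUBPKT_ISSUER]) + issuer_id
    body = b"\x04" + bytes([sig_type, pk_algo, 2]) + struct.pack(">H", len(hashed)) + hashed
    return body + struct.pack(">H", 0) + b"\x12\x34" + mpi(0xDEAD) + (mpi(0xBEEF) if pk_algo == 17 else b"")


def build_sample():
    """Constructed key shaped like the one in the thread: DSA primary, UID, DSA
    self-cert, an RSA third-party cert, an RSA subkey and its binding signature."""
    dsa, rsa = fake_v4_key(17, 0x123456789ABCDEF0), fake_v4_key(1, 0x0FEDCBA987654321)
    pkts = [(TAG_PUBKEY, dsa),
            (TAG_UID, b"Constructed Key <key@example.invalid>"),
            (TAG_SIG, fake_sig(SIG_POSITIVE_CERT, 17, v4_key_id(dsa))),   # keep
            (TAG_SIG, fake_sig(SIG_POSITIVE_CERT, 1, v4_key_id(rsa))),    # drop
            (TAG_PUBSUBKEY, rsa),                                          # drop
            (TAG_SIG, fake_sig(0x18, 17, v4_key_id(dsa)))]                 # drop
    return b"".join(encode_packet(t, b) for t, b in pkts)


if __name__ == "__main__":
    stream = build_sample()
    key_id, kept = minimal_key(stream)
    print("primary key id %s, kept tags %s" % (key_id.hex().upper(), [t for t, _ in kept]))
    open("minimal.pgp", "wb").write(b"".join(encode_packet(t, b) for t, b in kept))
```

For a real key, feed it the binary output of `gpg --export <keyid>`, import the resulting `minimal.pgp` into a scratch keyring (`gpg --no-default-keyring --keyring ./scratch.gpg --import minimal.pgp`), then `gpg --armor --export` from that keyring for `rpm --import`. Comparing `[t for t, _ in parse_packets(stream)]` before and after is a quick way to confirm which packets the rpmdb was being asked to handle.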