Re: Koji payload hash?
On Mon, Oct 31, 2016 at 12:01 PM Panu Matilainen wrote:

> On 10/31/2016 05:17 PM, Florian Weimer wrote:
> > On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
> >> On Thu, 20 Oct 2016 16:42:02 +
> >> Christopher wrote:
> >>
> >>> What is the "Payload Hash" in koji?
> >>> It looks like an MD5, but of what? It's not the rpm... I've checked.
> >>> Should koji be providing verification hashes for manual downloads of
> >>> built RPMs? I think this would be useful for testing.
> >>>
> >>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
> >>
> >> I'm not sure either. I think it's the internal payload before adding
> >> the signatures, etc?
> >
> > It's the RPM_SIGTAG_MD5 RPM header:
> >
> > SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> >     003e0007ffa00010
> > SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> >     "bbc33a4f6670d31817cd571de632f3190a72e1bf"
> > SIGNATURE:SIGTAG_SIZE (INT32): 103674
> > SIGNATURE:SIGTAG_MD5 (BIN):
> >     cdf775308f76e659385444b50ee26a7a
> > SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
> >
> > I'm not completely sure over which part of the RPM it is computed. I
> > suspect over the non-signature header followed by the decompressed
> > payload.
>
> All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the
> (non-signature) header + compressed payload. Only the individual file
> digests are on uncompressed data.
>
> - Panu -

Thanks. This was explained on https://pagure.io/koji/issue/190 with instructions on how to verify.

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Re: Koji payload hash?
On 10/31/2016 05:17 PM, Florian Weimer wrote:

> On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
>> On Thu, 20 Oct 2016 16:42:02 +
>> Christopher wrote:
>>
>>> What is the "Payload Hash" in koji?
>>> It looks like an MD5, but of what? It's not the rpm... I've checked.
>>> Should koji be providing verification hashes for manual downloads of
>>> built RPMs? I think this would be useful for testing.
>>>
>>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
>>
>> I'm not sure either. I think it's the internal payload before adding
>> the signatures, etc?
>
> It's the RPM_SIGTAG_MD5 RPM header:
>
> SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
>     003e0007ffa00010
> SIGNATURE:SIGTAG_SHA1HEADER (STRING):
>     "bbc33a4f6670d31817cd571de632f3190a72e1bf"
> SIGNATURE:SIGTAG_SIZE (INT32): 103674
> SIGNATURE:SIGTAG_MD5 (BIN):
>     cdf775308f76e659385444b50ee26a7a
> SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
>
> I'm not completely sure over which part of the RPM it is computed. I
> suspect over the non-signature header followed by the decompressed
> payload.

All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the (non-signature) header + compressed payload. Only the individual file digests are on uncompressed data.

- Panu -
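An added example, not part of the original thread and not koji or rpm code: a minimal check of the statement above that SIGTAG_MD5 covers the (non-signature) header plus the compressed payload, that is, every byte after the padded signature header. The function names are assumptions of this example, and `build_sample` / `SAMPLE` are a constructed stand-in for a real package file.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version
RPMSIGTAG_MD5 = 1004                # printed as SIGTAG_MD5 in the dump above

def sigtag_md5_and_rest(rpm: bytes):
    """Return (stored MD5 bytes or None, all bytes after the signature header)."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    pos = LEAD_SIZE
    if rpm[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    # 4 magic bytes, 4 reserved bytes, then entry count and data size (big-endian)
    nindex, dsize = struct.unpack(">II", rpm[pos + 8:pos + 16])
    index_start = pos + 16
    data_start = index_start + 16 * nindex
    stored = None
    for i in range(nindex):
        tag, _type, off, count = struct.unpack_from(">IIII", rpm, index_start + 16 * i)
        if tag == RPMSIGTAG_MD5:
            stored = rpm[data_start + off:data_start + off + count]
    end = data_start + dsize
    end += -end % 8                 # signature header is padded to 8 bytes
    return stored, rpm[end:]

def verify_md5(rpm: bytes) -> bool:
    """True when SIGTAG_MD5 matches MD5(main header + compressed payload)."""
    stored, rest = sigtag_md5_and_rest(rpm)
    return stored is not None and hashlib.md5(rest).digest() == stored

def build_sample(rest: bytes) -> bytes:
    """Constructed file: lead + one-entry signature header + 'rest'."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    digest = hashlib.md5(rest).digest()
    index = struct.pack(">IIII", RPMSIGTAG_MD5, 7, 0, len(digest))  # type 7 = BIN
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(digest)) + index + digest
    return lead + sig + bytes(-len(sig) % 8) + rest

# Constructed sample, not a real package.
SAMPLE = build_sample(HEADER_MAGIC + b"constructed main header + compressed payload")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("SIGTAG_MD5 matches:", verify_md5(data))
```

Because the digest excludes the lead and the signature header, it differs from `md5sum` of the whole `.rpm` file.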
Re: Koji payload hash?
On 10/21/2016 05:34 PM, Kevin Fenzi wrote:

> On Thu, 20 Oct 2016 16:42:02 +
> Christopher wrote:
>
>> What is the "Payload Hash" in koji?
>> It looks like an MD5, but of what? It's not the rpm... I've checked.
>> Should koji be providing verification hashes for manual downloads of
>> built RPMs? I think this would be useful for testing.
>>
>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
>
> I'm not sure either. I think it's the internal payload before adding
> the signatures, etc?

It's the RPM_SIGTAG_MD5 RPM header:

SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
    003e0007ffa00010
SIGNATURE:SIGTAG_SHA1HEADER (STRING):
    "bbc33a4f6670d31817cd571de632f3190a72e1bf"
SIGNATURE:SIGTAG_SIZE (INT32): 103674
SIGNATURE:SIGTAG_MD5 (BIN):
    cdf775308f76e659385444b50ee26a7a
SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760

I'm not completely sure over which part of the RPM it is computed. I suspect over the non-signature header followed by the decompressed payload.

Florian
Re: Koji payload hash?
On Thu, 20 Oct 2016 16:42:02 +
Christopher wrote:

> What is the "Payload Hash" in koji?
> It looks like an MD5, but of what? It's not the rpm... I've checked.
> Should koji be providing verification hashes for manual downloads of
> built RPMs? I think this would be useful for testing.
>
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409

I'm not sure either. I think it's the internal payload before adding the signatures, etc?

In any case if you want a change in koji behavior, best to ask that upstream: https://pagure.io/koji/issues

kevin
Koji payload hash?
What is the "Payload Hash" in koji?
It looks like an MD5, but of what? It's not the rpm... I've checked.
Should koji be providing verification hashes for manual downloads of built RPMs? I think this would be useful for testing.

http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409