Hi Mark,
Thanks for the quick reply. I'm cc'ing the Apache users list for
the benefit of others.

On 7/12/06, Apache Security Response Team <[EMAIL PROTECTED]> wrote:
Dear Kim Leng Goh:

This is actually a known problem with rpm signature checking.  rpm will
not correctly validate a key where the public key contains signatures.
Therefore you cannot simply rpm --import the httpd KEYS file (or even an
extraction of one key from it).

If you want to import a public key into rpm you need to import a clean
version without signatures.  If this is not provided (as in this case)
then you can only use "rpm --checksig -vv" which will validate the
signature and show you the key used to sign.  Alternatively, upstream
versions of rpm since 4.4.2 are known to fix this issue (unverified).

For gory details see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952

Thank you, Mark
--
Mark J Cox
Apache Software Foundation

On Wed, 12 Jul 2006, Kim Leng Goh wrote:

> Hi,
>   I'm forwarding my email to the security mailing list as this appears
> to be a security issue. Apologies if this is the wrong place.
>
>
> ---------- Forwarded message ----------
> [...]
> Date: Jul 7, 2006 3:02 PM
> Subject: Problem checking signature of httpd, apr, apr-util rpms
> To: users@httpd.apache.org
> Cc: [EMAIL PROTECTED], dev@apr.apache.org
>
>
> Hi all,
>
>   I encountered some problems with the KEYS at
> http://www.apache.org/dist/httpd/KEYS and
> http://www.apache.org/dist/apr/KEYS with the "rpm --checksig" or "rpm
> -K" command on some of the rpms such as
> http://www.apache.org/dist/httpd/binaries/rpm/SRPMS/httpd-2.0.58-1.src.rpm,
> http://www.apache.org/dist/apr/binaries/rpm/SRPMS/apr-0.9.12-1.src.rpm,
> http://www.apache.org/dist/apr/binaries/rpm/i386/apr-1.2.7-1.i386.rpm
>
> Without importing any public key, I get "NOKEY":
>
> # rpm -K -v httpd-2.0.58-1.src.rpm
> httpd-2.0.58-1.src.rpm:
>     Header V3 DSA signature: NOKEY, key ID 751d7f27
>     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
>     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
>     V3 DSA signature: NOKEY, key ID 751d7f27
>
>
> Using http://www.apache.org/dist/apr/KEYS, I extracted lines 513 to
> 712 of the file into another file "KEYS.2":
>
> # head -712 KEYS|tail -200 > KEYS.2
>
> # rpm --import KEYS.2
>
> # rpm -qa|grep gpg
> ...
> gpg-pubkey-751d7f27-3ddd0dfa
> ...
>
>
> and I get "BAD":
>
> # rpm -K -v httpd-2.0.58-1.src.rpm
> httpd-2.0.58-1.src.rpm:
>     Header V3 DSA signature: BAD, key ID 751d7f27
>     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
>     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
>     V3 DSA signature: BAD, key ID 751d7f27
>
>
> If I use the key from
> http://pgp.mit.edu:11371/pks/lookup?search=0x751D7F27&op=index
> (e.g. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x751D7F27), I
> get f88341d9 as the key ID. Apparently, f88341d9 should belong to Lars
> Eilebrecht.
>
> # rpm --import KEYS.3
> # rpm -qa|grep gpg
> ...
> gpg-pubkey-f88341d9-3ddd3c97
> ...
> gpg-pubkey-751d7f27-3ddd0dfa
>
> Regards,
> KL
>
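Mark's advice above amounts to: run the signature check, read the status and the key ID it reports, and only accept a package whose signature is OK and made by a key you expected from the KEYS file. The following Python is an added example (not from the thread or from rpm) that automates that decision over `rpm -K -v` output; the sample output is copied from KL's message, the OK variant is constructed, and the expected key IDs are whatever you read out of KEYS.

```python
import re

# Output of "rpm -K -v httpd-2.0.58-1.src.rpm" as posted in the thread (no key imported).
SAMPLE_NOKEY = """httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: NOKEY, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: NOKEY, key ID 751d7f27
"""
# Constructed: the same package as it would look once the signature verifies.
SAMPLE_OK = SAMPLE_NOKEY.replace("NOKEY", "OK")

# Indented check lines: "<check>: <STATUS>[, key ID <hex>]" (digest lines carry no key ID).
LINE_RE = re.compile(
    r"^\s+(?P<check>.+?):\s+(?P<status>[A-Za-z]+)(?:,\s+key ID\s+(?P<keyid>[0-9A-Fa-f]+))?"
)


def parse_checksig(output):
    """Return a list of (check name, STATUS, key id or '') tuples from rpm -K -v output."""
    results = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group("check"), m.group("status").upper(),
                            (m.group("keyid") or "").lower()))
    return results


def verify_package(output, expected_keyids):
    """Accept only if every check is OK and every signature was made by an expected key.

    expected_keyids: short key IDs as rpm prints them (e.g. taken from the KEYS file).
    Returns (passed, list_of_reasons); NOKEY and BAD both fail, as does an unknown signer.
    """
    expected = {k.lower() for k in expected_keyids}
    checks = parse_checksig(output)
    if not checks:
        return False, ["no checks parsed from rpm output"]
    reasons = []
    if not any("signature" in c[0].lower() for c in checks):
        reasons.append("package carries no signature lines")
    for check, status, keyid in checks:
        if status != "OK":
            reasons.append(f"{check}: {status}")
        if "signature" in check.lower() and keyid not in expected:
            reasons.append(f"{check}: unexpected key ID {keyid or '?'}")
    return (not reasons), reasons
```

Because the key ID is printed even for NOKEY, the same parser lets you confirm which key from KEYS you need to compare against before trusting anything.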

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.