On Mon, Oct 31, 2016 at 12:01 PM Panu Matilainen <pmatilai@xxxxxxxxxxxxxxx> wrote:
On 10/31/2016 05:17 PM, Florian Weimer wrote:
> On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
>> On Thu, 20 Oct 2016 16:42:02 +0000
>> Christopher <ctubbsii@xxxxxxxxxxxxxxxxx> wrote:
>>
>>> What is the "Payload Hash" in koji?
>>> It looks like an MD5, but of what? It's not the rpm... I've checked.
>>> Should koji be providing verification hashes for manual downloads of
>>> built RPMs? I think this would be useful for testing.
>>>
>>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
>>
>> I'm not sure either. I think it's the internal payload before adding
>> the signatures, etc?
>
> It's the RPM_SIGTAG_MD5 RPM header:
>
> SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> 0000003e00000007ffffffa000000010
> SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> "bbc33a4f6670d31817cd571de632f3190a72e1bf"
> SIGNATURE:SIGTAG_SIZE (INT32): 103674
> SIGNATURE:SIGTAG_MD5 (BIN):
> cdf775308f76e659385444b50ee26a7a
> SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
>
> I'm not completely sure over which part of the RPM it is computed. I
> suspect over the non-signature header followed by the decompressed payload.
All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the
(non-signature) header + compressed payload. Only the individual file
digests are on uncompressed data.
- Panu -
Thanks. This was explained on https://pagure.io/koji/issue/190 with instructions on how to verify.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx