On 1/21/21 10:04 PM, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jan 21, 2021 at 12:43:35PM +0100, Fabio Valentini wrote:
On Thu, Jan 21, 2021 at 12:39 PM Panu Matilainen <pmatilai@xxxxxxxxxx> wrote:
On 1/21/21 1:27 PM, Fabio Valentini wrote:
On Thu, Jan 21, 2021 at 12:22 PM Panu Matilainen <pmatilai@xxxxxxxxxx> wrote:
On 1/21/21 9:56 AM, Florian Weimer wrote:
With rpm-4.15.1-3.fc32.1.x86_64, I get this error:
$ rpm -qip https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/m/ModemManager-debugsource-1.14.10-1.fc34.aarch64.rpm
error: /var/tmp/rpm-tmp.6iU66n: signature hdr data: BAD, no. of bytes(88084) out of range
error: https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/m/ModemManager-debugsource-1.14.10-1.fc34.aarch64.rpm: not an rpm package (or package manifest)
Is this expected?
Certainly not.
It seems that rpm-4.16.1.2-1.fc33.x86_64 can parse the RPM just fine.
But rpm-4.14.3-4.el8.x86_64 does not like it, either.
Based on a quick random sampling, this would appear to be a very recent
thing, the only affected packages I could find (which doesn't mean
others couldn't exist) were built in the last few days, such as the
above and these:
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/n/net-snmp-debugsource-5.9-4.fc34.aarch64.rpm
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/aarch64/debug/tree/Packages/n/NetworkManager-debugsource-1.30.0-0.2.fc34.aarch64.rpm
...which were all built on Jan 18th. The only recent change to rpm is
the DWARF-5 support but based on changelogs that seems to have landed
the day after, so I dunno.
(snip)
Is it possible that this was triggered by switching on signed RPM contents?
If I understand the implementation correctly, it messes with the RPM headers.
Oh, I wasn't aware the file signing proposal had been approved, much
less enabled. I thought I raised "some objections" on the enablement of
the feature from rpm maintainer perspective.
It has *not* been approved (yet). Which is why I grumbled about
enabling the signing in production infra during yesterday's FESCo
meeting.
Oh, I didn't fully understand your comment at the time. I automatically assumed
that "enabled in production" only means that the *code* is there, i.e. that
the version of rpm has been updated in preparation.
Just to set the record straight, despite reading that way in places,
this change has not produced any code or patches on rpm side. Rpm has
supported IMA file signatures since 2015, but I'm not aware of any wide
use attempts before this. The original code placed the file signatures
in the main header, which was bad because this changed what is
considered the immutable header section and invalidated any pre-existing
signatures and digests. The file signatures were moved to the signature
header in rpm 4.15, but we forgot to bump the size limit; that was only
discovered and done last year for 4.16.
- Panu -
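To make the "no. of bytes(88084) out of range" failure concrete, here is an added example (editor's own C, not rpm's code): it parses the 16-byte intro of an RPM signature header and applies the index-count/data-length sanity check that older rpm versions fail on when a large IMA signature blob sits in the signature header. The limits 32/8192 and 64 MiB are hypothetical placeholders, since the thread does not give the real pre- and post-4.16 values; dl = 88084 is from the error above and il = 4 is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header intro layout: 3-byte magic, 1-byte version, 4 reserved bytes, then
 * index-entry count (il) and data length (dl), both big-endian 32-bit.
 * Each of the il index entries that follow the intro is 16 bytes. */
#define HDR_INTRO_LEN 16
#define HDR_INDEX_ENTRY_LEN 16
static const uint8_t HDR_MAGIC[4] = { 0x8e, 0xad, 0xe8, 0x01 };
enum hdr_status { HDR_OK = 0, HDR_BAD_MAGIC, HDR_BAD_TAGS, HDR_BAD_DATA };

uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check an intro against caller-supplied limits (the knob that differs
 * between rpm releases). On success *need (may be NULL) receives the
 * number of bytes still required for the index entries plus the data blob. */
enum hdr_status hdr_intro_check(const uint8_t *buf, size_t len,
                                uint32_t il_max, uint32_t dl_max, uint64_t *need)
{
    if (len < HDR_INTRO_LEN || memcmp(buf, HDR_MAGIC, sizeof HDR_MAGIC) != 0)
        return HDR_BAD_MAGIC;
    uint32_t il = be32(buf + 8), dl = be32(buf + 12);
    if (il > il_max) return HDR_BAD_TAGS;  /* "no. of tags(%d) out of range" */
    if (dl > dl_max) return HDR_BAD_DATA;  /* "no. of bytes(%d) out of range" */
    if (need) *need = (uint64_t)il * HDR_INDEX_ENTRY_LEN + dl;  /* 64-bit: no wrap */
    return HDR_OK;
}

/* Constructed intro: dl = 88084 as in the thread's error; il = 4 is made up. */
const uint8_t sample_intro[HDR_INTRO_LEN] = {
    0x8e, 0xad, 0xe8, 0x01,  0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x04,            /* il = 4 */
    0x00, 0x01, 0x58, 0x14             /* dl = 88084 */
};

int main(void)
{
    uint64_t need = 0;
    /* 8192 is a hypothetical pre-4.16 limit, 64 MiB a hypothetical raised one. */
    if (hdr_intro_check(sample_intro, sizeof sample_intro, 32, 8192, NULL) == HDR_BAD_DATA)
        printf("signature hdr data: BAD, no. of bytes(%u) out of range\n", be32(sample_intro + 12));
    if (hdr_intro_check(sample_intro, sizeof sample_intro, 32, 64u << 20, &need) == HDR_OK)
        printf("accepted: %llu more bytes to read\n", (unsigned long long)need);
    return 0;
}
```

The same intro is rejected under the small limit and accepted under the larger one, which is exactly the version-dependent behaviour reported in the thread.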
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx