View Issue Details

ID: 0018058
Project: CentOS-7
Category: -OTHER
View Status: public
Last Update: 2021-02-15 13:18
Reporter: pjwelsh
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 7.9.2009
Summary: 0018058: altarch LTS 5.4 Kernel repo x86_64 perl-generators and perl-interpreter "--checksig" fail?
Description: Due to past package corruption issues on systems, I include an "rpm --checksig" for all packages. Recently, the centos-kernel/x86_64/Packages/{perl-generators-1.08-6.el7.noarch.rpm,perl-interpreter-5.16.3-6.el7.noarch.rpm} have been failing the check and my reposync fails as a result.

So, downloading the files (from 2018) directly from http://mirror.centos.org/centos/7/updat ... /Packages/ produces the same failed key/"digests SIGNATURES NOT OK"/"NOKEY" results:
$ rpm --checksig perl-generators-1.08-6.el7.noarch.rpm
perl-generators-1.08-6.el7.noarch.rpm: digests SIGNATURES NOT OK

$ rpm --checksig perl-interpreter-5.16.3-6.el7.noarch.rpm
perl-interpreter-5.16.3-6.el7.noarch.rpm: digests SIGNATURES NOT OK

$ rpm -v --checksig perl-interpreter-5.16.3-6.el7.noarch.rpm
perl-interpreter-5.16.3-6.el7.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    MD5 digest: OK

$ rpm -v --checksig perl-generators-1.08-6.el7.noarch.rpm
perl-generators-1.08-6.el7.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    MD5 digest: OK

$ rpm -qf /etc/yum.repos.d/CentOS-x86_64-kernel.repo
centos-release-7-9.2009.1.el7.centos.x86_64

No other files seem affected at this point.
Any idea what's going on?
Steps To Reproduce: Visit http://mirror.centos.org/altarch/7/kernel/x86_64/Packages/ and grab perl-generators-1.08-6.el7.noarch.rpm and perl-interpreter-5.16.3-6.el7.noarch.rpm (http://mirror.centos.org/altarch/7/kernel/x86_64/Packages/perl-generators-1.08-6.el7.noarch.rpm and http://mirror.centos.org/altarch/7/kernel/x86_64/Packages/perl-interpreter-5.16.3-6.el7.noarch.rpm)

rpm --checksig perl-generators-1.08-6.el7.noarch.rpm
rpm --checksig perl-interpreter-5.16.3-6.el7.noarch.rpm

Both produce "digests SIGNATURES NOT OK"
Tags: No tags attached.
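The verbose output in the report shows both digests as OK and only the signature lines as NOKEY, which is a different condition from the package corruption the check was meant to catch. The following is an added example, not part of the original report: a parser for `rpm -v --checksig` output that separates the two cases, so a mirroring job can report a missing key ID instead of a corrupt file. The function name, verdict labels and the second sample package are assumptions made for illustration.

```python
import re

# One result line of `rpm -v --checksig`:
#   "<name> Signature|digest[, key ID <id>]: RESULT"
ITEM = re.compile(r"^\s+.*?(?P<kind>Signature|digest)"
                  r"(?:, key ID (?P<key>[0-9a-f]+))?: (?P<res>[A-Z]+)")

def classify(verbose_output):
    """Give each package a verdict: ok, unverified-signature or corrupt."""
    verdicts, pkg = {}, None
    for line in verbose_output.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg = line[:-1]                      # "name.rpm:" starts a package
            verdicts[pkg] = {"verdict": "ok", "missing_keys": set()}
            continue
        m = ITEM.match(line)
        if m is None or pkg is None:
            continue
        entry, res = verdicts[pkg], m["res"]
        if res == "OK":
            continue
        if m["kind"] == "Signature" and res in ("NOKEY", "NOTTRUSTED"):
            # The signature could not be checked: the public key is absent
            # from (or untrusted in) the rpm keyring. Digests may still be OK.
            if m["key"]:
                entry["missing_keys"].add(m["key"])
            if entry["verdict"] == "ok":
                entry["verdict"] = "unverified-signature"
        else:
            # Anything else (failed digest, BAD signature, unknown result)
            # is treated as corruption.
            entry["verdict"] = "corrupt"
    return verdicts

# Constructed sample: the first package is the output quoted in the report,
# the second is a made-up package with a failed digest for contrast.
SAMPLE = """\
perl-interpreter-5.16.3-6.el7.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 62505fe6: NOKEY
    MD5 digest: OK
example-1.0-1.el7.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: BAD
"""

if __name__ == "__main__":
    for name, entry in classify(SAMPLE).items():
        print(name, entry["verdict"], sorted(entry["missing_keys"]))
```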

Activities

JohnnyHughes (administrator) 2021-02-10 17:53 ~0038239

This is likely an altarch key issue .. let me see what key this version is signed with.

pjwelsh (reporter) 2021-02-14 14:52 ~0038245

Any word on this "key" issue for these RPMs? Thank You.

pjwelsh (reporter) 2021-02-15 13:18 ~0038247

This may not be related, but I've also been having issues with a couple of other packages recently. I've been noticing that a very recent set of updates to flatpak* have triggered some odd behavior with my reposync (from my log file):
(1/4): flatpak-devel-1.0.9 0% [ ] 0.0 B/s | 0 B --:-- ETA ^M^Mflatpak-1.0.9-10.el7_9.x86_64. FAILED
(1/4): flatpak-builder-1.0 0% [ ] 0.0 B/s | 0 B --:-- ETA ^M^Mflatpak-builder-1.0.0-10.el7_9 FAILED
(1/4): flatpak-builder-1.0 0% [ ] 0.0 B/s | 0 B --:-- ETA ^M^Mflatpak-libs-1.0.9-10.el7_9.x8 FAILED
(1/4): flatpak-libs-1.0.9- 0% [ ] 0.0 B/s | 0 B --:-- ETA ^M^Mflatpak-1.0.9-10.el7_9.x86_64. FAILED
(1/4): flatpak-devel-1.0.9 0% [ ] 0.0 B/s | 0 B --:-- ETA ^M^Mflatpak-builder-1.0.0-10.el7_9 FAILED
...

When checking what was going on, I started with checking all of the signatures and they all pass:
# rpm --checksig flatpak-*
flatpak-1.0.9-10.el7_9.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
flatpak-builder-1.0.0-10.el7_9.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
flatpak-devel-1.0.9-10.el7_9.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
flatpak-libs-1.0.9-10.el7_9.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

However, on another system with this issue (all had it) I removed the flatpak files and *successfully* ran the reposync again. I was *very surprised* to see the same file names but flatpak-1.0.9-10.el7_9.x86_64.rpm was not a different *size* between the systems:
[root@AAA Packages]# ll flatpak-*
-rw-r--r-- 2 root root 980556 Feb 5 09:57 flatpak-1.0.9-10.el7_9.x86_64.rpm

[root@BBB Packages]# ll flatpak-*
-rw-r--r-- 2 root root 980548 Feb 8 13:32 flatpak-1.0.9-10.el7_9.x86_64.rpm

BUT they both check out with signature with the same name:
[root@AAA Packages]# rpm -v --checksig flatpak-1.0.9-10.el7_9.x86_64.rpm
flatpak-1.0.9-10.el7_9.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID f4a80eb5: OK
    Header SHA1 digest: OK (16c93d51701eebcf36b0d501e9601b1a3887249f)
    V3 RSA/SHA256 Signature, key ID f4a80eb5: OK
    MD5 digest: OK (6dc80874fbe2aa6650b180e6d28960f2)

[root@BBB Packages]# rpm -v --checksig flatpak-1.0.9-10.el7_9.x86_64.rpm
flatpak-1.0.9-10.el7_9.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID f4a80eb5: OK
    Header SHA1 digest: OK (16c93d51701eebcf36b0d501e9601b1a3887249f)
    V3 RSA/SHA256 Signature, key ID f4a80eb5: OK
    MD5 digest: OK (6dc80874fbe2aa6650b180e6d28960f2)

But they are *NOT* the same !!???
[root@AAA Packages]# md5sum flatpak-1.0.9-10.el7_9.x86_64.rpm
e26948e512b040ac08dfc6dea1fe3534 flatpak-1.0.9-10.el7_9.x86_64.rpm

[root@BBB Packages]# md5sum flatpak-1.0.9-10.el7_9.x86_64.rpm
1ebad9329ac01436f42d75413bbc1366 flatpak-1.0.9-10.el7_9.x86_64.rpm

And looking at the package info, the signature date is different:
AAA = Signature : RSA/SHA256, Fri 05 Feb 2021 09:57:11 AM CST, Key ID 24c6a8a7f4a80eb5
BBB = Signature : RSA/SHA256, Mon 08 Feb 2021 01:32:32 PM CST, Key ID 24c6a8a7f4a80eb5
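The header SHA1 and MD5 digests that rpm prints above cover the main header and payload, not the signature header that precedes them, so two files can agree on both digests and still differ in `md5sum` and size when only the signature header differs. The following is an added example, not part of the original note: it splits an RPM at the end of its signature header and compares the two copies both ways. The sample inputs are constructed byte strings with RPM framing but no real package content, and all function names are assumptions.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # start of the 96-byte RPM lead
HDR_MAGIC = b"\x8e\xad\xe8\x01"     # start of a header structure
LEAD_LEN = 96

def split_rpm(data):
    """Split RPM bytes into (signature header, main header + payload)."""
    if data[:4] != LEAD_MAGIC or data[LEAD_LEN:LEAD_LEN + 4] != HDR_MAGIC:
        raise ValueError("not an RPM package")
    # After magic and 4 reserved bytes: index entry count, data store size.
    nindex, hsize = struct.unpack(">II", data[LEAD_LEN + 8:LEAD_LEN + 16])
    end = LEAD_LEN + 16 + 16 * nindex + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if end > len(data):
        raise ValueError("truncated signature header")
    return data[LEAD_LEN:end], data[end:]

def compare(a, b):
    """Compare two RPM byte strings as whole files and without signatures."""
    (sig_a, rest_a), (sig_b, rest_b) = split_rpm(a), split_rpm(b)
    md5 = lambda d: hashlib.md5(d).hexdigest()
    return {
        "file_md5_equal": md5(a) == md5(b),
        "content_md5_equal": md5(rest_a) == md5(rest_b),
        "sig_len_delta": len(sig_a) - len(sig_b),
    }

def fake_rpm(sig_blob, body):
    """Constructed stand-in for an RPM: real framing, meaningless content."""
    index = struct.pack(">IIII", 1, 7, 0, len(sig_blob))  # arbitrary tag, BIN
    sig = HDR_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig_blob))
    sig += index + sig_blob
    sig += bytes(-len(sig) % 8)
    return LEAD_MAGIC + bytes(LEAD_LEN - 4) + sig + body

BODY = HDR_MAGIC + b"constructed main header and payload"
SAMPLE_A = fake_rpm(b"A" * 520, BODY)   # constructed: first signature
SAMPLE_B = fake_rpm(b"B" * 512, BODY)   # constructed: signature 8 bytes shorter

if __name__ == "__main__":
    print(compare(SAMPLE_A, SAMPLE_B))
```

On real files, read each package with `open(path, "rb").read()` and pass the bytes to `compare`.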

Issue History

Date Modified Username Field Change
2021-02-10 15:41 pjwelsh New Issue
2021-02-10 17:37 toracat Status new => assigned
2021-02-10 17:53 JohnnyHughes Note Added: 0038239
2021-02-14 14:52 pjwelsh Note Added: 0038245
2021-02-15 13:18 pjwelsh Note Added: 0038247