[opensuse-buildservice] RedHat 7 rpms signed with OBS signer do not install
Greetings:

When using the OBS signing service, we observe errors during rpm installation in Redhat 7 x86_64 builds, related to keys in the rpm headers. For example, after we build and sign the perl-Authen-NTLM rpm, we see this in a downstream project that attempts to install it:

  installing perl-Authen-NTLM-1.02-1.3 error: .init_b_cache/perl-Authen-NTLM.rpm: rpmReadSignature failed: sigh load: BAD

Research on rpmReadSignature errors reveals rpm header corruption as the root cause.

From https://bugzilla.redhat.com/show_bug.cgi?id=822255, detailing rpm read errors:

  Those mono packages have a slightly malformed signature header, which rpm prior to the recent security fixes didn't notice. The exact issue is that the signature header of those packages contain alignment for data types which are not supposed to be aligned, causing the expected vs calculated size to mismatch.

Is there an openSUSE Build Service fix available (or planned) for the signer service? If not, is there a workaround available that allows us to turn off signing for selected projects and operating system configurations?

Thanks.

Jeff Glanz
Dell | PG Release Engineering Team
office + 1 512 724 9509

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
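The condition described in the bug report quoted above (padding inserted for a data type that is not aligned, so the declared data size no longer matches the size calculated from the index entries) can be checked on a signed package before it is published. This is an added example, not part of the original thread and not code from rpm or obs-signd: a simplified layout check in which `check_header`, `entry_length`, `build` and the two sample headers are hypothetical names and constructed data. In an .rpm file the signature header starts at byte 96, after the lead.

```python
import struct

HDR_MAGIC = b"\x8e\xad\xe8\x01"
ALIGN = {3: 2, 4: 4, 5: 8}                    # INT16, INT32, INT64; other types are unaligned
FIXED = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # CHAR, INT8, INT16, INT32, INT64, BIN

def entry_length(data, typ, off, cnt):
    """Byte length of one entry's data; None for an unknown type or unterminated string."""
    if typ in FIXED:
        return FIXED[typ] * cnt
    if typ not in (6, 8, 9):                  # STRING, STRING_ARRAY, I18NSTRING
        return None
    pos = off
    for _ in range(cnt):                      # every string ends in a NUL byte
        nul = data.find(b"\0", pos)
        if nul < 0:
            return None
        pos = nul + 1
    return pos - off

def check_header(blob):
    """Return layout problems for one RPM header structure (empty list = consistent)."""
    if blob[:4] != HDR_MAGIC:
        return ["bad header magic"]
    il, dl = struct.unpack(">II", blob[8:16])  # index entry count, declared data size
    data = blob[16 + 16 * il:16 + 16 * il + dl]
    if len(data) != dl:
        return ["data store truncated"]
    index = [struct.unpack(">IIII", blob[16 + 16 * i:32 + 16 * i]) for i in range(il)]
    problems, calc = [], 0
    for tag, typ, off, cnt in sorted(index, key=lambda e: e[2]):
        align = ALIGN.get(typ, 1)
        expected = (calc + align - 1) // align * align
        if off != expected:
            problems.append(f"tag {tag}: data at offset {off}, expected {expected}")
        length = entry_length(data, typ, off, cnt)
        if length is None or off + length > dl:
            return problems + [f"tag {tag}: bad type or data out of bounds"]
        calc = expected + length
    if calc != dl:
        problems.append(f"calculated data size {calc} != declared {dl}")
    return problems

# Constructed samples (tags and payload bytes made up), packed from (tag, type, offset, count) tuples.
def build(entries, data):
    index = b"".join(struct.pack(">IIII", *e) for e in entries)
    return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

GOOD = build([(1002, 7, 0, 3), (1004, 7, 3, 2)], b"sig" + b"md")
BAD = build([(1002, 7, 0, 3), (1004, 7, 4, 2)], b"sig\0" + b"md")  # BIN padded to 4 bytes
```

To check a real package, pass the bytes from offset 96 onward, for example `check_header(open(path, "rb").read()[96:])`.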
On Fri, Oct 25, 2013 at 02:26:43PM +0000, Jeff_Glanz@Dell.com wrote:
> When using the OBS signing service, we observe errors during rpm installation in Redhat 7 x86_64 builds, related to keys in the rpm headers.
> For example, after we build and sign the perl-Authen-NTLM rpm, we see this in a downstream project that attempts to install it:
> installing perl-Authen-NTLM-1.02-1.3 error: .init_b_cache/perl-Authen-NTLM.rpm: rpmReadSignature failed: sigh load: BAD
> Research on rpmReadSignature errors reveals rpm header corruption as the root cause.

Maybe you're using an old version of "obs-signd", we fixed a bug in late 2011 that caused corrupted headers in some cases. If that's not the issue you'll have to send me the corrupt rpm and I'll try to figure out what went wrong.

Cheers,
  Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Michael:

We are using this version of signd, built in 2010.

obs-signd-2.1.2-1.1

Name        : obs-signd                    Relocations: (not relocatable)
Version     : 2.1.2                        Vendor: openSUSE Build Service
Release     : 1.1                          Build Date: Wed Nov 3 22:57:22 2010
Install Date: Fri Apr 29 12:44:47 2011     Build Host: build12
Group       : Productivity/Networking/Web/Utilities
Source RPM  : obs-signd-2.1.2-1.1.src.rpm
Size        : 77799                        License: GPL
Signature   : DSA/SHA1, Wed Nov 3 22:57:32 2010, Key ID 85753aa5eefefde9
URL         : http://en.opensuse.org/Build_Service
Summary     : The sign daemon
Description :
The openSUSE Build Service sign client and daemon.
This daemon can be used to sign anything via gpg, but it speaks with a remote server to avoid the need to host the private key on the same server.

Authors:
--------
    The openSUSE Team <opensuse-buildservice@opensuse.org>
Distribution: openSUSE:Tools / SLE_11_SP1

We'll download the later version and retry. I attached the corrupt rpm for your verification.

Jeff Glanz
Dell | PG Release Engineering Team
office + 1 512 724 9509
We downloaded obs-signd-2.1.5-1.3.x86_64.rpm from: http://download.opensuse.org/repositories/openSUSE:/Tools:/2.3/SLE_11_SP2/x8...

We'll give it a try.

Thanks - Jeff G
Using the 2.3 version of the signd package resolved the issue. Thanks.

Jeff Glanz
Dell | PG Release Engineering Team
office + 1 512 724 9509
Sorry, where redhat7 exists? :)

On Oct 25, 2013, at 22:58, Jeff_Glanz@Dell.com wrote:
> Using the 2.3 version of the signd package resolved the issue. Thanks.
> Jeff Glanz Dell | PG Release Engineering Team office + 1 512 724 9509
participants (3): Jeff_Glanz@Dell.com, Kanstantsin Shautsou, Michael Schroeder