[Rpm-metadata] Createrepo sha1 hash problem

James Antill james at fedoraproject.org
Fri May 21 16:07:13 UTC 2010

On Thu, 2010-05-20 at 15:26 -0700, Joshua Bahnsen wrote:
> When createrepo 0.4.11 caches the SHA1 hash, it appears to store the
> SHA1 hash value in a file that looks like this:
> <filename>-<sha1header>-<filesize>-<mtime>
> Unfortunately this isn't enough... 
> Take for example these 2 files:
> http://msync.centos.org/centos/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
> http://msync.centos.org/centos/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
> All 4 items used to store the hash are exactly the same
> cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm-9d85fb047de144d46c75159cc938b540298d626e-27426-1269710765
> However the actual hash values of these 2 files are in fact different.


> I've traced this back to the GPG signature. You'll see they are signed
> with the same signature, however after removing the signature from
> both files we are left with 2 identical files, meaning the actual
> contents of the RPM are the same. If you dump the RPM header, you'll
> see the only difference is the GPG signature.

 It might be worth fixing this in createrepo, _however_ I'd strongly
recommend not signing the same file twice ... and thus. generating an
extra download for all users/mirrors/etc.

More information about the Rpm-metadata mailing list