[Rpm-metadata] Createrepo sha1 hash problem
Joshua Bahnsen
archrival at gmail.com
Thu May 20 22:26:57 UTC 2010
When createrepo 0.4.11 caches the SHA1 hash, it appears to store the SHA1
hash value in a file that looks like this:
<filename>-<sha1header>-<filesize>-<mtime>
Unfortunately this isn't enough...
Take for example these 2 files:
http://msync.centos.org/centos/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
http://msync.centos.org/centos/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
All 4 items used to store the hash are exactly the same:
cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm-9d85fb047de144d46c75159cc938b540298d626e-27426-1269710765
However, the actual hash values of these 2 files are in fact different.
$ sha1sum /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
c638101c869c17cdf0b2e67cec757c8d09aa6685  /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
$ sha1sum /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
2b864de592354ec88394f064378c05f951d40ecc  /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
I've traced this back to the GPG signature. You'll see they are signed with
the same key; however, after removing the signature from both files we
are left with 2 identical files, meaning the actual contents of the RPM are
the same. If you dump the RPM header, you'll see the only difference is the
GPG signature.
$ rpmsign -Kv /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
/mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm:
    Header V3 DSA signature: OK, key ID e8562897
    Header SHA1 digest: OK (9d85fb047de144d46c75159cc938b540298d626e)
    MD5 digest: OK (33af7bab60f76189f16ea03622c7310c)
    V3 DSA signature: OK, key ID e8562897
$ rpmsign -Kv /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
/mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm:
    Header V3 DSA signature: OK, key ID e8562897
    Header SHA1 digest: OK (9d85fb047de144d46c75159cc938b540298d626e)
    MD5 digest: OK (33af7bab60f76189f16ea03622c7310c)
    V3 DSA signature: OK, key ID e8562897
$ rpmsign --delsign /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
/mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm:
$ rpmsign --delsign /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
/mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm:
$ sha1sum /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
3093a878f00b800be3ff40661be395fa5b45001a  /mnt/storage/CentOS/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
$ sha1sum /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
3093a878f00b800be3ff40661be395fa5b45001a  /mnt/storage/CentOS/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
Can the caching file be extended to also include the SHA1 hash of the GPG
signature from the header to eliminate this problem?
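As an added example (not createrepo's own code), the block below parses the RPM header structure used for the signature header, builds the cache name described in the post from the header SHA1 tag, and optionally appends a SHA1 over the DSA/GPG signature tags as the post proposes. The two signature headers are constructed fixtures with the same header SHA1 and different signature bytes; which fields createrepo actually reads, and the name of the extended field, are assumptions.

```python
import hashlib
import struct

# Constants from the RPM header structure (the signature header and the main
# header share this layout). Tag numbers are the ones rpm assigns in the
# signature header; mapping them onto the rpmsign -Kv lines is an assumption.
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPMSIGTAG_DSA = 267    # DSA signature over the header ("Header V3 DSA signature")
RPMSIGTAG_SHA1 = 269   # hex SHA1 of the header ("Header SHA1 digest")
RPMSIGTAG_GPG = 1005   # DSA signature over header + payload ("V3 DSA signature")
TYPE_STRING, TYPE_BIN = 6, 7

def parse_header_struct(buf):
    """Return {tag: bytes} for the STRING and BIN entries of one header structure."""
    if buf[:4] != HEADER_MAGIC:
        raise ValueError("not an RPM header structure")
    nindex, datalen = struct.unpack(">II", buf[8:16])   # bytes 4-8 are reserved
    store_start = 16 + 16 * nindex                        # index entries are 16 bytes each
    store = buf[store_start:store_start + datalen]
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", buf[16 + 16 * i:32 + 16 * i])
        if typ == TYPE_STRING:
            entries[tag] = store[off:store.index(b"\0", off)]
        elif typ == TYPE_BIN:
            entries[tag] = store[off:off + count]
    return entries

def cache_key(filename, sig_header, size, mtime, include_sig=False):
    """Build <filename>-<sha1header>-<filesize>-<mtime>; with include_sig=True,
    a SHA1 of the signature tags is appended so differently signed copies differ."""
    tags = parse_header_struct(sig_header)
    key = "%s-%s-%d-%d" % (filename, tags[RPMSIGTAG_SHA1].decode(), size, mtime)
    if include_sig:
        sig = tags.get(RPMSIGTAG_DSA, b"") + tags.get(RPMSIGTAG_GPG, b"")
        key += "-" + hashlib.sha1(sig).hexdigest()
    return key

def build_sig_header(sha1hex, dsa_sig):
    """Constructed minimal signature header (SHA1 + DSA tags) used as a fixture; not a real RPM."""
    sha1_data = sha1hex.encode() + b"\0"
    index = struct.pack(">IIII", RPMSIGTAG_SHA1, TYPE_STRING, 0, 1)
    index += struct.pack(">IIII", RPMSIGTAG_DSA, TYPE_BIN, len(sha1_data), len(dsa_sig))
    store = sha1_data + dsa_sig
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 2, len(store)) + index + store

# Constructed fixtures: same header SHA1 as in the post, different signature bytes
# (standing in for the i386 and x86_64 copies of the same package).
HDR_A = build_sig_header("9d85fb047de144d46c75159cc938b540298d626e", b"sig-from-i386-tree")
HDR_B = build_sig_header("9d85fb047de144d46c75159cc938b540298d626e", b"sig-from-x86_64-tree")
NAME, SIZE, MTIME = "cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm", 27426, 1269710765
```

With the original four fields both fixtures produce the exact cache name quoted in the post; with include_sig=True their names differ.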