apr-dev mailing list archives

From "Kim Leng Goh" <kimleng....@gmail.com>
Subject Fwd: Fwd: Problem checking signature of httpd, apr, apr-util rpms
Date Wed, 12 Jul 2006 07:27:04 GMT
FYI, a quick reply from Mark:

On 7/12/06, Apache Security Response Team <security@apache.org> wrote:
> Dear Kim Leng Goh:
>
> This is actually a known problem with rpm signature checking.  rpm will
> not correctly validate a key where the public key contains signatures.
> Therefore you cannot simply rpm --import the httpd KEYS file (or even an
> extraction of one key from it).
>
> If you want to import a public key into rpm you need to import a clean
> version without signatures.  If this is not provided (as in this case)
> then you can only use "rpm --checksig -vv" which will validate the
> signature and show you the key used to sign.  Alternatively, upstream
> versions of rpm since 4.4.2 are known to fix this issue (unverified).
>
> For gory details see
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952
>
> Thank you, Mark
> --
> Mark J Cox
> Apache Software Foundation
>
> On Wed, 12 Jul 2006, Kim Leng Goh wrote:
>
> > Hi,
> >   I'm forwarding my email to the security mailing list as this appears
> > to be a security issue. Apologies if this is the wrong place.
> >
> >
> > ---------- Forwarded message ----------
> > [...]
> > Date: Jul 7, 2006 3:02 PM
> > Subject: Problem checking signature of httpd, apr, apr-util rpms
> > To: users@httpd.apache.org
> > Cc: minfrin@apache.org, dev@apr.apache.org
> >
> >
> > Hi all,
> >
> >   I encountered some problems with the KEYS at
> > http://www.apache.org/dist/httpd/KEYS and
> > http://www.apache.org/dist/apr/KEYS with the "rpm --checksig" or "rpm
> > -K" command on some of the rpms such as
> > http://www.apache.org/dist/httpd/binaries/rpm/SRPMS/httpd-2.0.58-1.src.rpm,
> > http://www.apache.org/dist/apr/binaries/rpm/SRPMS/apr-0.9.12-1.src.rpm,
> > http://www.apache.org/dist/apr/binaries/rpm/i386/apr-1.2.7-1.i386.rpm
> >
> > Without importing any public key, I get "NOKEY":
> >
> > # rpm -K -v httpd-2.0.58-1.src.rpm
> > httpd-2.0.58-1.src.rpm:
> >     Header V3 DSA signature: NOKEY, key ID 751d7f27
> >     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
> >     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
> >     V3 DSA signature: NOKEY, key ID 751d7f27
> >
> >
> > Using http://www.apache.org/dist/apr/KEYS, I extracted lines 513 to
> > 712 of the file into another file "KEYS.2":
> >
> > # head -712 KEYS|tail -200 > KEYS.2
> >
> > # rpm --import KEYS.2
> >
> > # rpm -qa|grep gpg
> > ...
> > gpg-pubkey-751d7f27-3ddd0dfa
> > ...
> >
> >
> > and I get "BAD":
> >
> > # rpm -K -v httpd-2.0.58-1.src.rpm
> > httpd-2.0.58-1.src.rpm:
> >     Header V3 DSA signature: BAD, key ID 751d7f27
> >     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
> >     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
> >     V3 DSA signature: BAD, key ID 751d7f27
> >
> >
> > If I use the key from
> > http://pgp.mit.edu:11371/pks/lookup?search=0x751D7F27&op=index
> > (e.g. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x751D7F27), I
> > get f88341d9 as the key ID. Apparently, f88341d9 should belong to Lars
> > Eilebrecht.
> >
> > # rpm --import KEYS.3
> > # rpm -qa|grep gpg
> > ...
> > gpg-pubkey-f88341d9-3ddd3c97
> > ...
> > gpg-pubkey-751d7f27-3ddd0dfa
> >
> > Regards,
> > KL
> >

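The workaround Mark describes is to read the key ID that `rpm --checksig -vv` prints and judge the result yourself rather than trusting an import that rpm cannot validate. The checker below is an added example, not code from the thread or from the rpm project: it parses `rpm -K -v` output of the shape quoted above, treats NOKEY and BAD as failures, and also fails when the signing key ID differs from the one you have pinned (here 751d7f27, the ID shown in the thread). The sample outputs are constructed from the thread's two runs, plus an "OK" variant and a wrong-key variant derived from them by substitution.

```shell
#!/bin/sh
# verify_rpm_sig_output EXPECTED_KEYID   (reads "rpm -K -v PKG" output on stdin)
# Exit 0 only if every signature line reads "OK" with the expected key ID and
# every digest line is OK. NOKEY and BAD both fail, as does a missing key ID.
# Real use: rpm -K -v httpd-2.0.58-1.src.rpm | verify_rpm_sig_output 751d7f27
verify_rpm_sig_output() {
    _want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$_want" '
        BEGIN { bad = 0; n = 0 }
        /signature:/ {
            n++
            split($0, a, "signature: ")      # a[2] = "NOKEY, key ID 751d7f27"
            split(a[2], b, ", key ID ")      # b[1] = status, b[2] = key ID
            status = b[1]; keyid = tolower(b[2])
            if (status != "OK")     { printf "FAIL: %s\n", $0; bad = 1 }
            else if (keyid != want) { printf "FAIL: signed by [%s], expected %s\n", keyid, want; bad = 1 }
        }
        /digest:/ && !/: OK/ { printf "FAIL: %s\n", $0; bad = 1 }
        END {
            if (n == 0) { print "FAIL: no signature lines found"; exit 1 }
            if (!bad) printf "OK: %d signature(s) by key %s\n", n, want
            exit bad
        }'
}

# Constructed samples. SAMPLE_NOKEY is the thread's first run; BAD is its
# second (after the broken import); OK is what a successful check with the
# right key looks like in the same format; WRONGKEY is signed by another key.
SAMPLE_NOKEY='httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: NOKEY, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: NOKEY, key ID 751d7f27'
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_NOKEY" | sed 's/NOKEY/BAD/g')
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_NOKEY" | sed 's/NOKEY/OK/g')
SAMPLE_WRONGKEY=$(printf '%s\n' "$SAMPLE_OK" | sed 's/751d7f27/f88341d9/g')

# Demo: only SAMPLE_OK passes when the pinned key is 751d7f27.
for s in SAMPLE_NOKEY SAMPLE_BAD SAMPLE_WRONGKEY SAMPLE_OK; do
    eval "v=\$$s"
    printf '%s: ' "$s"
    printf '%s\n' "$v" | verify_rpm_sig_output 751d7f27
done
```

To build the "clean version without signatures" Mark mentions, GnuPG's `gpg --export-options export-minimal --armor KEYID` drops third-party signatures before `rpm --import`; whether the rpm release in question then accepts the key is not something the thread verifies.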