Date: Wed, 12 Jul 2006 15:27:04 +0800
From: "Kim Leng Goh"
To: minfrin@apache.org, dev@apr.apache.org
Subject: Fwd: Fwd: Problem checking signature of httpd, apr, apr-util rpms

fyi, a quick reply from Mark:

On 7/12/06, Apache Security Response Team wrote:
> Dear Kim Leng Goh:
>
> This is actually a known problem with rpm signature checking. rpm will
> not correctly validate a key where the public key contains signatures.
> Therefore you cannot simply rpm --import the httpd KEYS file (or even an
> extraction of one key from it).
>
> If you want to import a public key into rpm you need to import a clean
> version without signatures. If this is not provided (as in this case)
> then you can only use "rpm --checksig -vv" which will validate the
> signature and show you the key used to sign. Alternatively, upstream
> versions of rpm since 4.4.2 are known to fix this issue (unverified).
>
> For gory details see
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952
>
> Thank you, Mark
> --
> Mark J Cox
> Apache Software Foundation
>
> On Wed, 12 Jul 2006, Kim Leng Goh wrote:
>
> > Hi,
> > I'm forwarding my email to the security mailing list as this appears
> > to be a security issue. Apologies if this is the wrong place.
> >
> >
> > ---------- Forwarded message ----------
> > [...]
> > Date: Jul 7, 2006 3:02 PM
> > Subject: Problem checking signature of httpd, apr, apr-util rpms
> > To: users@httpd.apache.org
> > Cc: minfrin@apache.org, dev@apr.apache.org
> >
> >
> > Hi all,
> >
> > I encountered some problems with the KEYS at
> > http://www.apache.org/dist/httpd/KEYS and
> > http://www.apache.org/dist/apr/KEYS with the "rpm --checksig" or "rpm
> > -K" command on some of the rpms such as
> > http://www.apache.org/dist/httpd/binaries/rpm/SRPMS/httpd-2.0.58-1.src.rpm,
> > http://www.apache.org/dist/apr/binaries/rpm/SRPMS/apr-0.9.12-1.src.rpm,
> > http://www.apache.org/dist/apr/binaries/rpm/i386/apr-1.2.7-1.i386.rpm
> >
> > Without importing any public key, I get "NOKEY":
> >
> > # rpm -K -v httpd-2.0.58-1.src.rpm
> > httpd-2.0.58-1.src.rpm:
> >     Header V3 DSA signature: NOKEY, key ID 751d7f27
> >     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
> >     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
> >     V3 DSA signature: NOKEY, key ID 751d7f27
> >
> >
> > Using http://www.apache.org/dist/apr/KEYS, I extracted lines 513 to
> > 712 of the file into another file "KEYS.2":
> >
> > # head -712 KEYS|tail -200 > KEYS.2
> >
> > # rpm --import KEYS.2
> >
> > # rpm -qa|grep gpg
> > ...
> > gpg-pubkey-751d7f27-3ddd0dfa
> > ...
> >
> >
> > and I get "BAD":
> >
> > # rpm -K -v httpd-2.0.58-1.src.rpm
> > httpd-2.0.58-1.src.rpm:
> >     Header V3 DSA signature: BAD, key ID 751d7f27
> >     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
> >     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
> >     V3 DSA signature: BAD, key ID 751d7f27
> >
> >
> > If I use the key from
> > http://pgp.mit.edu:11371/pks/lookup?search=0x751D7F27&op=index
> > (e.g. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x751D7F27), I
> > get f88341d9 as the key ID. Apparently, f88341d9 should belong to Lars
> > Eilebrecht.
> >
> > # rpm --import KEYS.3
> > # rpm -qa|grep gpg
> > ...
> > gpg-pubkey-f88341d9-3ddd3c97
> > ...
> > gpg-pubkey-751d7f27-3ddd0dfa
> >
> > Regards,
> > KL
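Added example, not code from the thread or from the Apache projects: a POSIX shell helper that pulls one key out of a KEYS file and re-exports it with GnuPG's export-minimal (which drops third-party signatures, the thing Mark says rpm cannot handle), then classifies the verdict of "rpm -K -v" so that NOKEY is never mistaken for a successful check. Function names, the assumption that gpg and rpm are on PATH, and the assumption that an export-minimal key is clean enough for a given rpm version are mine; the sample output is copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes gpg and rpm are on PATH.

# Re-export a single key from a KEYS file with export-minimal, which keeps
# only each user ID's latest self-signature and drops third-party ones.
# Whether that is clean enough for a given rpm version is an assumption;
# confirm it with verify_rpm below, as the thread says rpm wants a
# signature-free key.
clean_key_from_keys_file() {   # usage: clean_key_from_keys_file KEYS 0x751D7F27
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$1" &&
    gpg --homedir "$tmp" --batch --armor \
        --export-options export-minimal --export "$2"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Read 'rpm -K -v' output on stdin and print the worst finding:
# BAD (a signature does not verify), DIGEST (a digest does not match),
# NOKEY (signing key not imported, so nothing was actually verified), OK.
classify_checksig_output() {
    verdict=OK
    while IFS= read -r line; do
        case $line in
            *"signature: BAD"*)                verdict=BAD ;;
            *"digest: BAD"*|*"digest: NOTOK"*) if [ "$verdict" != BAD ]; then verdict=DIGEST; fi ;;
            *"signature: NOKEY"*)              if [ "$verdict" = OK ]; then verdict=NOKEY; fi ;;
        esac
    done
    echo "$verdict"
}

verify_rpm() {                 # usage: verify_rpm httpd-2.0.58-1.src.rpm
    rpm -K -v "$1" | classify_checksig_output
}

# Constructed sample: the NOKEY output quoted in the thread.
SAMPLE_NOKEY='httpd-2.0.58-1.src.rpm:
    Header V3 DSA signature: NOKEY, key ID 751d7f27
    Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
    MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
    V3 DSA signature: NOKEY, key ID 751d7f27'

if [ "$#" -eq 1 ]; then        # script use: verify the package given as argument
    verify_rpm "$1"
fi
```

A verdict of NOKEY means the digests matched but no signature was checked, which is why a plain exit-status test of rpm -K is not enough on older rpm versions.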