On 08/11/2017 03:44 AM, Kevin Fenzi wrote:
Sadly we ran into a problem...

as soon as the new rpm was in the rawhide buildroot and builds were made with 
it, things started piling up in f27-pending (the tag things land in after build 
so the autosigner can sign them and move them to f27).

It seems old rpm cannot read headers of rpms made with the new version, 
resulting in no signing. ;(

Patrick filed:
https://bugzilla.redhat.com/show_bug.cgi?id=1480407

and untagged rpm 4.14 and all the things built after it landed in the 
buildroot. Those things will need to be built again now. ;(

The full story is in https://bugzilla.redhat.com/show_bug.cgi?id=1480407 but to summarize, this is actually a bug in rpm 4.13.x, which is not ignoring an unknown signature header tag like it should; older rpm versions are not affected. Also, the bug only affects signature checking with rpmkeys -K; packages can still be installed and even signed without problems.

Rpm 4.13 needs to be updated in all active Fedora versions to correctly cope with it but that's going to take time and is not something I want to rush. So for the time being, I've disabled generation of the troublesome SHA256 header-only digest in 4.14 to be able to move on with it. We'll re-enable it once the updates to older versions have been completed, but there's no urgency to that now.

Apologies for the entirely unexpected hiccup :-/

        - Panu -