[gobolinux-devel] More problems with signing

Thu, 01 Jun 2006 02:20:35 -0700

I'm working on getting an XFCE release done, both as recipes and as packages, but I cannot create a package from one of the programs included, EXO. I get this error everytime: 

]CreatePackage exo
CreatePackage: Creating package for EXO 0.3.1.6beta1.
VerifyProgram: Verifying signature...
VerifyProgram: Signature OK
VerifyProgram: Verifying FileHash...
VerifyProgram: FileHash check failed: lib/python2.4/site-packages/exo-0.3/exo/__init__.pyo not found in hashfile 
lib/python2.4/site-packages/pyexo.pyo not found in hashfile
lib/python2.4/site-packages/exo-0.3/exo/__init__.pyo not found in hashfile
lib/python2.4/site-packages/pyexo.pyo not found in hashfileCreatePackage: Unable to verify package. Do not redistribute 


Here you see that each error is printed twice (which is corrected with  
attached patch). This error exists because VerifyProgram (and Hashes) and  
SignProgram use different methods to list which files that should be  
included in the hash sum, see below.
I've tried to regenerate the hash with Hashes, but after I've corrected  
the bug with double quotes (see patch), CreatePackage thinks that every  
file is modified! After a closer look I found that Hashes uses md5sum,  
while Check_FileHash() (in Functions/File), which is called from  
VerifyProgram uses sha1sum. So I modified Hashes to use sha1sum as well  
(as most programs are signed with functions from Functions/File, which use  
sha1sum) (attached patch). Maybe one should make Hashes use the functions  
in Functions/File instead, so that one don't have to update more than one  
file when changing something.



Still the problem with SignProgram exists as SignProgram uses  
ListProgramFiles, which excludes .pyc and .pyo, among others, from  
listing, when calculating hash sums, while Hashes (and VerifyProgram) uses  
'find', which lists all files. Either SignProgram should use 'find' as  
well or VerifyProgram (and Hashes) should use ListProgramFiles. It depends  
on if .pyc and .pyo files should be redistributable. Until then I fall  
back to Hashes, when these problems arise.


--
/Jonas

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/


Attachment:
Hashes_double_quote.patch

Description: Binary data



Attachment:
VerifyProgram_double_printouts.patch

Description: Binary data



Attachment:
Hashes_sha1sum.patch

Description: Binary data


_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel






















					Reply via email to