Re: Koji payload hash?

2016-10-31 Thread Christopher
On Mon, Oct 31, 2016 at 12:01 PM Panu Matilainen 
wrote:

> On 10/31/2016 05:17 PM, Florian Weimer wrote:
> > On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
> >> On Thu, 20 Oct 2016 16:42:02 +
> >> Christopher  wrote:
> >>
> >>> What is the "Payload Hash" in koji?
> >>> It looks like an MD5, but of what? It's not the rpm... I've checked.
> >>> Should koji be providing verification hashes for manual downloads of
> >>> built RPMs? I think this would be useful for testing.
> >>>
> >>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
> >>
> >> I'm not sure either. I think it's the internal payload before adding
> >> the signatures, etc?
> >
> > It's the RPM_SIGTAG_MD5 RPM header:
> >
> >   SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> > 003e0007ffa00010
> >   SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> > "bbc33a4f6670d31817cd571de632f3190a72e1bf"
> >   SIGNATURE:SIGTAG_SIZE (INT32): 103674
> >   SIGNATURE:SIGTAG_MD5 (BIN):
> > cdf775308f76e659385444b50ee26a7a
> >   SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
> >
> > I'm not completely sure over which part of the RPM it is computed.  I
> > suspect over the non-signature header followed by the decompressed payload.
>
> All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the
> (non-signature) header + compressed payload. Only the individual file
> digests are on uncompressed data.
>
> - Panu -
>
>

Thanks. This was explained on https://pagure.io/koji/issue/190 with
instructions on how to verify.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
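
The check Panu Matilainen describes in the quoted reply above, as an added example that is not part of the thread and is not koji or rpm code: it skips the 96-byte lead and the signature header, reads SIGTAG_MD5, and compares it with the MD5 of the main header plus compressed payload. `build_sample` makes a constructed, RPM-shaped blob with an empty main header so the code runs offline; all function names are this example's own.

```python
import hashlib
import hmac
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # starts both the signature header and the main header
SIGTAG_SIZE, SIGTAG_MD5 = 1000, 1004
TYPE_INT32, TYPE_BIN = 4, 7

def split_rpm(rpm: bytes):
    """Return (stored SIGTAG_MD5 or None, bytes after the signature header)."""
    if (len(rpm) < LEAD_SIZE + 16 or rpm[:4] != LEAD_MAGIC
            or rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC):
        raise ValueError("not an RPM package")
    nindex, hsize = struct.unpack_from(">II", rpm, LEAD_SIZE + 8)
    index_at = LEAD_SIZE + 16           # 16-byte index entries start here
    store_at = index_at + 16 * nindex   # data store follows the index
    if store_at + hsize > len(rpm):
        raise ValueError("truncated signature header")
    stored = None
    for i in range(nindex):
        tag, typ, off, count = struct.unpack_from(">IIII", rpm, index_at + 16 * i)
        if tag == SIGTAG_MD5 and typ == TYPE_BIN and count == 16 and off + 16 <= hsize:
            stored = rpm[store_at + off:store_at + off + 16]
    # The signature header is padded so the main header starts 8-byte aligned.
    return stored, rpm[store_at + hsize + (-hsize % 8):]

def verify_payload_hash(rpm: bytes) -> bool:
    """True if SIGTAG_MD5 equals MD5(main header + compressed payload)."""
    stored, digested = split_rpm(rpm)
    if stored is None:
        raise ValueError("package has no SIGTAG_MD5 entry")
    return hmac.compare_digest(hashlib.md5(digested).digest(), stored)

def build_sample(payload: bytes = b"constructed compressed payload") -> bytes:
    """Constructed, minimal RPM-shaped blob (empty main header), for the demo only."""
    body = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, 0) + payload
    store = struct.pack(">I", len(body)) + hashlib.md5(body).digest()  # 20 bytes
    index = (struct.pack(">IIII", SIGTAG_SIZE, TYPE_INT32, 0, 1)
             + struct.pack(">IIII", SIGTAG_MD5, TYPE_BIN, 4, 16))
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + bytes(-len(store) % 8) + body

if __name__ == "__main__":
    rpm = build_sample()
    print("SIGTAG_MD5 matches header+payload:", verify_payload_hash(rpm))
    print("matches MD5 of whole file:", hashlib.md5(rpm).digest() == split_rpm(rpm)[0])
```

The second print is `False`, which is why hashing the downloaded file as a whole never reproduces the value koji shows. A matching MD5 only indicates the bytes were not corrupted; authenticity rests on the package's GPG signature.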


Re: Koji payload hash?

2016-10-31 Thread Panu Matilainen

On 10/31/2016 05:17 PM, Florian Weimer wrote:
> On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
>> On Thu, 20 Oct 2016 16:42:02 +
>> Christopher  wrote:
>>
>>> What is the "Payload Hash" in koji?
>>> It looks like an MD5, but of what? It's not the rpm... I've checked.
>>> Should koji be providing verification hashes for manual downloads of
>>> built RPMs? I think this would be useful for testing.
>>>
>>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
>>
>> I'm not sure either. I think it's the internal payload before adding
>> the signatures, etc?
>
> It's the RPM_SIGTAG_MD5 RPM header:
>
>   SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> 003e0007ffa00010
>   SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> "bbc33a4f6670d31817cd571de632f3190a72e1bf"
>   SIGNATURE:SIGTAG_SIZE (INT32): 103674
>   SIGNATURE:SIGTAG_MD5 (BIN):
> cdf775308f76e659385444b50ee26a7a
>   SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
>
> I'm not completely sure over which part of the RPM it is computed.  I
> suspect over the non-signature header followed by the decompressed payload.


All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the 
(non-signature) header + compressed payload. Only the individual file 
digests are on uncompressed data.


- Panu -


Re: Koji payload hash?

2016-10-31 Thread Florian Weimer

On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
> On Thu, 20 Oct 2016 16:42:02 +
> Christopher  wrote:
>
>> What is the "Payload Hash" in koji?
>> It looks like an MD5, but of what? It's not the rpm... I've checked.
>> Should koji be providing verification hashes for manual downloads of
>> built RPMs? I think this would be useful for testing.
>>
>> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409
>
> I'm not sure either. I think it's the internal payload before adding
> the signatures, etc?


It's the RPM_SIGTAG_MD5 RPM header:

  SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
003e0007ffa00010
  SIGNATURE:SIGTAG_SHA1HEADER (STRING):
"bbc33a4f6670d31817cd571de632f3190a72e1bf"
  SIGNATURE:SIGTAG_SIZE (INT32): 103674
  SIGNATURE:SIGTAG_MD5 (BIN):
cdf775308f76e659385444b50ee26a7a
  SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760

I'm not completely sure over which part of the RPM it is computed.  I 
suspect over the non-signature header followed by the decompressed payload.


Florian


Re: Koji payload hash?

2016-10-21 Thread Kevin Fenzi
On Thu, 20 Oct 2016 16:42:02 +
Christopher  wrote:

> What is the "Payload Hash" in koji?
> It looks like an MD5, but of what? It's not the rpm... I've checked.
> Should koji be providing verification hashes for manual downloads of
> built RPMs? I think this would be useful for testing.
> 
> http://koji.fedoraproject.org/koji/rpminfo?rpmID=8351409

I'm not sure either. I think it's the internal payload before adding
the signatures, etc?

In any case if you want a change in koji behavior, best to ask that
upstream: 

https://pagure.io/koji/issues

kevin

