Jeff Johnson wrote:
On Apr 21, 2009, at 6:10 PM, Jeff Johnson wrote:
It's easy enough to create a reproducer:
- build some package
- use dd to truncate some of the payload.
- sign the package
- verify the signature.
If this reproduces the issue, I can pretty easily send you a patch that compares before and after header+payload MD5 digest and warns/errors if the two values do not match while signing.
Then you'd have to send to the upstream rpm, but I'd be more happy to fix #495689 and be able to use 5.3's rpm with mock-0.9 instead of 5.2's rpm :-)
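As an added example (not code from this thread or from rpm itself), here is the kind of check Jeff describes, done outside the signing path: read the header+payload size and MD5 recorded in the signature header and compare them with the bytes actually present, so a payload truncated with dd shows up as a mismatch. The RPM container built here is a constructed, minimal one carrying only signature tags 1000 (SIZE) and 1004 (MD5); real packages carry more tags, which this check ignores.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"       # RPM lead magic; the lead is 96 bytes in total
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # header structure magic + version 1
RPMSIGTAG_SIZE = 1000                   # size of header+payload
RPMSIGTAG_MD5 = 1004                    # MD5 digest over header+payload
RPM_INT32_TYPE, RPM_BIN_TYPE = 4, 7

def build_fake_rpm(header_plus_payload: bytes) -> bytes:
    """Constructed minimal container: lead, signature header with only the
    SIZE and MD5 tags, then the header+payload bytes. Not a real package."""
    lead = LEAD_MAGIC + b"\x03\x00" + bytes(LEAD_SIZE - 6)   # major 3, minor 0, rest zeroed
    store = struct.pack(">I", len(header_plus_payload))
    store += hashlib.md5(header_plus_payload).digest()
    index = struct.pack(">IIII", RPMSIGTAG_SIZE, RPM_INT32_TYPE, 0, 1)
    index += struct.pack(">IIII", RPMSIGTAG_MD5, RPM_BIN_TYPE, 4, 16)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 2, len(store)) + index + store
    sig += bytes((-len(sig)) % 8)       # signature header is padded to an 8-byte boundary
    return lead + sig + header_plus_payload

def check_header_payload_digest(rpm: bytes) -> dict:
    """Read SIZE/MD5 from the signature header and compare them with what
    actually follows it. A truncated payload fails both comparisons."""
    if rpm[:4] != LEAD_MAGIC or rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("not an RPM lead + signature header")
    nindex, hsize = struct.unpack(">II", rpm[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_start = LEAD_SIZE + 16
    store_start = index_start + 16 * nindex
    store = rpm[store_start:store_start + hsize]
    recorded_size, recorded_md5 = None, None
    for i in range(nindex):               # each index entry: tag, type, offset, count
        entry = rpm[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, _typ, off, _cnt = struct.unpack(">IIII", entry)
        if tag == RPMSIGTAG_SIZE:
            recorded_size = struct.unpack(">I", store[off:off + 4])[0]
        elif tag == RPMSIGTAG_MD5:
            recorded_md5 = store[off:off + 16]
    sig_len = 16 + 16 * nindex + hsize
    body = rpm[LEAD_SIZE + sig_len + (-sig_len) % 8:]   # skip padding; header+payload follows
    result = {
        "recorded_size": recorded_size, "actual_size": len(body),
        "size_ok": recorded_size == len(body),
        "md5_ok": recorded_md5 == hashlib.md5(body).digest(),
    }
    result["ok"] = result["size_ok"] and result["md5_ok"]
    return result
```

Running the check on a real package means pointing it at the on-disk .rpm bytes; the same size/digest mismatch is what a signing step should refuse to sign over.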