Hi Jeff, thanks for looking into this.
On 04/21/2009 11:14 PM, Jeff Johnson wrote:
> - build some package
> - use dd to truncate some of the payload.
> - sign the package
> - verify the signature.
> If this reproduces the issue, I can pretty easily send you a patch that compares before and after header+payload MD5 digest and warns/errors if the two values do not match while signing.
This is indeed a part of the situation. The signature was added to a file that wasn't complete at the time.
However, the problem does not end there. The file on the master server was then refreshed with the complete srpm on the next rsync (about 12 minutes later) and resigned, but that package never made it down to the mirrors; they continued to run with the partial srpm even though they run a complete rsync every 15 minutes from the master.
It's getting a bit late now, but I will try and set up some tests for this over the next few days and see exactly what caused rsync to ignore this file in spite of timestamp and filesize being very different.
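The check Jeff proposes above, written out as an added example (not rpm's own code): read the MD5 stored in the signature header (RPMSIGTAG_MD5, tag 1004) and compare it with the MD5 of the bytes that actually follow it, so a payload truncated before signing is caught instead of signed. It assumes the RPM v3 layout (96-byte lead, signature header, main header, payload) and builds a minimal constructed RPM-shaped blob so it runs offline.

```python
"""Compare an RPM's stored header+payload MD5 with the bytes present in the file.
Added example, not rpm's own code. Layout assumed: 96-byte lead, signature
header, 8-byte padding, main header, payload; RPMSIGTAG_MD5 = 1004 (type BIN)."""
import hashlib
import struct

LEAD_SIZE = 96
HDR_MAGIC = b"\x8e\xad\xe8\x01"
RPMSIGTAG_MD5 = 1004


def _header_span(data, off):
    """Return (index entries, store offset, end offset) of the header at off."""
    if data[off:off + 4] != HDR_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    store = off + 16 + 16 * nindex
    entries = [struct.unpack(">iiii", data[p:p + 16])
               for p in range(off + 16, store, 16)]
    return entries, store, store + hsize


def check_payload_digest(data):
    """Return (stored_md5_hex, actual_md5_hex, match) for an RPM byte string."""
    entries, store, sig_end = _header_span(data, LEAD_SIZE)
    stored = None
    for tag, _typ, offset, count in entries:
        if tag == RPMSIGTAG_MD5:  # offsets are relative to the data store
            stored = data[store + offset:store + offset + count]
    if stored is None:
        raise ValueError("no RPMSIGTAG_MD5 entry in signature header")
    body_start = sig_end + (-sig_end % 8)  # signature header is padded to 8
    actual = hashlib.md5(data[body_start:]).digest()
    return stored.hex(), actual.hex(), stored == actual


def build_test_rpm(payload):
    """Construct a minimal RPM-shaped blob (constructed test data, not a real package)."""
    main_hdr = HDR_MAGIC + b"\0" * 4 + struct.pack(">II", 0, 0)  # empty main header
    body = main_hdr + payload
    digest = hashlib.md5(body).digest()
    sig_hdr = (HDR_MAGIC + b"\0" * 4 + struct.pack(">II", 1, 16)
               + struct.pack(">iiii", RPMSIGTAG_MD5, 7, 0, 16) + digest)  # 48 bytes
    lead = b"\xed\xab\xee\xdb" + b"\0" * 92
    return lead + sig_hdr + body


if __name__ == "__main__":
    full = build_test_rpm(b"payload bytes " * 64)
    print("intact:   ", check_payload_digest(full)[2])
    print("truncated:", check_payload_digest(full[:-40])[2])  # what dd truncation looks like
```

A signing step that runs this first and refuses to sign on a mismatch would not have produced the bad signature described in the thread.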