[sles-beta] sha256sum apparmor-docs

Stefan Behlert behlert at suse.com
Wed Nov 25 06:59:46 MST 2015


Moin,


On Nov 24, 15 09:54:16 +0000, markus.hubler at isc-ejpd.admin.ch wrote:
> Hi folks
> 
> It seems as if a package has a different sha256sum with SLES 12 and SLES 12 SP1. It is the same version and has been packaged on the same date. However, the signature date is different. Apart from this, everything in these two packages is identical.
> 
> Signature   : RSA/SHA256, Fri 04 Sep 2015 03:04:45 PM CEST, Key ID 70af9e8139db7c82
> Signature   : RSA/SHA256, Fri 04 Sep 2015 03:05:40 PM CEST, Key ID 70af9e8139db7c82

It took me a while and several inquiries to understand this.
First, both signatures are correct.

The explanation is this:
  - For an update, the packages are built in a repository.
  - From this repository the packages are taken to be released as
    maintenance update for SLE 12 and to be included on the SLE 12 SP1
    medium (if we have nothing newer for SP1).
  - Now, when the packages are taken for the update, the system resigns the
    packages it releases in the update channel, as the key (generally
    speaking) could be different between the update channel and the build
    repository.
  - The ones in the build repository are _not_ resigned, but taken 'as is'.
  - For the SLE case, the key is identical for the build repository and the
    released packages.

That's the reason why you see different signature times for some
packages.

We have changed this behavior at some point in time, to have the same
signature (time), and not different ones. Unfortunately the package
you mentioned was handled before that change, so you see different
signature times there still. The other packages mentioned are most likely
also affected by that.

> At the end I have two different checksums. This leads to an installation
> problem when doing a new installation with cobbler (from Suse Manager).
> The machine does not refer to the rpm from sp1 but to the rpm from the
> update section from sp0.
> 
> The expected checksum of file  ....  is ... but the current checksum is ...
> 
> This means that the file has been changed by accident or by an attacker since the repository creator signed it. Using it is a big risk for the integrity and security of your system.
> 
> Use it anyway?
> 
> This message is shown for more than 10 packages...
> 
>  # sha256sum /var/spacewalk/instsrv/sles12_1/suse/noarch/apparmor-docs-2.8.2-36.1.noarch.rpm
> a727bebac6b8dd8fc18fd2df00782042b9612c5e31acbb3240d4b41373c44059  /var/spacewalk/instsrv/sles12_1/suse/noarch/apparmor-docs-2.8.2-36.1.noarch.rpm
> 
> # sha256sum /var/spacewalk/packages/NULL/df3/apparmor-docs/2.8.2-36.1/noarch/df366fb83e165d33866ae42a717658742069b5e3f5cba8629ddd52ddeabb434a/apparmor-docs-2.8.2-36.1.noarch.rpm
> df366fb83e165d33866ae42a717658742069b5e3f5cba8629ddd52ddeabb434a  /var/spacewalk/packages/NULL/df3/apparmor-docs/2.8.2-36.1/noarch/df366fb83e165d33866ae42a717658742069b5e3f5cba8629ddd52ddeabb434a/apparmor-docs-2.8.2-36.1.noarch.rpm
> 
> 
> Now my question: Is there a good way to work around this problem? Or is there any need to fix this?

I'm not familiar enough with either cobbler or SUSE Manager to answer
that, sorry. I've relayed this message to the responsible team, hoping they
can help you.


        ciao,
          Stefan

> 
> Regards
> Markus
> 

-- 
Stefan Behlert, SUSE LINUX
Release Manager Enterprise Server
Maxfeldstr. 5, D-90409 Nuernberg, Germany
Phone +49-911-74053-173
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
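Stefan's explanation means the two files differ only in their signature header: an RPM starts with a 96-byte lead and a signature header (padded to 8 bytes), and the signed main header plus payload follow. The script below is an added example, not code from the list post or from SUSE's build tooling; it parses that layout and hashes only the bytes after the signature header, so two packages whose whole-file sha256sums differ can be checked for identical signed content. The two packages it compares are constructed stand-ins (valid enough for this parser, not for rpm itself), and the script does not verify the signature; `rpm -K` does that.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # first bytes of every RPM header structure
LEAD_LEN = 96


def header_length(data: bytes, offset: int) -> int:
    """Length of the header structure at offset: 16-byte intro, 16 bytes per index entry, data store."""
    if data[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("no RPM header magic at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", data[offset + 8:offset + 16])
    return 16 + nindex * 16 + hsize


def signature_end(data: bytes) -> int:
    """Offset just past the signature header; the signature covers everything after it."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig_len = header_length(data, LEAD_LEN)
    sig_len += (8 - sig_len % 8) % 8  # signature header is padded to an 8-byte boundary
    return LEAD_LEN + sig_len


def content_sha256(data: bytes) -> str:
    """SHA-256 of the signed content only (main header + payload), ignoring lead and signature."""
    return hashlib.sha256(data[signature_end(data):]).hexdigest()


def differ_only_in_signature(rpm_a: bytes, rpm_b: bytes) -> bool:
    """True when the files are not byte-identical but their signed content is."""
    return rpm_a != rpm_b and content_sha256(rpm_a) == content_sha256(rpm_b)


def build_fake_rpm(sig_blob: bytes, content: bytes) -> bytes:
    """Constructed stand-in: lead + one-entry signature header holding sig_blob + unchanged content."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\x00" * 90          # major 3, minor 0, rest zeroed
    index = struct.pack(">IIII", 1000, 7, 0, len(sig_blob))  # tag, BIN type, offset, count
    sig = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 1, len(sig_blob)) + index + sig_blob
    sig += b"\x00" * ((8 - len(sig) % 8) % 8)
    return lead + sig + content


# Constructed sample: the same content "signed" twice, a minute apart, as in the thread.
CONTENT = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", 0, 0) + b"apparmor-docs payload"
RPM_SP0_UPDATE = build_fake_rpm(b"signature 03:04:45 PM", CONTENT)
RPM_SP1_MEDIUM = build_fake_rpm(b"signature made at 03:05:40 PM", CONTENT)
```

Running `differ_only_in_signature(RPM_SP0_UPDATE, RPM_SP1_MEDIUM)` returns True for the sample, which is exactly the situation Markus hit: different file checksums, identical signed content.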