
Bug 2183489

Summary: can't rpm erase, package with invalid hash lodged inside rpmdb
Product: [Fedora] Fedora
Component: rpm
Version: 38
Hardware: Unspecified
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Reporter: Ganapathi Kamath <hgkamath>
Assignee: Packaging Maintenance Team <packaging-team-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: igor.raits, mdomonko, packaging-team-maint, pmatilai, vmukhame
Last Closed: 2023-03-31 11:06:44 UTC
Type: Bug

Description Ganapathi Kamath 2023-03-31 10:58:14 UTC
upstream bug:  
can't rpm erase, package with invalid hash lodged inside rpmdb #2460  
https://github.com/rpm-software-management/rpm/issues/2460  


Description of problem:
rpm query commands on invocation show annoying/distracting hash/digest errors.

When using rpm, I think there are two non-easily identifiable packages that are messed up.
The ```rpm -e``` erase option does not have a ```--nodigest``` argument unlike the install/upgrade/verify options.
The below logs show that unnamed packages throw up hash/digest errors.
From the key signature ```a109b1ec``` I deduced the packages to be livna-release and libdvdcss.

I recently did an upgrade from fedora-37 to fedora-38.
For the most part, other than a few dependency hiccups with some packages like ffmpeg-libs, libplacebo, libchromapaint, which were resolved, the update went smoothly. Fedora-38 boots and works with no issues.  

So my question is, how can I fix this?
  Attempting to force install livna-release is also not possible
  I have tried moving out the gpgkeys manually from /etc/pki and /etc/yum.repos.d, no effect. 

Logs
```
[root@sirius livna]# rpm -qa > /dev/null # just to see the stderr
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]#  rpm -e livna-release
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]#  rpm -e libdvdcss
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK

[root@sirius livna]# rpm -e livna-release --nodeps --justdb
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK


[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed

[root@sirius livna]# rpm -i ./livna-release-1-1.noarch.rpm --force
error: ./livna-release-1-1.noarch.rpm: Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
error: ./livna-release-1-1.noarch.rpm cannot be installed

[root@sirius livna]# rpm -qa | grep -Ei "^rpm-4|rpm-l"
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
rpm-libs-4.18.1-1.fc38.x86_64
rpm-4.18.1-1.fc38.x86_64

[root@sirius livna]# uname -a
Linux sirius 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64 GNU/Linux

[root@sirius livna]# cat /etc/os-release | grep -E "^NAME=|^VERSION="
NAME="Fedora Linux"
VERSION="38 (Workstation Edition Prerelease)"

```

Version-Release number of selected component (if applicable):
rpm-4.18.1-1

How reproducible:
It's not exactly redo-able on an already installed/upgraded machine. Seems like a one-time thing if you get it into this state.

Steps to Reproduce:
See logs given above

Actual results:
See logs given above

Expected results:
no error message should be visible

Additional info:
none at the moment
verbose argument -vvv doesn't show anything interesting, other than it reading other GPG keys.

Comment 1 Panu Matilainen 2023-03-31 11:06:44 UTC
Update to latest rpm-sequoia and crypto-policies. More details in bug 2170878.

*** This bug has been marked as a duplicate of bug 2170878 ***

Comment 2 Ganapathi Kamath 2023-03-31 12:17:20 UTC
Thanks Panu


LOGS
```
[root@sirius livna]# rpm -qa >/dev/null
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
[root@sirius livna]# rpm -q --nosignature --querybynumber 17
livna-release-1-1.noarch
[root@sirius livna]# rpm -q --nosignature --querybynumber 19
libdvdcss-1.4.0-1.fc24.remi.x86_64
[root@sirius livna]# rpm -e --nosignature libdvdcss-1.4.0-1.fc24.remi.x86_64 
[root@sirius livna]# rpm -e --nosignature livna-release-1-1.noarch
[root@sirius livna]# 

[root@sirius livna]# rpm -qa >/dev/null
[root@sirius livna]# rpm -q crypto-policies rpm-sequoia
crypto-policies-20230301-1.gita12f7b2.fc38.noarch
rpm-sequoia-1.3.0-1.fc38.x86_64
[root@sirius livna]# update-crypto-policies --show 
DEFAULT
```


MISC
Collecting some links here found while reading 
20230217 Insecure installed RPMs (like Google Chrome) prevent system updates in F38, can't be removed 
https://bugzilla.redhat.com/show_bug.cgi?id=2170878 : 

- 20230230 Kamil Páral Third-party RPMs with an invalid signing key might cause errors during package operations  
  https://discussion.fedoraproject.org/t/third-party-rpms-with-an-invalid-signing-key-might-cause-errors-during-package-operations/80077
- 20230227 Kamil Páral Talk: Popular third-party RPMs fail to install/update/remove due to security policies verification 
  https://discussion.fedoraproject.org/t/talk-popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70379/1
- 20230208 Kamil Páral Popular third-party RPMs fail to install/update/remove due to security policies verification
  https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
- 20230330 Rebuild to pull in cryptographic fixes for RPM 
  https://bugzilla.redhat.com/show_bug.cgi?id=2183038 
- 20230131 Kevin/Nirik error: rpmdbNextIterator: skipping in Fedora 38+
  https://www.scrye.com/wordpress/nirik/2023/01/31/error-rpmdbnextiterator-skipping-in-fedora-38/ 


I gather there are two options
a) either add SHA1 to the crypto policy
b) rpm-erase the troublesome apps, and wait for the repositories to update to stronger GPG keys
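
The identification step from Comment 2 (read the skipped header numbers from `rpm -qa` stderr, then map each to a package with `rpm -q --nosignature --querybynumber`), written as a script. This is an added example, not part of the bug report or of rpm; the function names are made up here and the sample input is constructed from the log format shown above.

```shell
#!/usr/bin/env bash
# Added example: inventory rpmdb headers that rpm skips because their
# signature fails the active crypto policy. Function names are hypothetical.

# Constructed sample of rpm stderr, in the format shown in this report.
sample_stderr() {
cat <<'EOF'
error: rpmdbNextIterator: skipping h#      17 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
error: rpmdbNextIterator: skipping h#      19 
Header V4 DSA/SHA1 Signature, key ID a109b1ec: BAD
Header SHA1 digest: OK
EOF
}

# stdin: rpm stderr. stdout: "<header#>\t<key id>\t<sig algorithm>",
# one line per skipped header, de-duplicated and sorted by header number.
parse_skipped() {
  awk '
    /rpmdbNextIterator: skipping h#/ {
      n = $0
      sub(/.*skipping h#[ \t]*/, "", n)   # drop everything up to the number
      sub(/[ \t\r]+$/, "", n)             # drop trailing whitespace
      hnum = n
      next
    }
    hnum != "" && /Signature, key ID [0-9a-fA-F]+: BAD/ {
      key = $0
      sub(/.*key ID /, "", key); sub(/:.*/, "", key)
      if (!seen[hnum]++) printf "%s\t%s\t%s\n", hnum, key, $3
      hnum = ""
    }
  ' | sort -n
}

# stdin: parse_skipped output. Needs a live rpmdb; resolves each header
# number to a package name using the flags from Comment 2.
resolve_skipped() {
  while read -r hnum key alg; do
    name=$(rpm -q --nosignature --querybynumber "$hnum" 2>/dev/null) \
      || name="(unresolved)"
    printf '%s\t%s\t%s\t%s\n' "$hnum" "$name" "$key" "$alg"
  done
}

# Offline demo on the constructed sample. On an affected system, use:
#   rpm -qa 2>&1 >/dev/null | parse_skipped | resolve_skipped
sample_stderr | parse_skipped
```

The resolved list shows which packages depend on the rejected signature, so each one can be reviewed before choosing between the two options listed above.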