RPM

Cannot re-sign rpms built by obs in Fedora 9

Bug #638591 reported by Jeff Johnson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
RPM | New | Undecided | Unassigned |
openSUSE | Invalid | High | |

Bug Description

tracker

Tags: opensuse sign
In , Michael Brown (michael-e-brown) wrote :

Note that resigning the same rpm works ok using a SLES10sp1 box.

In , Jeff Johnson (n3npq) wrote :

Created an attachment (id=245231)
hexdump -C smbios-utils-2.1.0-1.1.x86_64.rpm


In , Jeff Johnson (n3npq) wrote :

BTW, here's the failure I was referring to:

[jbj@wellfleet tmp]$ rpm --addsign smbios-utils-2.1.0-1.1.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
smbios-utils-2.1.0-1.1.x86_64.rpm:
rpm: header.c:1104: headerLoad: Assertion `(rpmint32_t)rdl >= 0' failed.
Aborted
[jbj@wellfleet tmp]$ rpm --version
rpm (RPM) 5.2.DEVEL

There's an assertion check that the offset field in the trailer region
that marks the end of the plaintext that is digitally signed had a
negative value stored originally.

The code is different in rpm-5.0, but a similar operation is performed in rpm4
as a sanity check on the "immutable header region", i.e. the plaintext
that is digitally signed in a *.rpm package.

Here's the snippet of rpmdb/header.c code around the assertion failure:

...

        { rpmint32_t off = (rpmint32_t) ntohl(pe->offset);

            if (hdrchkData(off))
                goto errxit;
            if (off) {
/*@-sizeoftype@*/
                size_t nb = REGION_TAG_COUNT;
/*@=sizeoftype@*/
                rpmuint32_t * stei = memcpy(alloca(nb), dataStart + off, nb);
                rdl = (rpmuint32_t)-ntohl(stei[2]); /* negative offset */
assert((rpmint32_t)rdl >= 0); /* XXX insurance */
                ril = (rpmuint32_t)(rdl/sizeof(*pe));
                if (hdrchkTags(ril) || hdrchkData(rdl))
                    goto errxit;
                entry->info.tag = (rpmuint32_t) htonl(pe->tag);
            } else {
                ril = il;
                /*@-sizeoftype@*/
                rdl = (rpmuint32_t)(ril * sizeof(struct entryInfo_s));
                /*@=sizeoftype@*/
                entry->info.tag = HEADER_IMAGE;
            }
        }
        entry->info.offset = (rpmint32_t) -rdl; /* negative offset */

...
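
As an added illustration (not code from rpm and not part of the comment above), the same trailer check can be written to reject a malformed header with an error code where the snippet calls assert(). The function names, error codes, the 16-byte four-field entry layout and the `ril <= il` bound are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENTRY_SIZE 16u /* assumed: tag, type, offset, count as big-endian uint32 */
enum { REGION_OK = 0, REGION_EOFF = -1, REGION_ESIGN = -2, REGION_ESIZE = -3 };

static uint32_t be32(const uint8_t *p) /* alignment-safe big-endian read */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: derive rdl/ril from the trailer at data[off] and
 * return an error code where the snippet above asserts. */
int region_from_trailer(const uint8_t *data, size_t dl, int32_t off,
                        uint32_t il, uint32_t *rdl, uint32_t *ril)
{
    if (off < 0 || (size_t)off > dl || dl - (size_t)off < ENTRY_SIZE)
        return REGION_EOFF;   /* trailer must lie inside the data area */
    /* Third word of the trailer is its offset field (stei[2]). */
    int64_t stored = (int32_t)be32(data + off + 8);
    if (stored >= 0)          /* positive trips the assert; zero rejected here too */
        return REGION_ESIGN;
    int64_t len = -stored;    /* 64-bit negate, safe even for INT32_MIN */
    if (len % ENTRY_SIZE != 0 || (uint64_t)len / ENTRY_SIZE > il)
        return REGION_ESIZE;  /* assumed bound: region fits within the index */
    *rdl = (uint32_t)len;
    *ril = (uint32_t)(len / ENTRY_SIZE);
    return REGION_OK;
}

/* Constructed sample: 32-byte data area whose trailer sits at offset 16. */
int check_sample(int32_t stored_off, uint32_t il)
{
    uint8_t data[32] = {0};
    uint32_t v = (uint32_t)stored_off, rdl = 0, ril = 0;
    for (int i = 0; i < 4; i++)
        data[16 + 8 + i] = (uint8_t)(v >> (24 - 8 * i));
    return region_from_trailer(data, sizeof data, 16, il, &rdl, &ril);
}

int main(void)
{
    printf("negative trailer offset: %d\n", check_sample(-48, 3));
    printf("positive trailer offset: %d\n", check_sample(48, 3));
    return 0;
}
```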

In , Jeff Johnson (n3npq) wrote :

I've rebuilt the src.rpm on Fedora 10beta (note rpm-5.2 and i386 are different, can't be helped).

I'm able to sign and resign the packages I've built.

I've put the original packages (from mebrown) at
    http://wraptastic.org/pub/jbj
as well as the packages I've rebuilt (my build does not have the ".fc9" distag in the name).

hth

In , Michael Brown (michael-e-brown) wrote :

This also appears to affect yum-arch. While trying to add repository metadata for my RHEL 4 repository using yum-arch, I see that yum-arch thinks that all of the RPMs are invalid and refuses to create repo metadata.

In , Michael Brown (michael-e-brown) wrote :

Ok, please ignore comment #5 for now. I am unable to reproduce this behaviour today. :(

In , Jeff Johnson (n3npq) wrote :

Comment #5 ignored.

But you are likely to see this error reproduced by many applications, it's
a flaw on the primary means of reading headers, and is a difference in what
values are expected in the header format, afaict from afar.

Jeff Johnson (n3npq) wrote :

tracker

tags: added: opensuse sign
Changed in opensuse:
importance: Unknown → High
status: Unknown → Confirmed
In , Speilicke (speilicke) wrote :

Closing for now, as this seems outdated and hard to reproduce. Reopen if needed.

Changed in opensuse:
status: Confirmed → Invalid