RPM

Comment 3 for bug 638591

In , Jeff Johnson (n3npq) wrote :

BTW, here's the failure I was referring to:

[jbj@wellfleet tmp]$ rpm --addsign smbios-utils-2.1.0-1.1.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
smbios-utils-2.1.0-1.1.x86_64.rpm:
rpm: header.c:1104: headerLoad: Assertion `(rpmint32_t)rdl >= 0' failed.
Aborted
[jbj@wellfleet tmp]$ rpm --version
rpm (RPM) 5.2.DEVEL

There's an assertion check that the offset field in the trailer region
that marks the end of the plaintext that is digitally signed had a
negative value stored originally.

The code is different in rpm-5.0, but a similar operation is performed in rpm4
as a sanity check on the "immutable header region", i.e. the plaintext
that is digitally signed in a *.rpm package.

Here's the snippet of rpmdb/header.c code around the assertion failure:

...

        { rpmint32_t off = (rpmint32_t) ntohl(pe->offset);

            if (hdrchkData(off))
                goto errxit;
            if (off) {
/*@-sizeoftype@*/
                size_t nb = REGION_TAG_COUNT;
/*@=sizeoftype@*/
                rpmuint32_t * stei = memcpy(alloca(nb), dataStart + off, nb);
                rdl = (rpmuint32_t)-ntohl(stei[2]); /* negative offset */
assert((rpmint32_t)rdl >= 0); /* XXX insurance */
                ril = (rpmuint32_t)(rdl/sizeof(*pe));
                if (hdrchkTags(ril) || hdrchkData(rdl))
                    goto errxit;
                entry->info.tag = (rpmuint32_t) htonl(pe->tag);
            } else {
                ril = il;
                /*@-sizeoftype@*/
                rdl = (rpmuint32_t)(ril * sizeof(struct entryInfo_s));
                /*@=sizeoftype@*/
                entry->info.tag = HEADER_IMAGE;
            }
        }
        entry->info.offset = (rpmint32_t) -rdl; /* negative offset */

...
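
Added example (not part of the original comment and not RPM's own code): the same trailer check written so that a malformed stored offset is returned as a parse error instead of aborting the process. The helper name region_length, the 16-byte trailer layout, and the max_rdl bound standing in for hdrchkData() are assumptions made for illustration; the sample trailers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRAILER_LEN 16u /* assumption: 4 big-endian 32-bit words, offset is word 2 */

/* Decode a big-endian 32-bit word byte by byte (no alignment or ntohl needed). */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: validate the trailer at data[off] and return the region
 * length through *rdl. Returns 0 on success, -1 on a malformed trailer. */
static int region_length(const unsigned char *data, size_t dl, size_t off,
                         uint32_t max_rdl, uint32_t *rdl)
{
    uint32_t raw, len;

    if (off > dl || dl - off < TRAILER_LEN)
        return -1;               /* trailer would extend past the data area */
    raw = be32(data + off + 8);  /* word 2, the stei[2] of the snippet */
    len = 0u - raw;              /* unsigned negation is well defined */
    if (len > (uint32_t)INT32_MAX)
        return -1;               /* the condition the assert tests, as an error */
    if (len > max_rdl)
        return -1;               /* caller's bound, standing in for hdrchkData() */
    *rdl = len;
    return 0;
}

int main(void)
{
    /* Constructed trailers: stored offset -32 (well formed) and +32 (malformed). */
    unsigned char good[16] = {0,0,0,62, 0,0,0,7, 0xff,0xff,0xff,0xe0, 0,0,0,16};
    unsigned char bad[16]  = {0,0,0,62, 0,0,0,7, 0,0,0,32, 0,0,0,16};
    uint32_t rdl = 0;
    int rc = region_length(good, sizeof good, 0, 65536, &rdl);

    printf("good: rc=%d rdl=%u\n", rc, (unsigned)rdl);
    rc = region_length(bad, sizeof bad, 0, 65536, &rdl);
    printf("bad:  rc=%d\n", rc);
    return 0;
}
```

A stored offset that is positive, or equal to INT32_MIN, negates to a value that is negative as a signed 32-bit integer; here both cases come back as -1 to the caller.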