On Mon, Oct 31, 2016 at 12:01 PM Panu Matilainen <pmatilai(a)laiskiainen.org>
On 10/31/2016 05:17 PM, Florian Weimer wrote:
> On 10/21/2016 05:34 PM, Kevin Fenzi wrote:
>> On Thu, 20 Oct 2016 16:42:02 +0000
>> Christopher <ctubbsii(a)fedoraproject.org> wrote:
>>> What is the "Payload Hash" in koji?
>>> It looks like an MD5, but of what? It's not the rpm... I've
>>> Should koji be providing verification hashes for manual downloads of
>>> built RPMs? I think this would be useful for testing.
>> I'm not sure either. I think it's the internal payload before adding
>> the signatures, etc?
> It's the RPM_SIGTAG_MD5 RPM header:
> SIGNATURE:SIGTAG_HEADERSIGNATURES (BIN):
> SIGNATURE:SIGTAG_SHA1HEADER (STRING):
> SIGNATURE:SIGTAG_SIZE (INT32): 103674
> SIGNATURE:SIGTAG_MD5 (BIN):
> SIGNATURE:SIGTAG_PAYLOADSIZE (INT32): 396760
> I'm not completely sure over which part of the RPM it is computed. I
> suspect over the non-signature header followed by the decompressed
All RPM v3 digests (so yes, RPM_SIGTAG_MD5) and signatures are on the
(non-signature) header + compressed payload. Only the individual file
digests are on uncompressed data.
- Panu -
Thanks. This was explained on https://pagure.io/koji/issue/190
instructions on how to verify.