Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix md5sums generation for deb packages #799

Merged
merged 1 commit into from Nov 4, 2014

Conversation

@rfc1459
Copy link
Contributor

rfc1459 commented Nov 4, 2014

Since version 1.17.2, dpkg includes a --verify operation mode which is roughly comparable to what rpm --verify does. Among the checks, it verifies MD5 sums of installed files using /var/lib/dpkg/info/<package>.md5sums like debsums used to do.

Unfortunately, dpkg --verify insists on having the md5sums control file formatted exactly as it would be produced by a run of md5sum (hash, two spaces, file path), if a single md5sums file is badly formatted it will die with a "missing value separator" error.

This PR addresses this (debatable) behavior by adding the missing space. It should be noted that this is probably a dpkg issue (md5sum, debsums and lintian itself are more forgiving), but the aforementioned version is already shipping on recent Ubuntu versions and it would be troublesome to get it fixed.

The md5sums control file must be formatted exactly as it would be
produced by a run of md5sum (MD5, two spaces, file path). Failing to do
so breaks dpkg --verify.
@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

Oh my, computers! So terrible sometimes.

Thank you for taking the time to identify the problem and solve it. I'll try to write some tests to verify this kind of thing stays working in the future, if nobody else does first :)

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

% dpkg -V fizz
dpkg: error: control file 'md5sums' missing value separator

Confirmed.

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

It'd be useful to know which Debian/Ubuntu versions this affects, if not all of them.

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

amusingly, lintian doesn't complain

@rfc1459

This comment has been minimized.

Copy link
Contributor Author

rfc1459 commented Nov 4, 2014

As far as I know, all currently supported versions of Ubuntu are affected except the old LTS (12.04) and 10.04 (which is past EOL for desktop-related packages and slated for complete EOL on April 2015). I did not check other EOL'd releases since nobody should be running them anyway.

Debian wheezy is not affected since dpkg 1.17.2 (the version which introduced the --verify switch) was released later, but Jessie (which is approaching the pre-release freeze) and unstable are affected.

As I mentioned, all usual tools (even lintian, as you found out) are more forgiving when handling the md5sums control file, it's just dpkg which insists on following the spec down to the number of spaces.

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

Here's a way to patch all the installed md5sum files:

sudo sed -i -re 's/([A-Fa-f0-9]{32}) +([^ ].+)$/\1  \2/' /var/lib/dpkg/info/*.md5sums

Result:

% dpkg -V fizz
dpkg: error: control file 'md5sums' missing value separator
% sudo sed -i -re 's/([A-Fa-f0-9]{32}) +([^ ].+)$/\1  \2/' /var/lib/dpkg/info/*.md5sums
% dpkg -V fizz
% echo $?
0
@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

I'm trying to figure out a good way to test this, but one of dpkg's worst features is requiring root to run, so it'll be difficult to automate a test for :(

jordansissel added a commit that referenced this pull request Nov 4, 2014
Fix md5sums generation for deb packages
@jordansissel jordansissel merged commit 8040058 into jordansissel:master Nov 4, 2014
@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

Merging since this is an important fix. I'll figure out testing later.

I have manually tested and verified that dpkg -V is successful after building a package with this patch.

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 4, 2014

fpm 1.3.1 published with this fix.

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 5, 2014

1.3.1 pulled, 1.3.2 published.

1.3.2 brings a fix such that fpm -s deb -t deb works correctly with respect to the new Changelog support added in 1.3.0 via #784

@jordansissel

This comment has been minimized.

Copy link
Owner

jordansissel commented Nov 5, 2014

prof-milki pushed a commit to prof-milki/xpm that referenced this pull request Dec 18, 2014
Fix md5sums generation for deb packages
prof-milki pushed a commit to prof-milki/xpm that referenced this pull request Dec 27, 2014
Fix md5sums generation for deb packages
jordansissel added a commit that referenced this pull request Apr 24, 2015
Fix md5sums generation for deb packages
jordansissel added a commit that referenced this pull request Jun 20, 2016
Fix md5sums generation for deb packages
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.