RPMs no longer install

George Baltz

Aug 19, 2021 @ 02:20 PM

Just tried to update to latest beta (3095) on openSUSE Leap 15.3, but I've run into the problems others have seen on other distributions:

# rpm -Uvh RPMs/moneydance_linux_amd64.3095.rpm
error: RPMs/moneydance_linux_amd64.3095.rpm: invalid signature tag Archivesize (1046)
error: RPMs/moneydance_linux_amd64.3095.rpm cannot be installed

It seems to stem from several security patches applied to rpm itself. From the changelog:
- backport header check security fixes from upstream [CVE-2021-3421]
  [CVE-2021-20271] [CVE-2021-20266]
  [bsc#1183543] [bsc#1183545]
  new patch: headerchk3.diff

The Moneydance RPM headers will have to be updated, or the RPMs won't be usable anywhere.

GeoB
Moneydance user since 2003
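
To see which tags a package carries in its signature header without installing it, the header index can be read directly. This is an added example, not part of the original post or of Moneydance's or rpm's own tooling; it assumes the standard RPM on-disk layout (a 96-byte lead followed by the signature header), and `build_sample` is a hypothetical helper that constructs synthetic input.

```python
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic plus version byte
REJECTED_TAG = 1046                 # "Archivesize (1046)" from the rpm error above


def signature_tags(blob):
    """Return the tag numbers listed in the signature header index of an RPM."""
    if len(blob) < LEAD_SIZE + 16 or blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package (bad lead)")
    intro = blob[LEAD_SIZE:LEAD_SIZE + 16]
    if intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # Bytes 4..8 are reserved; then entry count and data size, both big-endian.
    nindex, hsize = struct.unpack(">II", intro[8:16])
    index_start = LEAD_SIZE + 16
    index_end = index_start + 16 * nindex
    if index_end + hsize > len(blob):
        raise ValueError("signature header is truncated")
    tags = []
    for pos in range(index_start, index_end, 16):
        # Each index entry is tag, type, offset, count (4 bytes each).
        tag, _type, _offset, _count = struct.unpack(">IIII", blob[pos:pos + 16])
        tags.append(tag)
    return tags


def has_rejected_tag(blob, tag=REJECTED_TAG):
    """True if the signature header lists the tag that rpm refused."""
    return tag in signature_tags(blob)


def build_sample(tags):
    """Constructed input: lead + signature header holding one INT32 per tag."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 4, 4 * i, 1) for i, t in enumerate(tags))
    data = bytes(4 * len(tags))
    intro = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(data))
    return lead + intro + index + data


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # path to an .rpm file
        found = signature_tags(fh.read(1 << 20))
    print("signature header tags:", found)
    print("contains tag 1046:", REJECTED_TAG in found)
```

Run it with the path to a package file as the only argument; it reads the header only and does not install or execute anything.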

  1. 1 Posted by SeanS on Aug 22, 2021 @ 04:20 AM

    This was first reported in April. Is there an estimate when this will be fixed? For anyone running Fedora 34 there is apparently no workaround.

  2. 2 Posted by Tom Smith on Aug 22, 2021 @ 12:39 PM

    For what it's worth...
    RPMs still install on Rocky Linux 8.4 and CentOS 8.
    But I run Fedora 34 on all my live systems. The RPMs fail to install or update.
    The "workaround" is to use the installation script. But one needs to verify the md5sum of the script first. Kinda clunky and sorta safe (maybe).
    The RPM packaging really should be fixed.
    The changes made in Fedora 34 are very likely to migrate to the other Linux flavors soon.

  3. Support Staff 3 Posted by Ethan on Aug 22, 2021 @ 04:01 PM

    Hello,

    Unfortunately we've had difficulty with our current build systems to get the RPM to work for all the versions of Linux that use those. If the RPM isn't working for you, we recommend the install script, or the .tar.gz file, which you can download and run anywhere without an installer. Both can be found at: https://infinitekind.com/stabledl/current/

    If needed, the md5sums can also be found at that link. I'd add however that you're downloading directly from our site through https, so you shouldn't need to verify the checksums. Or rather, if you don't trust that downloads from our site haven't been compromised, there's no reason to believe that the md5sums wouldn't be compromised as well.

    Ethan
    Infinite Kind Support

  4. System closed this discussion on Nov 21, 2021 @ 04:10 PM.

  5. SeanS re-opened this discussion on May 01, 2022 @ 09:55 PM

  6. 4 Posted by SeanS on May 01, 2022 @ 09:55 PM

    For those inclined to build their own RPM, here's a spec file I've used successfully on Fedora 34.

  7. System closed this discussion on Jul 31, 2022 @ 10:00 PM.

Comments are currently closed for this discussion. You can start a new one.
