From 081abf837b55c2303174a17b26400c65211b62e7 Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Thu, 21 Nov 2024 14:22:55 +0100 Subject: [PATCH] Don't let src.rpm packages to be file signed (RhBug:2316785) File signatures make no sense in source packages as they don't ship binaries to be installed on the target system, they're just fancy archives unpacked into %_topdir for packaging purposes. Issue a warning instead when attempting to sign a src.rpm but don't fail the package signing entirely, header signatures are still relevant, as is the deletion of existing file signatures from a src.rpm. --- sign/rpmgensig.cc | 22 ++++++++++++++-------- tests/rpmsigdig.at | 13 +++++++++++++ 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc index 85a515e3bd..54f81460ba 100644 --- a/sign/rpmgensig.cc +++ b/sign/rpmgensig.cc @@ -702,14 +702,20 @@ static int rpmSign(const char *rpm, int deleting, int flags) unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES); origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES); - if (flags & RPMSIGN_FLAG_IMA) { - if (includeFileSignatures(&sigh, &h)) - goto exit; - } - - if (flags & RPMSIGN_FLAG_FSVERITY) { - if (includeVeritySignatures(fd, &sigh, &h)) - goto exit; + /* Add file signatures (if requested and not a source rpm) */ + if (!headerIsSource(h)) { + if (flags & RPMSIGN_FLAG_IMA) { + if (includeFileSignatures(&sigh, &h)) + goto exit; + } + if (flags & RPMSIGN_FLAG_FSVERITY) { + if (includeVeritySignatures(fd, &sigh, &h)) + goto exit; + } + } else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) { + rpmlog(RPMLOG_WARNING, + _("File signatures not applicable to source packages: %s\n"), + rpm); } if (deleting == 2) { /* Nuke IMA + fsverity file signature tags. */ diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 63bef22c15..59b75b315a 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at @@ -1845,4 +1845,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34. ], [ignore]) +RPMTEST_CHECK([ +cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/ +rpmsign --key-id 4344591E1964C5FC --addsign --signfiles --fskpath=/data/keys/privkey.pem /tmp/hello-1.0-1.src.rpm +# Avoid spurious NOKEY warning +rpmsign --delsign /tmp/hello-1.0-1.src.rpm +rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm +], +[0], +[hello-1.0.tar.gz:(none) +], +[warning: File signatures not applicable to source packages: /tmp/hello-1.0-1.src.rpm +]) + RPMTEST_CLEANUP