From 39068c228d9d190d8886c2a8b114f0494bc60d80 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Thu, 17 Oct 2024 15:11:04 +0300
Subject: [PATCH] Migrate from short keyid to fingerprint on key update
Remove old entries based on short keyid when key is updated via --import.
Related: #3360
---
lib/rpmts.cc | 10 ++++--
tests/data/misc/rpmdb.sqlite | Bin 225280 -> 229376 bytes
tests/rpmsigdig.at | 61 +++++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/lib/rpmts.cc b/lib/rpmts.cc
index b6a7e38708..5e64d7872f 100644
--- a/lib/rpmts.cc
+++ b/lib/rpmts.cc
@@ -622,7 +622,10 @@ static rpmRC rpmtsImportFSKey(rpmtxn txn, Header h, rpmFlags flags, int replace)
 if (!rc && replace) {
 /* find and delete the old pubkey entry */
 char *keyid = headerFormat(h, "%{version}", NULL);
- rpmtsDeleteFSKey(txn, keyid, keyfmt);
+ if (rpmtsDeleteFSKey(txn, keyid, keyfmt) == RPMRC_NOTFOUND) {
+ /* make sure an old, short keyid version gets removed */
+ rpmtsDeleteFSKey(txn, keyid+32, keyfmt);
+ }
 free(keyid);
 }
 
@@ -666,7 +669,10 @@ static rpmRC rpmtsImportDBKey(rpmtxn txn, Header h, rpmFlags flags, int replace)
 /* find and delete the old pubkey entry */
 unsigned int newinstance = headerGetInstance(h);
 char *keyid = headerFormat(h, "%{version}", NULL);
- rpmtsDeleteDBKey(txn, keyid, newinstance);
+ if (rpmtsDeleteDBKey(txn, keyid, newinstance) == RPMRC_NOTFOUND) {
+ /* make sure an old, short keyid version gets removed */
+ rpmtsDeleteDBKey(txn, keyid+32, newinstance);
+ }
 free(keyid);
 }
 
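Review bot: The fallback delete uses a hard-coded offset, `keyid+32`, in both rpmtsImportFSKey and rpmtsImportDBKey, and that is the short keyid only when `%{version}` formats to exactly 40 hex characters. If headerFormat() returns NULL or a shorter string the pointer lands outside the buffer, and a longer fingerprint would yield a suffix that is not the 8-character id. Deriving the offset from the length avoids both: `size_t n = keyid ? strlen(keyid) : 0;` followed by `if (n > 8) rpmtsDeleteFSKey(txn, keyid + n - 8, keyfmt);` inside the NOTFOUND branch, and likewise for the DB variant. The fallback also runs only on RPMRC_NOTFOUND, so a keyring that holds both a fingerprint-named and a short-keyid entry would presumably keep the stale short one; that deserves a comment or an unconditional second delete. Both function bodies start and end outside the hunks.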
diff --git a/tests/data/misc/rpmdb.sqlite b/tests/data/misc/rpmdb.sqlite index 9129728413018f114ef1840e0390bece7d510d83..9d8abd763bbb8e86ba593d6879d31b88ad471d86 100644 GIT binary patch delta 5088 zcmb_gORVEo8Ft3GGxr*1e5X`}QB`!SE;>UxjUB(Co#Hrl66a~>5gIiGug4plwJr#-m{FxWyD0~uN7=0Z=KR~aduU|U7 z_Z##y3P&G~Y&%2e{BWwf)&jnG^{Iyt7<~&u|BJqbUIVP(qUb63;m94FOV>(gFhIHt zq3@yZpqByZ*XVt_aP*PLc6qAzy2f74T8!a~?|kQBKzjp1-vBfI8_-@xcTxC}$epB1 zS6_Sxdte9US8-iO|A<~je~dndj?r(RJQ(pP8a}uaWg@Hj&*Cg)(Kt!l7)Dc=&7Om! zU)YX5db9KPP58kR2O~&=BqMo$~Mly$L>20M(nKJ-MSguiZ<72IO`Alj}Lrj zPp$BK6Kgzit<#IWC;V~y>zken=irN%-zGrBH3)qdWT}RJAN>|OK!1k*3w;wr{53Q@ z12Z2V@6KuX(RI(QV7Cvr_e6T)fO{+U<6nWB>(TcHc~^{4=fb(Ii*H_k3DrAmzXT8O3WUB7#$Ewq zUPV8*14r+VY`^f~t^>bx?RSwgyMQr)&{xqPp%cKcQR+M#eLAv@F*cFFblo&`tW6oL z!5BJiCP*FU3!J8#@Y9h` z?QKO~`}+24HzF^+cHV}{Jy9(%^z^?k6z=8p%R#^f#vU+a-{;3}T3o;Tpy}>Wv#PDhy;G&)f3QV;ix^&>}SH^70Cl{ki#b}td#Bkpj`EGSSU7C&A zATYAEax04kaRL_iJ?cx5cnW*EGyPwA~$0d}GR3?V4I5%XL9d^JLGaA!Qo0W7b z#}rE=+>+WNh=BcG=2#T^=_)H1pqF?H{sjV_0tESGwTWOyVS z$R$*bm?uxjztu}ueKBCHo`T?tRam4GiX!Sui*4=? 
zt9`PY=aWLxSM9ReR)&GkC&eVsr?IRi2YMx>W=7v|YQ17In^Aj+L8yL9bDeTVUN&pV zg^|XlIw5=IftxG_N|jd}KC9G(MyW}q`K-8Qy8u1>VgeLXZ_DC!6AxtOc6p z@O(~ClPOhlt#qR*#S8Pfzzg2~NXo|w{jl8O8l0@;s)>}5*ON;d5k><#FvR3QC>epH zR$SJsblncG4kp&1O;NHcccz7fmFsjwe&C2)M(qn_$=tV=QZ;arNHSGV4oeBMg(Zl7 zUQ5-5rbblQVWm@YgfdmqZ`#2tH;FjU{-c@Ym$rm>3LC`hK+Wa)<{0C)cS0RV?AM-X-diniS=hib1WoB zX`AVH+G=_-%(!vc5j@J5X1rfWjq-J0#0PBY$WD0uTk%Ig;;(m6qZY*Tac?XPE%9M z&XaPcnkvtQge`Ro+`>1QM83c1g>um?#Anv9iYHi^Qf8Q=*4m1m=_=C-jimbVSVQ${ z_MGUlT%}I-z2sbvSKAzsu8#&KquU6UjfxkDUZcs+N;*f$d9ubBluX(2n1SRxC6yUB zm~pn7HOI!dv79+JJsKy}Hs10lOemQy8EaJ%cD!x2oqQ)%!i5Am)@(|%3og}1@>nSy zv?@N=r^Yx_*XH(k=+vkwSf6fEwwIgrB=agOrg<^T^RC4A)^9l>9RxfgIIf~#YAe&} zxpR9Nq!c^eqy`=}h>hdnJVi`W3$@v%E23{#NwO#MzA2=bW;bRm99bI75n_K)UMY&kVeDfW;>MO@4V zYH!TTBifP1_GoI~w` zc%C5CeKS@ISSBNrVm28v)UqHcS|Wov4qrE$RmB*kwM>~Rv~u{q>}Tw`yeM=D6R8y& ziSEcN5=owMrk&D^E)}|JNy1}UMxne$l_vU%z+@fe$tMx$_8t{F*fc>DYtaOUv(W8L zQ+TkoyKC3vT-XD9;ML|8?1Q26t0O6{73y(m<4kKaV5op+9BrH4v4Lgj4g-4)a zhmo-G2sG?45*8kTh8;%2!XwbI!$??o1R8c22@5|#!=7x>-V|BOi&#v3g7&PwVYGL- zFZBjSyVn_vC#xIa02;Q^uiI*Ouh@mF3daTLjw%dv)*E=%xs`x^OaLysRQi5Y2!6ztmarOlqvN@_`$l%bSLubj5RX4#w zVg&;oss#Lp4512&AjD&Iyx+O!d_k}gJiF(cjuw%Fi|$bAtMO#dwOrm7jNlU{Zg&?5 z&9Kw7Pzb(IkSq}whhCp37p#yIJt54`wn$hrc&}@*nRNQ=Hqzgv5-&)JZxE)-0cj?9 z<=z`I(p!XC*(0Uno8PP2v!JK)uK&~@|LUZ;S6+*3DtN$@qqI~5 o#xubqW{fXk_w-2B;px0m$-J`m#|`E9;`nj9wc{lIk-l5|0Z5Tu>;M1& diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 4d376a0d4e..ae68cef50e 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at 
@@ -100,6 +100,67 @@ runroot rpmkeys --list
 [])
 RPMTEST_CLEANUP
 
+AT_SETUP([rpmkeys migrate from keyid to fingerprint (rpmdb)])
+AT_KEYWORDS([rpmkeys rpmdb])
+RPMDB_INIT
+RPMTEST_CHECK([
+runroot rpm -q --dbpath /data/misc/ gpg-pubkey
+],
+[0],
+[gpg-pubkey-1964c5fc-58e63918
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys --import --dbpath /data/misc/ /data/keys/rpm.org-rsa-2048-add-subkey.asc
+],
+[0],
+[],
+[])
+
+RPMTEST_CHECK([
+runroot rpm -q --dbpath /data/misc/ gpg-pubkey
+],
+[0],
+[gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918
+],
+[])
+RPMTEST_CLEANUP
+
+AT_SETUP([rpmkeys migrate from keyid to fingerprint (fs)])
+AT_KEYWORDS([rpmkeys rpmdb])
+RPMDB_INIT
+# root's .rpmmacros used to keep this build prefix independent
+echo "%_keyring fs" >> "${RPMTEST}"/root/.rpmmacros
+
+RPMTEST_CHECK([
+runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
+runroot_other mv /var/lib/rpm/pubkeys/gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918.key /var/lib/rpm/pubkeys/gpg-pubkey-1964c5fc-58e63918.key
+runroot_other ls /var/lib/rpm/pubkeys/
+runroot rpmkeys --list
+],
+[0],
+[gpg-pubkey-1964c5fc-58e63918.key
+771b18d3d7baa28734333c424344591e1964c5fc rpm.org RSA testkey public key
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-add-subkey.asc
+],
+[0],
+[],
+[])
+
+RPMTEST_CHECK([
+runroot_other ls /var/lib/rpm/pubkeys/
+],
+[0],
+[gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918.key
+],
+[])
+RPMTEST_CLEANUP
+
 AT_SETUP([rpmkeys key update (fs)])
 AT_KEYWORDS([rpmkeys signature])
 RPMDB_INIT
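Review bot: The last check of the fs case only runs `ls` on the pubkeys directory, so it proves the file name changed but not that the keyring still loads the key after the migration. Adding `runroot rpmkeys --list` to that final RPMTEST_CHECK, with the fingerprint line in the expected output, would cover that. Neither case covers a keyring that already holds both the short-keyid entry and the fingerprint entry, which is the state where the new fallback in lib/rpmts.cc is skipped.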