Skip to content

Commit

Permalink
Don't let src.rpm packages to be file signed (RhBug:2316785)
Browse files Browse the repository at this point in the history
File signatures make no sense in source packages as they don't ship
binaries to be installed on the target system, they're just fancy
archives unpacked into %_topdir for packaging purposes.

Issue a warning instead when attempting to sign a src.rpm but don't fail
the package signing entirely, header signatures are still relevant, as
is the deletion of existing file signatures from a src.rpm.
  • Loading branch information
dmnks committed Nov 26, 2024
1 parent 52bc9fc commit 5112f52
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 8 deletions.
22 changes: 14 additions & 8 deletions sign/rpmgensig.cc
Original file line number Diff line number Diff line change
Expand Up @@ -702,14 +702,20 @@ static int rpmSign(const char *rpm, int deleting, int flags)
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);

if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}

if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
/* Add file signatures (if requested and not a source rpm) */
if (!headerIsSource(h)) {
if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}
if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
}
} else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
rpmlog(RPMLOG_WARNING,
_("File signatures not applicable to source packages: %s\n"),
rpm);
}

if (deleting == 2) { /* Nuke IMA + fsverity file signature tags. */
Expand Down
13 changes: 13 additions & 0 deletions tests/rpmsigdig.at
Original file line number Diff line number Diff line change
Expand Up @@ -1845,4 +1845,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
],
[ignore])

RPMTEST_CHECK([
cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
rpmsign --key-id 4344591E1964C5FC --addsign --signfiles --fskpath=/data/keys/privkey.pem /tmp/hello-1.0-1.src.rpm
# Avoid spurious NOKEY warning
rpmsign --delsign /tmp/hello-1.0-1.src.rpm
rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
],
[0],
[hello-1.0.tar.gz:(none)
],
[warning: File signatures not applicable to source packages: /tmp/hello-1.0-1.src.rpm
])

RPMTEST_CLEANUP

0 comments on commit 5112f52

Please sign in to comment.