Don't let src.rpm packages be file signed
File signatures make no sense in source packages as they don't ship
binaries to be installed on the target system; they're just fancy
archives unpacked into %_topdir for packaging purposes.

Disable the respective flags when processing a src.rpm and log a debug
message as a heads-up, but don't skip the rest: header signatures are
still relevant for source rpms, as is the deletion of existing file
signatures.
dmnks committed Dec 9, 2024
1 parent 13ae220 commit d85b9e8
Showing 2 changed files with 21 additions and 0 deletions.
6 changes: 6 additions & 0 deletions sign/rpmgensig.cc
@@ -698,6 +698,12 @@ static int rpmSign(const char *rpm, int deleting, int flags)
flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
}

if (headerIsSource(h)) {
rpmlog(RPMLOG_DEBUG,
_("File signatures not applicable to src.rpm: %s\n"), rpm);
flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY);
}

origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
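Review bot: the rpmlog() call in the new headerIsSource() block fires for every source package, not only when a file-signing flag was actually requested, so a plain `rpmsign --addsign foo.src.rpm` now emits "File signatures not applicable to src.rpm" at debug level even though nothing was disabled. Consider guarding the block, e.g. `if (headerIsSource(h) && (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)))`, so the heads-up only appears when --signfiles or its fs-verity counterpart was in effect and the flag clearing actually changes behaviour.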

15 changes: 15 additions & 0 deletions tests/rpmsigdig.at
@@ -1908,4 +1908,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
/usr/share/doc/hello-2.0/README:(none)
],
[])

RPMTEST_CHECK([
cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
rpmsign --debug --key-id 4344591E1964C5FC \
--addsign --signfiles --fskpath=/data/keys/privkey.pem \
/tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable"
# Avoid spurious NOKEY warning
rpmsign --delsign /tmp/hello-1.0-1.src.rpm
rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
],
[0],
[D: File signatures not applicable to src.rpm: /tmp/hello-1.0-1.src.rpm
hello-1.0.tar.gz:(none)
],
[])
RPMTEST_CLEANUP
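Review bot: the final `rpm -qp` query runs only after `rpmsign --delsign`, which strips file signatures anyway, so the expected `hello-1.0.tar.gz:(none)` line would pass even if the preceding `--addsign --signfiles` run had attached IMA signatures; as written the test proves the debug message, not the behaviour. Query %{filesignatures} before the --delsign step (rpm's `--nosignature` query option suppresses the NOKEY warning without having to remove the signature first), or drop the --delsign step entirely. Also, because `grep` is the last command in the first pipeline, the `[0]` status check reflects grep's result rather than rpmsign's, so an rpmsign failure that still printed the debug line would go unnoticed.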