diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc index d10f22555d..5151b74d02 100644 --- a/sign/rpmgensig.cc +++ b/sign/rpmgensig.cc @@ -698,6 +698,12 @@ static int rpmSign(const char *rpm, int deleting, int flags) flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3); } + if (headerIsSource(h)) { + rpmlog(RPMLOG_DEBUG, + _("File signatures not applicable to src.rpm: %s\n"), rpm); + flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY); + } + origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES); unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES); diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 5a13c41388..c07c712b82 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at @@ -1908,4 +1908,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm /usr/share/doc/hello-2.0/README:(none) ], []) + +RPMTEST_CHECK([ +cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/ +rpmsign --debug --key-id 4344591E1964C5FC \ + --addsign --signfiles --fskpath=/data/keys/privkey.pem \ + /tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable" +# Avoid spurious NOKEY warning +rpmsign --delsign /tmp/hello-1.0-1.src.rpm +rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm +], +[0], +[D: File signatures not applicable to src.rpm: /tmp/hello-1.0-1.src.rpm +hello-1.0.tar.gz:(none) +], +[]) RPMTEST_CLEANUP