From ddd6e5394af6c9490c4243ecf2f30a67600d96c4 Mon Sep 17 00:00:00 2001
From: Michal Domonkos
Date: Thu, 21 Nov 2024 14:22:55 +0100
Subject: [PATCH] Don't let src.rpm packages to be file signed

File signatures make no sense in source packages as they don't ship binaries to be installed on the target system, they're just fancy archives unpacked into %_topdir for packaging purposes. Disable the respective flags when processing a src.rpm and log a debug message as a heads-up, but don't skip the rest, header signatures are still relevant for source rpms, as is the deletion of existing file signatures.
---
 sign/rpmgensig.cc | 6 ++++++
 tests/rpmsigdig.at | 15 +++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc
index d10f22555d..5151b74d02 100644
--- a/sign/rpmgensig.cc
+++ b/sign/rpmgensig.cc
@@ -698,6 +698,12 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
 }
 
+ if (headerIsSource(h)) {
+ rpmlog(RPMLOG_DEBUG,
+ _("File signatures not applicable to src.rpm: %s\n"), rpm);
+ flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY);
+ }
+
 origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 5a13c41388..c07c712b82 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
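Review bot: The new `rpmlog(RPMLOG_DEBUG, ...)` call fires for every src.rpm that passes through rpmSign, including plain --addsign or --resign runs that never asked for file signatures, so the heads-up becomes unconditional debug noise rather than a signal that something requested was dropped. Gating the block on the flags actually being set keeps the message meaningful and leaves the added test unaffected: `if (headerIsSource(h) && (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))) {`. Since an explicit --signfiles request is then discarded with no user-visible output unless --debug is on, a level above RPMLOG_DEBUG may be worth considering for that gated case, though the commit message deliberately picks debug. rpmSign's body begins before and continues past this hunk.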
@@ -1908,4 +1908,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
 /usr/share/doc/hello-2.0/README:(none)
 ],
 [])
+
+RPMTEST_CHECK([
+cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
+rpmsign --debug --key-id 4344591E1964C5FC \
+ --addsign --signfiles --fskpath=/data/keys/privkey.pem \
+ /tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable"
+# Avoid spurious NOKEY warning
+rpmsign --delsign /tmp/hello-1.0-1.src.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
+],
+[0],
+[D: File signatures not applicable to src.rpm: /tmp/hello-1.0-1.src.rpm
+hello-1.0.tar.gz:(none)
+],
+[])
 RPMTEST_CLEANUP
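Review bot: Piping rpmsign into `grep "File signatures not applicable"` discards rpmsign's exit status and every other line it printed, so a signing failure that happens after the debug message is logged (unreadable key, bad --fskpath) would still pass, and the following `rpmsign --delsign` removes the header signature before anything checks that it was added. As written the test proves only that the debug line appeared and that no file signatures landed in the src.rpm, not the "header signatures are still relevant" half of the commit message. Checking that a header signature is present before the `--delsign` line (for example with `rpm -Kv`, which the NOKEY comment suggests is what the deletion is working around) and examining rpmsign's exit status outside the pipeline would close that gap.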