Skip to content

Commit

Permalink
Don't let src.rpm packages to be file signed (RhBug:2316785)
Browse files Browse the repository at this point in the history
File signatures make no sense in source packages as they don't ship
binaries to be installed on the target system, they're just fancy
archives unpacked into %_topdir for packaging purposes.

Disable the respective flags when processing a src.rpm and log a debug
message as a heads-up, but don't skip the rest, header signatures are
still relevant for source rpms, as is the deletion of existing file
signatures.
  • Loading branch information
dmnks committed Dec 4, 2024
1 parent 9484833 commit e08850f
Show file tree
Hide file tree
Showing 3 changed files with 25 additions and 4 deletions.
8 changes: 4 additions & 4 deletions lib/fsm.cc
Original file line number Diff line number Diff line change
Expand Up @@ -877,10 +877,10 @@ static rpmfi fsmIterFini(rpmfi fi, struct diriter_s *di)

static rpmPlugins fsmPlugins(rpmts ts, rpmte te)
{
if (headerIsSource(rpmteHeader(te)))
return NULL;
else
return rpmtsPlugins(ts);
Header h = rpmteHeader(te);
int isSource = headerIsSource(h);
headerFree(h);
return (isSource ? NULL : rpmtsPlugins(ts));
}

int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
Expand Down
6 changes: 6 additions & 0 deletions sign/rpmgensig.cc
Original file line number Diff line number Diff line change
Expand Up @@ -698,6 +698,12 @@ static int rpmSign(const char *rpm, int deleting, int flags)
flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
}

if (headerIsSource(h)) {
rpmlog(RPMLOG_DEBUG,
_("File signatures not applicable to src.rpm: %s\n"), rpm);
flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY);
}

origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);

Expand Down
15 changes: 15 additions & 0 deletions tests/rpmsigdig.at
Original file line number Diff line number Diff line change
Expand Up @@ -1908,4 +1908,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
/usr/share/doc/hello-2.0/README:(none)
],
[])

RPMTEST_CHECK([
cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
rpmsign --debug --key-id 4344591E1964C5FC \
--addsign --signfiles --fskpath=/data/keys/privkey.pem \
/tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable"
# Avoid spurious NOKEY warning
rpmsign --delsign /tmp/hello-1.0-1.src.rpm
rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
],
[0],
[D: File signatures not applicable to src.rpm: /tmp/hello-1.0-1.src.rpm
hello-1.0.tar.gz:(none)
],
[])
RPMTEST_CLEANUP

0 comments on commit e08850f

Please sign in to comment.