Don't let src.rpm packages to be file signed (RhBug:2316785)

File signatures make no sense in source packages as they don't ship binaries to be installed on the target system, they're just fancy archives unpacked into %_topdir for packaging purposes. Skip file signature generation when processing a src.rpm and log a debug message but don't fail the signing procedure itself, header signatures are still relevant for source rpms, as is the deletion of existing file signatures.
dmnks · Dec 4, 2024 · e84119a · e84119a
1 parent bfc7265
commit e84119a
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc
@@ -699,6 +699,15 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 	    flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
     }
 
+    /* Don't file sign a src.rpm */
+    if (headerIsSource(h) &&
+	(flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))) {
+	rpmlog(RPMLOG_DEBUG,
+	       _("File signatures not applicable to "
+	         "source packages, skipping: %s\n"), rpm);
+	flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY);
+    }
+
     unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 

diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
@@ -1845,4 +1845,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
 ],
 [ignore])
 
+RPMTEST_CHECK([
+cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
+rpmsign --debug --key-id 4344591E1964C5FC \
+	--addsign --signfiles --fskpath=/data/keys/privkey.pem \
+	/tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable"
+# Avoid spurious NOKEY warning
+rpmsign --delsign /tmp/hello-1.0-1.src.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
+],
+[0],
+[D: File signatures not applicable to source packages, skipping: /tmp/hello-1.0-1.src.rpm
+hello-1.0.tar.gz:(none)
+],
+[])
+
 RPMTEST_CLEANUP