Migrate from short keyid to fingerprint on key update
Remove old entries based on short keyid when key is updated via --import.

Related: rpm-software-management#3360
pmatilai authored and ffesti committed Oct 21, 2024
1 parent f81278f commit 39068c2
Showing 3 changed files with 69 additions and 2 deletions.
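--- a/lib/rpmts.cc
+++ b/lib/rpmts.cc
@@ -622,7 +622,10 @@ static rpmRC rpmtsImportFSKey(rpmtxn txn, Header h, rpmFlags flags, int replace)
 if (!rc && replace) {
 /* find and delete the old pubkey entry */
 char *keyid = headerFormat(h, "%{version}", NULL);
-rpmtsDeleteFSKey(txn, keyid, keyfmt);
+if (rpmtsDeleteFSKey(txn, keyid, keyfmt) == RPMRC_NOTFOUND) {
+/* make sure an old, short keyid version gets removed */
+rpmtsDeleteFSKey(txn, keyid+32, keyfmt);
+}
 free(keyid);
 
 }
@@ -666,7 +669,10 @@ static rpmRC rpmtsImportDBKey(rpmtxn txn, Header h, rpmFlags flags, int replace)
 /* find and delete the old pubkey entry */
 unsigned int newinstance = headerGetInstance(h);
 char *keyid = headerFormat(h, "%{version}", NULL);
-rpmtsDeleteDBKey(txn, keyid, newinstance);
+if (rpmtsDeleteDBKey(txn, keyid, newinstance) == RPMRC_NOTFOUND) {
+/* make sure an old, short keyid version gets removed */
+rpmtsDeleteDBKey(txn, keyid+32, newinstance);
+}
 free(keyid);
 }
 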
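Review bot: The fallback delete in both hunks passes `keyid+32`, which hard-codes the assumption that `%{version}` expands to a 40-character hex fingerprint; nothing visible checks the string length or that `headerFormat()` returned non-NULL, so a shorter value would make the pointer run past the buffer and a longer one would yield a suffix that is not the 8-character short keyid. Guarding the call keeps the intended behaviour and removes the assumption: `if (keyid && strlen(keyid) == 40) rpmtsDeleteFSKey(txn, keyid+32, keyfmt);`, and likewise for `rpmtsDeleteDBKey()` in `rpmtsImportDBKey()`. Because a 32-bit keyid is not unique, it is also worth confirming (the delete helpers are outside these hunks) that the entry matched by the short id really holds the same primary key before it is dropped from the keyring. Both functions begin and end outside the hunks shown.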
Binary file modified tests/data/misc/rpmdb.sqlite
Binary file not shown.
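--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -100,6 +100,67 @@ runroot rpmkeys --list
 [])
 RPMTEST_CLEANUP
 
+AT_SETUP([rpmkeys migrate from keyid to fingerprint (rpmdb)])
+AT_KEYWORDS([rpmkeys rpmdb])
+RPMDB_INIT
+RPMTEST_CHECK([
+runroot rpm -q --dbpath /data/misc/ gpg-pubkey
+],
+[0],
+[gpg-pubkey-1964c5fc-58e63918
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys --import --dbpath /data/misc/ /data/keys/rpm.org-rsa-2048-add-subkey.asc
+],
+[0],
+[],
+[])
+
+RPMTEST_CHECK([
+runroot rpm -q --dbpath /data/misc/ gpg-pubkey
+],
+[0],
+[gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918
+],
+[])
+RPMTEST_CLEANUP
+
+AT_SETUP([rpmkeys migrate from keyid to fingerprint (fs)])
+AT_KEYWORDS([rpmkeys rpmdb])
+RPMDB_INIT
+# root's .rpmmacros used to keep this build prefix independent
+echo "%_keyring fs" >> "${RPMTEST}"/root/.rpmmacros
+
+RPMTEST_CHECK([
+runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
+runroot_other mv /var/lib/rpm/pubkeys/gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918.key /var/lib/rpm/pubkeys/gpg-pubkey-1964c5fc-58e63918.key
+runroot_other ls /var/lib/rpm/pubkeys/
+runroot rpmkeys --list
+],
+[0],
+[gpg-pubkey-1964c5fc-58e63918.key
+771b18d3d7baa28734333c424344591e1964c5fc rpm.org RSA testkey <[email protected]> public key
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-add-subkey.asc
+],
+[0],
+[],
+[])
+
+RPMTEST_CHECK([
+runroot_other ls /var/lib/rpm/pubkeys/
+],
+[0],
+[gpg-pubkey-771b18d3d7baa28734333c424344591e1964c5fc-58e63918.key
+],
+[])
+RPMTEST_CLEANUP
+
 AT_SETUP([rpmkeys key update (fs)])
 AT_KEYWORDS([rpmkeys signature])
 RPMDB_INIT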
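Review bot: Both new test groups start from a keyring that holds a single key, so they show that the short-keyid entry is replaced but not that the fallback delete leaves other entries alone. Consider importing a second, unrelated key before the `rpm.org-rsa-2048-add-subkey.asc` import and asserting that it is still present in the final `rpm -q gpg-pubkey` and `ls /var/lib/rpm/pubkeys/` output. The fs group would also benefit from a closing `runroot rpmkeys --list` check, so the test confirms the migrated file is still readable as a key and not merely present under the new name.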
