Add a test for deleting a misplaced IMA signature

RH signing server apparently does IMA signing after the normal signing has already been done, and in doing so places the IMA signatures outside the immutable region. This causes us to do all manner of wrong things, corrupting the package on --delsign and whatnot. rpmsign of course wont create such a signature by itself, so we need a pre-built "crafted" package for the purpose with a specially built rpmsign library: move the includeFileSignatures() call in rpmSign() in sign/rpmgensig.cc right after the headerReload() call, and filesign the vanilla tests/data/RPMS/hello-2.0-1.x86_64.rpm package with the --fskpath=/data/keys/privkey.pem like in the ima test above this.
rpm-software-management · Nov 29, 2024 · 16278c3 · 16278c3
1 parent 71e88ec
commit 16278c3
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/tests/data/RPMS/hello-2.0-1.x86_64-badima.rpm b/tests/data/RPMS/hello-2.0-1.x86_64-badima.rpm
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
@@ -1842,5 +1842,25 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
 /usr/share/example2:030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
 ],
 [ignore])
+RPMTEST_CLEANUP
+
+
+AT_SETUP([--delsign with misplaced ima signature])
+AT_KEYWORDS([rpmsign file signature])
+AT_XFAIL_IF([test $RPM_XFAIL -ne 0])
+RPMTEST_CHECK([
+cp /data/RPMS/hello-2.0-1.x86_64-badima.rpm .
+rpmsign --delsign hello-2.0-1.x86_64-badima.rpm
+],
+[0],
+[],
+[])
 
+RPMTEST_CHECK([
+rpm -qp hello-2.0-1.x86_64-badima.rpm
+],
+[0],
+[hello-2.0-1.x86_64
+],
+[])
 RPMTEST_CLEANUP