From dc1695da7edb013650439866cef9e2ac043663f9 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Fri, 29 Nov 2024 12:59:02 +0200
Subject: [PATCH] Add tests for IMA signature deletion too

Normally IMA signatures should only be deleted with an explicit rpmsign --delfilesign, but in case the are misplaced outside the immutable region they get thrown out by rpmsign. This is expected and desired behavior, it's simply the wrong place to place to put them and not something we want to encourage in any way.
---
 tests/rpmsigdig.at | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 603f4a8aa6..e9e69ecbe5 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -1842,6 +1842,28 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
 /usr/share/example2:030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
 ],
 [ignore])
+
+RPMTEST_CHECK([[
+cp /data/RPMS/imatest-1.0-1.fc34.noarch.rpm .
+rpmsign --delsign imatest-1.0-1.fc34.noarch.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" imatest-1.0-1.fc34.noarch.rpm
+]],
+[0],
+[/usr/share/example1:030204a598255400483046022100e5117bdafa73baaeb1f1dc46ecaa46981a62d417745a33532572b63dc6d95d16022100c789107ac5b91e2d915e1df3c7b78414f6b3f50899d44c1de381d0e938dfc82b
+/usr/share/example2:030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
+],
+[])
+
+RPMTEST_CHECK([[
+cp /data/RPMS/imatest-1.0-1.fc34.noarch.rpm .
+rpmsign --delfilesign imatest-1.0-1.fc34.noarch.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" imatest-1.0-1.fc34.noarch.rpm
+]],
+[0],
+[/usr/share/example1:(none)
+/usr/share/example2:(none)
+],
+[])
 RPMTEST_CLEANUP
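Review bot: The `--delsign` check added after `[ignore])` asserts only that `%{filesignatures}` is unchanged, so it would still pass if `rpmsign --delsign` removed nothing at all. The test is meant to show that the package signature goes while the IMA file signatures stay, and only the second half is pinned. Assuming the imatest package carries an RSA header signature (not visible in this hunk), a line such as `rpm -qp --qf "%{rsaheader:pgpsig}\n" imatest-1.0-1.fc34.noarch.rpm` with `(none)` added to the expected output would cover the first half. A one-line comment above each of the two checks saying which signatures are expected to survive would also match the comment style used in the second hunk.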
@@ -1862,4 +1884,18 @@ rpm -qp hello-2.0-1.x86_64-badima.rpm
 [hello-2.0-1.x86_64
 ],
 [])
+
+# NORMALLY --delsign shouldn't delete file signatures, but when they are
+# misplaced outside the immutable region, this is EXPECTED behavior.
+RPMTEST_CHECK([[
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
+]],
+[0],
+[/usr/bin/hello:(none)
+/usr/share/doc/hello-2.0:(none)
+/usr/share/doc/hello-2.0/COPYING:(none)
+/usr/share/doc/hello-2.0/FAQ:(none)
+/usr/share/doc/hello-2.0/README:(none)
+],
+[])
 RPMTEST_CLEANUP
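Review bot: The new check after `[])` shows `(none)` for every file, but nothing visible here establishes that `hello-2.0-1.x86_64-badima.rpm` reported file signatures before the rpmsign step, so the result does not by itself demonstrate a deletion. That step and any earlier query sit in the part of the test above the hunk. If no "before" assertion exists there, running the same `rpm -qp --qf "[%{filenames}:%{filesignatures}\n]"` query on the untouched package first, expecting real signature values, would make the `(none)` output meaningful. The comment would also read more clearly if "this" were spelled out, for example `# misplaced outside the immutable region, dropping them is EXPECTED behavior.`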