From e53a2d589ed1203da77f3efc43c4b93998f57b11 Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Tue, 10 Dec 2024 13:53:43 +0100
Subject: [PATCH] Check not configured keystore backends for keys

Give an warning if they contain public keys. This allows the user to detect misconfigurations or missing conversion from one backend to another.
---
 lib/keystore.cc | 21 +++++++++++++++++++++
 lib/keystore.hh | 2 ++
 lib/rpmts.cc | 1 +
 3 files changed, 24 insertions(+)

diff --git a/lib/keystore.cc b/lib/keystore.cc
index 382a028e83..bca10abfe2 100644
--- a/lib/keystore.cc
+++ b/lib/keystore.cc
@@ -96,6 +96,27 @@ static rpmRC write_key_to_disk(rpmPubkey key, string & dir, string & filename, i
 return rc;
 }
+rpmRC rpm::check_backends(rpmtxn txn, rpmts ts)
+{
+ rpmRC rc = RPMRC_OK;
+
+ keystore_fs ks_fs = {};
+ keystore_rpmdb ks_rpmdb = {};
+ keystore_openpgp_cert_d ks_opengpg = {};
+
+ for (keystore *ks : std::vector {&ks_fs, &ks_rpmdb, &ks_opengpg}) {
+ if (ks->get_name() == ts->keystore->get_name())
+ continue;
+ rpmKeyring keyring = rpmKeyringNew();
+ ks->load_keys(txn, keyring);
+ if (!rpmKeyringIsEmpty(keyring)) {
+ rpmlog(RPMLOG_WARNING, _("there are public keys in the %s backend which is not the one configured (%s); use rpmkeys --rebuild to integrate or discard them\n"), ks->get_name().c_str(), ts->keystore->get_name().c_str());
+ rc = RPMRC_FAIL;
+ }
+ rpmKeyringFree(keyring);
+ }
+ return rc;
+}
 /*****************************************************************************/
diff --git a/lib/keystore.hh b/lib/keystore.hh
index 2b2161465f..e53ec91ff0 100644
--- a/lib/keystore.hh
+++ b/lib/keystore.hh
@@ -8,6 +8,8 @@
 namespace rpm {
+rpmRC check_backends(rpmtxn txn, rpmts ts);
+
 class keystore {
 public:
 virtual std::string get_name() { return "None"; };
diff --git a/lib/rpmts.cc b/lib/rpmts.cc
index 649c10cb46..701fca131b 100644
--- a/lib/rpmts.cc
+++ b/lib/rpmts.cc
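Review bot: In check_backends the result of `ks->load_keys(txn, keyring)` is discarded, so a non-configured backend that cannot be read looks the same as an empty one and the stray-key warning is skipped without any trace. Assuming load_keys returns an rpmRC (its declaration is not in the hunk), I would test it, e.g. `if (ks->load_keys(txn, keyring) != RPMRC_OK) rpmlog(RPMLOG_DEBUG, "could not read keys from the %s backend\n", ks->get_name().c_str());`, so an unreadable store is at least visible when debugging a trust-store migration. The local `ks_opengpg` looks like a typo for `ks_openpgp`. The braced list after `std::vector` shows no element type on this page, which may be an extraction loss rather than what was committed.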
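Review bot: The new declaration `rpmRC check_backends(rpmtxn txn, rpmts ts);` in lib/keystore.hh carries no comment, and its return contract cannot be guessed from the name. Going by the definition in lib/keystore.cc, I would add above it `/* Warn about public keys found in keystore backends other than the configured one; returns RPMRC_FAIL if any such backend holds keys, RPMRC_OK otherwise. */`.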
@@ -299,6 +299,7 @@ static void loadKeyring(rpmts ts)
 rpmtxn txn = rpmtxnBegin(ts, RPMTXN_READ);
 if (txn) {
 ts->keystore->load_keys(txn, ts->keyring);
+ check_backends(txn, ts);
 rpmtxnEnd(txn);
 }
 }
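Review bot: The added call `check_backends(txn, ts);` drops the returned rpmRC, so the RPMRC_FAIL that check_backends sets when another backend holds keys never influences loadKeyring. If warning-only is the intent, as the commit message suggests, make that explicit at the call site: `(void) check_backends(txn, ts); /* advisory: only logs a warning */`. The check also loads every key from the other backends into a scratch keyring each time loadKeyring runs, so the extra I/O and parsing is worth measuring if this path is taken often. loadKeyring's body starts and ends outside the hunk.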