From 264cd9e0f0db966a50ebc893885930391d75e3d2 Mon Sep 17 00:00:00 2001
From: Michal Domonkos
Date: Thu, 21 Nov 2024 14:22:55 +0100
Subject: [PATCH] Don't let src.rpm packages to be file signed (RhBug:2316785)

File signatures make no sense in source packages as they don't ship binaries to be installed on the target system, they're just fancy archives unpacked into %_topdir for packaging purposes. Disable the respective flags when processing a src.rpm and log a debug message as a heads-up, but don't skip the rest, header signatures are still relevant for source rpms, as is the deletion of existing file signatures.
---
 sign/rpmgensig.cc | 6 ++++++
 tests/rpmsigdig.at | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/sign/rpmgensig.cc b/sign/rpmgensig.cc
index d10f22555d..5151b74d02 100644
--- a/sign/rpmgensig.cc
+++ b/sign/rpmgensig.cc
@@ -698,6 +698,12 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 flags &= ~(RPMSIGN_FLAG_RPMV4|RPMSIGN_FLAG_RPMV3);
 }
 
+ if (headerIsSource(h)) {
+ rpmlog(RPMLOG_DEBUG,
+ _("File signatures not applicable to src.rpm: %s\n"), rpm);
+ flags &= ~(RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY);
+ }
+
 origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
 
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 5a13c41388..c07c712b82 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
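Review bot: The new `headerIsSource(h)` branch logs "File signatures not applicable" for every src.rpm that passes through rpmSign(), including plain `--addsign` runs where neither RPMSIGN_FLAG_IMA nor RPMSIGN_FLAG_FSVERITY was requested, so the debug message becomes noise rather than a heads-up. Guarding on the flags actually being set keeps the message meaningful: `if (headerIsSource(h) && (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))) {`. Worth considering, too, that when the user explicitly passed `--signfiles` the request is dropped and the command still exits successfully with only a debug-level trace; if that is intended, a one-line comment above the branch saying the downgrade to RPMLOG_DEBUG is deliberate would help the next reader, otherwise RPMLOG_WARNING may be the better level. rpmSign() begins and ends outside this hunk, so I cannot see where `h` is loaded or whether it could be NULL here.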
@@ -1908,4 +1908,19 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
 /usr/share/doc/hello-2.0/README:(none)
 ],
 [])
+
+RPMTEST_CHECK([
+cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
+rpmsign --debug --key-id 4344591E1964C5FC \
+ --addsign --signfiles --fskpath=/data/keys/privkey.pem \
+ /tmp/hello-1.0-1.src.rpm 2>&1 | grep "File signatures not applicable"
+# Avoid spurious NOKEY warning
+rpmsign --delsign /tmp/hello-1.0-1.src.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
+],
+[0],
+[D: File signatures not applicable to src.rpm: /tmp/hello-1.0-1.src.rpm
+hello-1.0.tar.gz:(none)
+],
+[])
 RPMTEST_CLEANUP
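Review bot: The new test case only checks the debug line and that `%{filesignatures}` is empty; it never verifies the commit's other stated guarantee, that the header signature is still applied to a src.rpm, and the immediate `rpmsign --delsign` discards the evidence before the final query. A check between the two rpmsign invocations, for example `rpm -Kv /tmp/hello-1.0-1.src.rpm` with the output (or a grep for the header-signature lines) added to the expected stdout, would pin that behaviour; the NOKEY noise the comment mentions would then need to be handled in the expected output or by importing the key first. Also, because the addsign command is piped into `grep`, a non-zero exit from rpmsign itself is masked; if the test framework supports it, `set -o pipefail` or a separate exit-status check would surface a signing failure instead of a silently missing grep match.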