Skip to content

Commit

Permalink
Don't let src.rpm packages to be file signed
Browse files Browse the repository at this point in the history 
File signatures make no sense in source packages as they don't ship
binaries to be installed on the target system, they're just unpacked
into %_topdir for packaging purposes.

Issue a warning instead when attempting to sign a src.rpm but don't fail
the package signing entirely, header signatures are still relevant, as
is the deletion of existing file signatures from a src.rpm.

Resolves: RhBug:2316785
  • Loading branch information
@dmnks
dmnks committed Nov 26, 2024
1 parent cf8fc5e commit 073ef83
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 8 deletions.
22 changes: 14 additions & 8 deletions sign/rpmgensig.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -702,14 +702,20 @@ static int rpmSign(const char *rpm, int deleting, int flags)
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);

if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}

if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
/* Add file signatures (if requested and not a source rpm) */
if (!headerIsSource(h)) {
if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}
if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
}
} else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
rpmlog(RPMLOG_WARNING,
_("File signatures not applicable to source packages: %s\n"),
rpm);
}

if (deleting == 2) { /* Nuke IMA + fsverity file signature tags. */
Expand Down
13 changes: 13 additions & 0 deletions tests/rpmsigdig.at
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1845,4 +1845,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
],
[ignore])

RPMTEST_CHECK([
cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
rpmsign --key-id 4344591E1964C5FC --addsign --signfiles --fskpath=/data/keys/privkey.pem /tmp/hello-1.0-1.src.rpm
# Avoid spurious NOKEY warning
rpmsign --delsign /tmp/hello-1.0-1.src.rpm
rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
],
[0],
[hello-1.0.tar.gz:(none)
],
[warning: File signatures not applicable to source packages: /tmp/hello-1.0-1.src.rpm
])

RPMTEST_CLEANUP

0 comments on commit 073ef83

Please sign in to comment.