Skip to content

Commit

Permalink
Don't let src.rpm packages to be file signed
Browse files Browse the repository at this point in the history
File signatures make no sense in source packages as they don't ship
binaries to be installed on the target system, they're just unpacked
into %_topdir for packaging purposes.

Issue a warning instead when attempting to sign a src.rpm but don't fail
the package signing entirely, header signatures are still relevant.

Resolves: RhBug:2316785
  • Loading branch information
dmnks committed Nov 26, 2024
1 parent bd2a4e9 commit 8257b47
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 8 deletions.
22 changes: 14 additions & 8 deletions sign/rpmgensig.cc
Original file line number Diff line number Diff line change
Expand Up @@ -702,14 +702,20 @@ static int rpmSign(const char *rpm, int deleting, int flags)
unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);

if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}

if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
/* Add file signatures (if requested and not a source rpm) */
if (!headerIsSource(h)) {
if (flags & RPMSIGN_FLAG_IMA) {
if (includeFileSignatures(&sigh, &h))
goto exit;
}
if (flags & RPMSIGN_FLAG_FSVERITY) {
if (includeVeritySignatures(fd, &sigh, &h))
goto exit;
}
} else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
rpmlog(RPMLOG_WARNING,
_("File signatures not applicable to source packages: %s\n"),
rpm);
}

if (deleting == 2) { /* Nuke IMA + fsverity file signature tags. */
Expand Down
13 changes: 13 additions & 0 deletions tests/rpmsigdig.at
Original file line number Diff line number Diff line change
Expand Up @@ -1845,4 +1845,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
],
[ignore])

RPMTEST_CHECK([
cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
rpmsign --key-id 4344591E1964C5FC --addsign --signfiles --fskpath=/data/keys/privkey.pem /tmp/hello-1.0-1.src.rpm
# Avoid spurious NOKEY warning
rpmsign --delsign /tmp/hello-1.0-1.src.rpm
rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
],
[0],
[hello-1.0.tar.gz:(none)
],
[warning: File signatures not applicable to source packages: /tmp/hello-1.0-1.src.rpm
])

RPMTEST_CLEANUP

0 comments on commit 8257b47

Please sign in to comment.