Gensig

sign/rpmgensig.cc

@@ -702,14 +702,20 @@ static int rpmSign(const char *rpm, int deleting, int flags)
     unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 
-    if (flags & RPMSIGN_FLAG_IMA) {
-	if (includeFileSignatures(&sigh, &h))
-	    goto exit;
-    }
-
-    if (flags & RPMSIGN_FLAG_FSVERITY) {
-	if (includeVeritySignatures(fd, &sigh, &h))
-	    goto exit;
+    /* Add file signatures (if requested and not a source rpm) */
+    if (!headerIsSource(h)) {
+	if (flags & RPMSIGN_FLAG_IMA) {
+	    if (includeFileSignatures(&sigh, &h))
+		goto exit;
+	}
+	if (flags & RPMSIGN_FLAG_FSVERITY) {
+	    if (includeVeritySignatures(fd, &sigh, &h))
+		goto exit;
+	}
+    } else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
+	rpmlog(RPMLOG_WARNING,
+	       _("File signatures not applicable to source packages: %s\n"),
+	       rpm);
     }
 
     if (deleting == 2) {	/* Nuke IMA + fsverity file signature tags. */

tests/rpmsigdig.at

@@ -1845,4 +1845,17 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
 ],
 [ignore])
 
+RPMTEST_CHECK([
+cp /data/SRPMS/hello-1.0-1.src.rpm /tmp/
+rpmsign --key-id 4344591E1964C5FC --addsign --signfiles --fskpath=/data/keys/privkey.pem /tmp/hello-1.0-1.src.rpm
+# Avoid spurious NOKEY warning
+rpmsign --delsign /tmp/hello-1.0-1.src.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /tmp/hello-1.0-1.src.rpm
+],
+[0],
+[hello-1.0.tar.gz:(none)
+],
+[warning: File signatures not applicable to source packages: /tmp/hello-1.0-1.src.rpm
+])
+
 RPMTEST_CLEANUP