dcavalca / rpms / rpm

Forked from rpms/rpm 2 years ago
Clone

Blame SOURCES/0030-Add-delfilesign-flag-to-delete-IMA-and-fsverity-file.patch

45afda
From 46db4f6827840e828f42424454410b930895d9a7 Mon Sep 17 00:00:00 2001
45afda
From: Jes Sorensen <jsorensen@fb.com>
45afda
Date: Mon, 13 Apr 2020 18:24:31 -0400
45afda
Subject: [PATCH 30/33] Add --delfilesign flag to delete IMA and fsverity file
45afda
 signatures
45afda
45afda
This allows a user to remove both types of file signatures from the
45afda
package. Previously there was no way to delete IMA signatures, only
45afda
replace them by first removing the package signature and then
45afda
resigning the package and the files.
45afda
45afda
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
45afda
---
45afda
 rpmsign.c        | 12 ++++++++++++
45afda
 sign/rpmgensig.c | 17 ++++++++++++++++-
45afda
 sign/rpmsign.h   |  9 +++++++++
45afda
 3 files changed, 37 insertions(+), 1 deletion(-)
45afda
45afda
diff --git a/rpmsign.c b/rpmsign.c
45afda
index 074dd8b13..e43811e9f 100644
45afda
--- a/rpmsign.c
45afda
+++ b/rpmsign.c
45afda
@@ -14,6 +14,7 @@ enum modes {
45afda
     MODE_ADDSIGN = (1 << 0),
45afda
     MODE_RESIGN  = (1 << 1),
45afda
     MODE_DELSIGN = (1 << 2),
45afda
+    MODE_DELFILESIGN = (1 << 3),
45afda
 };
45afda
 
45afda
 static int mode = MODE_NONE;
45afda
@@ -35,6 +36,10 @@ static struct poptOption signOptsTable[] = {
45afda
 	N_("sign package(s) (identical to --addsign)"), NULL },
45afda
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
45afda
 	N_("delete package signatures"), NULL },
45afda
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45afda
+    { "delfilesign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode,
45afda
+      MODE_DELFILESIGN,	N_("delete IMA and fsverity file signatures"), NULL },
45afda
+#endif
45afda
     { "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
45afda
 	&sargs.signflags, RPMSIGN_FLAG_RPMV3,
45afda
 	N_("create rpm v3 header+payload signatures") },
45afda
@@ -207,6 +212,13 @@ int main(int argc, char *argv[])
45afda
 		ec++;
45afda
 	}
45afda
 	break;
45afda
+    case MODE_DELFILESIGN:
45afda
+	ec = 0;
45afda
+	while ((arg = poptGetArg(optCon)) != NULL) {
45afda
+	    if (rpmPkgDelFileSign(arg, &sargs) < 0)
45afda
+		ec++;
45afda
+	}
45afda
+	break;
45afda
     case MODE_NONE:
45afda
 	printUsage(optCon, stderr, 0);
45afda
 	break;
45afda
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
45afda
index 8d5c5858f..02cf0bc62 100644
45afda
--- a/sign/rpmgensig.c
45afda
+++ b/sign/rpmgensig.c
45afda
@@ -336,6 +336,14 @@ static void deleteSigs(Header sigh)
45afda
     headerDel(sigh, RPMSIGTAG_PGP5);
45afda
 }
45afda
 
45afda
+static void deleteFileSigs(Header sigh)
45afda
+{
45afda
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURELENGTH);
45afda
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURES);
45afda
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATURES);
45afda
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATUREALGO);
45afda
+}
45afda
+
45afda
 static int haveSignature(rpmtd sigtd, Header h)
45afda
 {
45afda
     pgpDigParams sig1 = NULL;
45afda
@@ -580,7 +588,9 @@ static int rpmSign(const char *rpm, int deleting, int flags)
45afda
 	    goto exit;
45afda
     }
45afda
 
45afda
-    if (deleting) {	/* Nuke all the signature tags. */
45afda
+    if (deleting == 2) {	/* Nuke IMA + fsverity file signature tags. */
45afda
+	deleteFileSigs(sigh);
45afda
+    } else if (deleting) {	/* Nuke all the signature tags. */
45afda
 	deleteSigs(sigh);
45afda
     } else {
45afda
 	/* Signature target containing header + payload */
45afda
@@ -745,3 +755,8 @@ int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
45afda
 {
45afda
     return rpmSign(path, 1, 0);
45afda
 }
45afda
+
45afda
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args)
45afda
+{
45afda
+    return rpmSign(path, 2, 0);
45afda
+}
45afda
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
45afda
index 2b8a10a1a..5169741dd 100644
45afda
--- a/sign/rpmsign.h
45afda
+++ b/sign/rpmsign.h
45afda
@@ -44,6 +44,15 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
45afda
  */
45afda
 int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
45afda
 
45afda
+
45afda
+/** \ingroup rpmsign
45afda
+ * Delete file signature(s) from a package
45afda
+ * @param path		path to package
45afda
+ * @param args		signing parameters (or NULL for defaults)
45afda
+ * @return		0 on success
45afda
+ */
45afda
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args);
45afda
+
45afda
 #ifdef __cplusplus
45afda
 }
45afda
 #endif
45afda
-- 
45afda
2.27.0
45afda