dcavalca / rpms / rpm

Forked from rpms/rpm 2 years ago
Clone
Blob Blame History Raw
From 46db4f6827840e828f42424454410b930895d9a7 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Mon, 13 Apr 2020 18:24:31 -0400
Subject: [PATCH 30/33] Add --delfilesign flag to delete IMA and fsverity file
 signatures

This allows a user to remove both types of file signatures from the
package. Previously there was no way to delete IMA signatures, only
replace them by first removing the package signature and then
resigning the package and the files.

Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
 rpmsign.c        | 12 ++++++++++++
 sign/rpmgensig.c | 17 ++++++++++++++++-
 sign/rpmsign.h   |  9 +++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/rpmsign.c b/rpmsign.c
index 074dd8b13..e43811e9f 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -14,6 +14,7 @@ enum modes {
     MODE_ADDSIGN = (1 << 0),
     MODE_RESIGN  = (1 << 1),
     MODE_DELSIGN = (1 << 2),
+    MODE_DELFILESIGN = (1 << 3),
 };
 
 static int mode = MODE_NONE;
@@ -35,6 +36,10 @@ static struct poptOption signOptsTable[] = {
 	N_("sign package(s) (identical to --addsign)"), NULL },
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 	N_("delete package signatures"), NULL },
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
+    { "delfilesign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode,
+      MODE_DELFILESIGN,	N_("delete IMA and fsverity file signatures"), NULL },
+#endif
     { "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
 	&sargs.signflags, RPMSIGN_FLAG_RPMV3,
 	N_("create rpm v3 header+payload signatures") },
@@ -207,6 +212,13 @@ int main(int argc, char *argv[])
 		ec++;
 	}
 	break;
+    case MODE_DELFILESIGN:
+	ec = 0;
+	while ((arg = poptGetArg(optCon)) != NULL) {
+	    if (rpmPkgDelFileSign(arg, &sargs) < 0)
+		ec++;
+	}
+	break;
     case MODE_NONE:
 	printUsage(optCon, stderr, 0);
 	break;
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index 8d5c5858f..02cf0bc62 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -336,6 +336,14 @@ static void deleteSigs(Header sigh)
     headerDel(sigh, RPMSIGTAG_PGP5);
 }
 
+static void deleteFileSigs(Header sigh)
+{
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURELENGTH);
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURES);
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATURES);
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATUREALGO);
+}
+
 static int haveSignature(rpmtd sigtd, Header h)
 {
     pgpDigParams sig1 = NULL;
@@ -580,7 +588,9 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 	    goto exit;
     }
 
-    if (deleting) {	/* Nuke all the signature tags. */
+    if (deleting == 2) {	/* Nuke IMA + fsverity file signature tags. */
+	deleteFileSigs(sigh);
+    } else if (deleting) {	/* Nuke all the signature tags. */
 	deleteSigs(sigh);
     } else {
 	/* Signature target containing header + payload */
@@ -745,3 +755,8 @@ int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
 {
     return rpmSign(path, 1, 0);
 }
+
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args)
+{
+    return rpmSign(path, 2, 0);
+}
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index 2b8a10a1a..5169741dd 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -44,6 +44,15 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
  */
 int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
 
+
+/** \ingroup rpmsign
+ * Delete file signature(s) from a package
+ * @param path		path to package
+ * @param args		signing parameters (or NULL for defaults)
+ * @return		0 on success
+ */
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args);
+
 #ifdef __cplusplus
 }
 #endif
-- 
2.27.0