From 4276d324bebf442299a90b5a9c4679829ab96385 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 2 Mar 2020 14:47:26 +0200
Subject: [PATCH 13/33] Stop adding rpm v3 header+payload signatures by default
where not needed
On packages where a separate payload digest exists (ie those built with
rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive
legacy baggage, as the payload digest will be signed by a header-only
signature already, without having to recalculate the entire file.
Automatically detect the payload digest presence and only add V3
signatures on packages that need it, but also add an override switch
to force their addition if needed for compatibility or so. A particular
use-case would be ability to signature-level verify the entire package
on rpm older than 4.14.
Fixes: #863
---
doc/rpmsign.8 | 9 +++++++++
rpmsign.c | 3 +++
sign/rpmgensig.c | 24 +++++++++++++++++-------
sign/rpmsign.h | 1 +
tests/rpmsigdig.at | 36 ++++++++++++++++++++++++++++++++++--
5 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/doc/rpmsign.8 b/doc/rpmsign.8
index d895a3b8c..f7ceae89b 100644
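--- a/doc/rpmsign.8
+++ b/doc/rpmsign.8
@@ -11,6 +11,7 @@ rpmsign \- RPM Package Signing
 
 .SS "rpmsign-options"
 .PP
+[\fb--rpmv3\fR]
 [\fb--fskpath \fIKEY\fb\fR] [\fB--signfiles\fR]
 
 .SH DESCRIPTION
@@ -32,6 +33,14 @@ Delete all signatures from each package \fIPACKAGE_FILE\fR given.
 .SS "SIGN OPTIONS"
 .PP
 .TP
+\fB--rpmv3\fR
+Force RPM V3 header+payload signature addition.
+These are expensive and redundant baggage on packages where a separate
+payload digest exists (packages built with rpm >= 4.14). Rpm will
+automatically detect the need for V3 signatures, but this option can be
+used to force their creation if the packages must be fully
+signature verifiable with rpm < 4.14 or other interoperability reasons.
+.TP
 \fB--fskpath \fIKEY\fB\fR
 Used with \fB--signfiles\fR, use file signing key \fIKey\fR.
 .TP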
diff --git a/rpmsign.c b/rpmsign.c
index 57cb36919..a74948ba8 100644
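--- a/rpmsign.c
+++ b/rpmsign.c
@@ -32,6 +32,9 @@ static struct poptOption signOptsTable[] = {
 N_("sign package(s) (identical to --addsign)"), NULL },
 { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 N_("delete package signatures"), NULL },
+ { "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
+ &sargs.signflags, RPMSIGN_FLAG_RPMV3,
+ N_("create rpm v3 header+payload signatures") },
 #ifdef WITH_IMAEVM
 { "signfiles", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
 &sargs.signflags, RPMSIGN_FLAG_IMA,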
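Review bot: The new `rpmv3` entry in signOptsTable ends at the description string, while the `delsign` entry just above it closes with an explicit `, NULL }` for the last field. The omitted member is zero-initialised, so behaviour is the same, but the table is easier to scan if the entry ends `N_("create rpm v3 header+payload signatures"), NULL },`. The help text could also say "force" rather than "create", since the man page text in this commit describes these signatures as still being added automatically where needed. The table starts and ends outside the hunk.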
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index 6ab8c23fa..0c6646d85 100644
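--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -377,14 +377,17 @@ static int replaceSignature(Header sigh, sigTarget sigt_v3, sigTarget sigt_v4)
 
 if (headerPut(sigh, sigtd, HEADERPUT_DEFAULT) == 0)
 goto exit;
- rpmtdFree(sigtd);
 
- /* Assume the same signature test holds for v3 signature too */
- if ((sigtd = makeGPGSignature(sigh, 0, sigt_v3)) == NULL)
- goto exit;
+ if (sigt_v3) {
+ rpmtdFree(sigtd);
 
- if (headerPut(sigh, sigtd, HEADERPUT_DEFAULT) == 0)
- goto exit;
+ /* Assume the same signature test holds for v3 signature too */
+ if ((sigtd = makeGPGSignature(sigh, 0, sigt_v3)) == NULL)
+ goto exit;
+
+ if (headerPut(sigh, sigtd, HEADERPUT_DEFAULT) == 0)
+ goto exit;
+ }
 
 rc = 0;
 exit:
@@ -521,6 +524,12 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 goto exit;
 }
 
+ /* Always add V3 signatures if no payload digest present */
+ if (!(headerIsEntry(h, RPMTAG_PAYLOADDIGEST) ||
+ headerIsEntry(h, RPMTAG_PAYLOADDIGESTALT))) {
+ flags |= RPMSIGN_FLAG_RPMV3;
+ }
+
 unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES);
 origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 
@@ -533,6 +542,7 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 deleteSigs(sigh);
 } else {
 /* Signature target containing header + payload */
+ int v3 = (flags & RPMSIGN_FLAG_RPMV3);
 sigt_v3.fd = fd;
 sigt_v3.start = headerStart;
 sigt_v3.fileName = rpm;
@@ -542,7 +552,7 @@ static int rpmSign(const char *rpm, int deleting, int flags)
 sigt_v4 = sigt_v3;
 sigt_v4.size = headerSizeof(h, HEADER_MAGIC_YES);
 
- res = replaceSignature(sigh, &sigt_v3, &sigt_v4);
+ res = replaceSignature(sigh, v3 ? &sigt_v3 : NULL, &sigt_v4);
 if (res != 0) {
 if (res == 1) {
 rpmlog(RPMLOG_WARNING,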
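Review bot: The check added to rpmSign(), `headerIsEntry(h, RPMTAG_PAYLOADDIGEST) || headerIsEntry(h, RPMTAG_PAYLOADDIGESTALT)`, only tests that a payload digest tag is present; nothing visible in the hunk recomputes the digest or looks at its algorithm before the header+payload signature is skipped. With a header-only signature the payload is covered solely through that digest, so a package whose payload no longer matches its header would be signed without complaint and the mismatch is left for verifiers to catch. If that is intended, the comment should say so, e.g. `/* Tag presence only: the payload digest is not recomputed here, verifiers must check it */`. replaceSignature() now also accepts a NULL `sigt_v3`, which deserves a line in its header comment. Both function bodies continue outside the hunks.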
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index 545e80d2d..7a770d879 100644
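--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -16,6 +16,7 @@ extern "C" {
 enum rpmSignFlags_e {
 RPMSIGN_FLAG_NONE = 0,
 RPMSIGN_FLAG_IMA = (1 << 0),
+ RPMSIGN_FLAG_RPMV3 = (1 << 1),
 };
 typedef rpmFlags rpmSignFlags;
 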
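Review bot: `RPMSIGN_FLAG_RPMV3` is added to what looks like a public enum without a comment, and its meaning is not what the name alone suggests. Per the rpmSign() change in this commit, leaving the bit clear does not suppress v3 signatures; they are still added when the header carries no payload digest. A short comment on the value would keep API callers from assuming otherwise, for example `/* force v3 header+payload signatures; also set automatically when no payload digest exists */`. The enum's other values are undocumented as well, so this is a documentation suggestion only.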
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index f6ad72589..c6f95e997 100644
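--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -423,7 +423,7 @@ AT_CLEANUP
 
 # ------------------------------
 # Test --addsign
-AT_SETUP([rpmsign --addsign <unsigned>])
+AT_SETUP([rpmsign --addsign --rpmv3 <unsigned>])
 AT_KEYWORDS([rpmsign signature])
 AT_CHECK([
 RPMDB_CLEAR
@@ -431,7 +431,7 @@ RPMDB_INIT
 rm -rf "${TOPDIR}"
 
 cp "${RPMTEST}"/data/RPMS/hello-2.0-1.x86_64.rpm "${RPMTEST}"/tmp/
-run rpmsign --key-id 1964C5FC --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
+run rpmsign --key-id 1964C5FC --rpmv3 --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
 echo PRE-IMPORT
 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
 echo POST-IMPORT
@@ -456,6 +456,38 @@ POST-DELSIGN
 [])
 AT_CLEANUP
 
+# Test --addsign
+AT_SETUP([rpmsign --addsign <unsigned>])
+AT_KEYWORDS([rpmsign signature])
+AT_CHECK([
+RPMDB_CLEAR
+RPMDB_INIT
+rm -rf "${TOPDIR}"
+
+cp "${RPMTEST}"/data/RPMS/hello-2.0-1.x86_64.rpm "${RPMTEST}"/tmp/
+run rpmsign --key-id 1964C5FC --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
+echo PRE-IMPORT
+runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
+echo POST-IMPORT
+runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
+runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
+run rpmsign --delsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
+echo POST-DELSIGN
+runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
+],
+[0],
+[PRE-IMPORT
+/tmp/hello-2.0-1.x86_64.rpm:
+ Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
+POST-IMPORT
+/tmp/hello-2.0-1.x86_64.rpm:
+ Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
+POST-DELSIGN
+/tmp/hello-2.0-1.x86_64.rpm:
+],
+[])
+AT_CLEANUP
+
 # ------------------------------
 # Test --delsign
 AT_SETUP([rpmsign --delsign <package>])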
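Review bot: The new `rpmsign --addsign <unsigned>` test pipes every `rpmkeys -Kv` call through `grep -v digest`, so its expected output pins only the `Header V4 RSA/SHA256 Signature` line. Once the header+payload signature is gone, the payload digest is the only thing tying the payload to that signature, and this test never shows that it is checked. Consider dropping the filter on the POST-IMPORT check, `runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm`, and extending the expected output with the digest lines that rpmkeys prints. The second `# Test --addsign` comment could also be reworded so the two cases can be told apart.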
--
2.13.5