|
 |
657fb1 |
From 9c1677d5366d8e2c299285bb09750b3f436cf385 Mon Sep 17 00:00:00 2001
|
|
|
657fb1 |
From: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
Date: Mon, 13 Apr 2020 18:24:31 -0400
|
|
|
657fb1 |
Subject: [PATCH 31/33] Add --delfilesign flag to delete IMA and fsverity file
|
|
|
657fb1 |
signatures
|
|
|
657fb1 |
|
|
|
657fb1 |
This allows a user to remove both types of file signatures from the
|
|
|
657fb1 |
package. Previously there was no way to delete IMA signatures, only
|
|
|
657fb1 |
replace them by first removing the package signature and then
|
|
|
657fb1 |
resigning the package and the files.
|
|
|
657fb1 |
|
|
|
657fb1 |
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
---
|
|
|
657fb1 |
rpmsign.c | 12 ++++++++++++
|
|
|
657fb1 |
sign/rpmgensig.c | 17 ++++++++++++++++-
|
|
|
657fb1 |
sign/rpmsign.h | 9 +++++++++
|
|
|
657fb1 |
3 files changed, 37 insertions(+), 1 deletion(-)
|
|
|
657fb1 |
|
|
|
657fb1 |
diff --git a/rpmsign.c b/rpmsign.c
|
|
|
657fb1 |
index 074dd8b13..e43811e9f 100644
|
|
|
657fb1 |
--- a/rpmsign.c
|
|
|
657fb1 |
+++ b/rpmsign.c
|
|
|
657fb1 |
@@ -14,6 +14,7 @@ enum modes {
|
|
|
657fb1 |
MODE_ADDSIGN = (1 << 0),
|
|
|
657fb1 |
MODE_RESIGN = (1 << 1),
|
|
|
657fb1 |
MODE_DELSIGN = (1 << 2),
|
|
|
657fb1 |
+ MODE_DELFILESIGN = (1 << 3),
|
|
|
657fb1 |
};
|
|
|
657fb1 |
|
|
|
657fb1 |
static int mode = MODE_NONE;
|
|
|
657fb1 |
@@ -35,6 +36,10 @@ static struct poptOption signOptsTable[] = {
|
|
|
657fb1 |
N_("sign package(s) (identical to --addsign)"), NULL },
|
|
|
657fb1 |
{ "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
|
|
|
657fb1 |
N_("delete package signatures"), NULL },
|
|
|
657fb1 |
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
|
|
|
657fb1 |
+ { "delfilesign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode,
|
|
|
657fb1 |
+ MODE_DELFILESIGN, N_("delete IMA and fsverity file signatures"), NULL },
|
|
|
657fb1 |
+#endif
|
|
|
657fb1 |
{ "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
|
|
|
657fb1 |
&sargs.signflags, RPMSIGN_FLAG_RPMV3,
|
|
|
657fb1 |
N_("create rpm v3 header+payload signatures") },
|
|
|
657fb1 |
@@ -207,6 +212,13 @@ int main(int argc, char *argv[])
|
|
|
657fb1 |
ec++;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
break;
|
|
|
657fb1 |
+ case MODE_DELFILESIGN:
|
|
|
657fb1 |
+ ec = 0;
|
|
|
657fb1 |
+ while ((arg = poptGetArg(optCon)) != NULL) {
|
|
|
657fb1 |
+ if (rpmPkgDelFileSign(arg, &sargs) < 0)
|
|
|
657fb1 |
+ ec++;
|
|
|
657fb1 |
+ }
|
|
|
657fb1 |
+ break;
|
|
|
657fb1 |
case MODE_NONE:
|
|
|
657fb1 |
printUsage(optCon, stderr, 0);
|
|
|
657fb1 |
break;
|
|
|
657fb1 |
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
|
|
|
657fb1 |
index 78da1347b..f2fddb898 100644
|
|
|
657fb1 |
--- a/sign/rpmgensig.c
|
|
|
657fb1 |
+++ b/sign/rpmgensig.c
|
|
|
657fb1 |
@@ -336,6 +336,14 @@ static void deleteSigs(Header sigh)
|
|
|
657fb1 |
headerDel(sigh, RPMSIGTAG_PGP5);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
+static void deleteFileSigs(Header sigh)
|
|
|
657fb1 |
+{
|
|
|
657fb1 |
+ headerDel(sigh, RPMSIGTAG_FILESIGNATURELENGTH);
|
|
|
657fb1 |
+ headerDel(sigh, RPMSIGTAG_FILESIGNATURES);
|
|
|
657fb1 |
+ headerDel(sigh, RPMSIGTAG_VERITYSIGNATURES);
|
|
|
657fb1 |
+ headerDel(sigh, RPMSIGTAG_VERITYSIGNATUREALGO);
|
|
|
657fb1 |
+}
|
|
|
657fb1 |
+
|
|
|
657fb1 |
static int haveSignature(rpmtd sigtd, Header h)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
pgpDigParams sig1 = NULL;
|
|
|
657fb1 |
@@ -574,7 +582,9 @@ static int rpmSign(const char *rpm, int deleting, int flags)
|
|
|
657fb1 |
goto exit;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
- if (deleting) { /* Nuke all the signature tags. */
|
|
|
657fb1 |
+ if (deleting == 2) { /* Nuke IMA + fsverity file signature tags. */
|
|
|
657fb1 |
+ deleteFileSigs(sigh);
|
|
|
657fb1 |
+ } else if (deleting) { /* Nuke all the signature tags. */
|
|
|
657fb1 |
deleteSigs(sigh);
|
|
|
657fb1 |
} else {
|
|
|
657fb1 |
/* Signature target containing header + payload */
|
|
|
657fb1 |
@@ -739,3 +749,8 @@ int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
return rpmSign(path, 1, 0);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
+
|
|
|
657fb1 |
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args)
|
|
|
657fb1 |
+{
|
|
|
657fb1 |
+ return rpmSign(path, 2, 0);
|
|
|
657fb1 |
+}
|
|
|
657fb1 |
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
|
|
|
657fb1 |
index 2b8a10a1a..5169741dd 100644
|
|
|
657fb1 |
--- a/sign/rpmsign.h
|
|
|
657fb1 |
+++ b/sign/rpmsign.h
|
|
|
657fb1 |
@@ -44,6 +44,15 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
|
|
|
657fb1 |
*/
|
|
|
657fb1 |
int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
|
|
|
657fb1 |
|
|
|
657fb1 |
+
|
|
|
657fb1 |
+/** \ingroup rpmsign
|
|
|
657fb1 |
+ * Delete file signature(s) from a package
|
|
|
657fb1 |
+ * @param path path to package
|
|
|
657fb1 |
+ * @param args signing parameters (or NULL for defaults)
|
|
|
657fb1 |
+ * @return 0 on success
|
|
|
657fb1 |
+ */
|
|
|
657fb1 |
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args);
|
|
|
657fb1 |
+
|
|
|
657fb1 |
#ifdef __cplusplus
|
|
|
657fb1 |
}
|
|
|
657fb1 |
#endif
|
|
|
657fb1 |
--
|
|
|
657fb1 |
2.13.5
|
|
|
657fb1 |
|