
From 9c1677d5366d8e2c299285bb09750b3f436cf385 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Mon, 13 Apr 2020 18:24:31 -0400
Subject: [PATCH 31/33] Add --delfilesign flag to delete IMA and fsverity file
 signatures
This allows a user to remove both types of file signatures from the
package. Previously there was no way to delete IMA signatures, only
replace them by first removing the package signature and then
resigning the package and the files.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
 rpmsign.c        | 12 ++++++++++++
 sign/rpmgensig.c | 17 ++++++++++++++++-
 sign/rpmsign.h   |  9 +++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/rpmsign.c b/rpmsign.c
657fb1
index 074dd8b13..e43811e9f 100644
657fb1
--- a/rpmsign.c
657fb1
+++ b/rpmsign.c
657fb1
@@ -14,6 +14,7 @@ enum modes {
657fb1
     MODE_ADDSIGN = (1 << 0),
657fb1
     MODE_RESIGN  = (1 << 1),
657fb1
     MODE_DELSIGN = (1 << 2),
657fb1
+    MODE_DELFILESIGN = (1 << 3),
657fb1
 };
657fb1
 
657fb1
 static int mode = MODE_NONE;
657fb1
@@ -35,6 +36,10 @@ static struct poptOption signOptsTable[] = {
657fb1
 	N_("sign package(s) (identical to --addsign)"), NULL },
657fb1
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
657fb1
 	N_("delete package signatures"), NULL },
657fb1
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
657fb1
+    { "delfilesign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode,
657fb1
+      MODE_DELFILESIGN,	N_("delete IMA and fsverity file signatures"), NULL },
657fb1
+#endif
657fb1
     { "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
657fb1
 	&sargs.signflags, RPMSIGN_FLAG_RPMV3,
657fb1
 	N_("create rpm v3 header+payload signatures") },
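Review bot: The `--delfilesign` entry is compiled only under `WITH_IMAEVM` or `WITH_FSVERITY`, yet the deletion path it drives (the `deleteFileSigs()` hunk in sign/rpmgensig.c) only calls `headerDel()` on signature-header tags and appears to need neither library, so a build without them cannot strip file signatures from a package that was signed elsewhere; if the guard is intentional, a comment such as `/* only offered when a file-signing backend is built in; deletion itself needs neither */` would make that explicit. The continuation line also puts a tab after `MODE_DELFILESIGN,`, which does not match the indentation of the neighbouring table entries.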
657fb1
@@ -207,6 +212,13 @@ int main(int argc, char *argv[])
657fb1
 		ec++;
657fb1
 	}
657fb1
 	break;
657fb1
+    case MODE_DELFILESIGN:
657fb1
+	ec = 0;
657fb1
+	while ((arg = poptGetArg(optCon)) != NULL) {
657fb1
+	    if (rpmPkgDelFileSign(arg, &sargs) < 0)
657fb1
+		ec++;
657fb1
+	}
657fb1
+	break;
657fb1
     case MODE_NONE:
657fb1
 	printUsage(optCon, stderr, 0);
657fb1
 	break;
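Review bot: The new `case MODE_DELFILESIGN:` matches only when `mode` equals that bit exactly, but the options OR their values into `mode`, so `--delsign --delfilesign` on one command line yields `MODE_DELSIGN|MODE_DELFILESIGN` and reaches none of the listed cases; whatever the switch's default does is outside the hunk and the existing modes presumably share this behaviour, but the new flag makes the combination more likely, and a short comment or an explicit check rejecting mixed modes would avoid a silent no-op. `sargs` is passed through although, per the sign/rpmgensig.c hunk, `rpmPkgDelFileSign()` does not use it; that mirrors `rpmPkgDelSign()` and is fine, but worth a note in the header doc. `main()` begins and ends outside this hunk.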
657fb1
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
657fb1
index 78da1347b..f2fddb898 100644
657fb1
--- a/sign/rpmgensig.c
657fb1
+++ b/sign/rpmgensig.c
657fb1
@@ -336,6 +336,14 @@ static void deleteSigs(Header sigh)
657fb1
     headerDel(sigh, RPMSIGTAG_PGP5);
657fb1
 }
657fb1
 
657fb1
+static void deleteFileSigs(Header sigh)
657fb1
+{
657fb1
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURELENGTH);
657fb1
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURES);
657fb1
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATURES);
657fb1
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATUREALGO);
657fb1
+}
657fb1
+
657fb1
 static int haveSignature(rpmtd sigtd, Header h)
657fb1
 {
657fb1
     pgpDigParams sig1 = NULL;
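Review bot: `deleteFileSigs()` should say what it deliberately leaves behind: it removes the four per-file signature tags only, so the package-level signature tags that the existing `deleteSigs()` strips stay in place and the header signature on such a package still verifies while the files carry no IMA or fsverity signatures. Suggested header comment: `/* Remove IMA + fsverity per-file signature tags only; package-level signature tags (see deleteSigs) are left intact. */`.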
657fb1
@@ -574,7 +582,9 @@ static int rpmSign(const char *rpm, int deleting, int flags)
657fb1
 	    goto exit;
657fb1
     }
657fb1
 
657fb1
-    if (deleting) {	/* Nuke all the signature tags. */
657fb1
+    if (deleting == 2) {	/* Nuke IMA + fsverity file signature tags. */
657fb1
+	deleteFileSigs(sigh);
657fb1
+    } else if (deleting) {	/* Nuke all the signature tags. */
657fb1
 	deleteSigs(sigh);
657fb1
     } else {
657fb1
 	/* Signature target containing header + payload */
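Review bot: `deleting == 2` introduces a second magic value for the `deleting` argument of `rpmSign()`, with `1` still meaning "delete package signatures" and the `2` also appearing as a bare literal in the `rpmPkgDelFileSign()` hunk further down the same file; name the modes, e.g. `enum { DELSIG_NONE = 0, DELSIG_PKG = 1, DELSIG_FILES = 2 };` near the top of the file and test `if (deleting == DELSIG_FILES) {` here, passing `DELSIG_FILES` from `rpmPkgDelFileSign()`. The trailing `goto exit;` and the rest of `rpmSign()` lie outside this hunk.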
657fb1
@@ -739,3 +749,8 @@ int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
657fb1
 {
657fb1
     return rpmSign(path, 1, 0);
657fb1
 }
657fb1
+
657fb1
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args)
657fb1
+{
657fb1
+    return rpmSign(path, 2, 0);
657fb1
+}
657fb1
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
657fb1
index 2b8a10a1a..5169741dd 100644
657fb1
--- a/sign/rpmsign.h
657fb1
+++ b/sign/rpmsign.h
657fb1
@@ -44,6 +44,15 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
657fb1
  */
657fb1
 int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
657fb1
 
657fb1
+
657fb1
+/** \ingroup rpmsign
657fb1
+ * Delete file signature(s) from a package
657fb1
+ * @param path		path to package
657fb1
+ * @param args		signing parameters (or NULL for defaults)
657fb1
+ * @return		0 on success
657fb1
+ */
657fb1
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args);
657fb1
+
657fb1
 #ifdef __cplusplus
657fb1
 }
657fb1
 #endif
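Review bot: The new doc block says only `0 on success`, but the caller in rpmsign.c treats any negative return as failure, so the comment should state the failure contract in the same terms (the surrounding `rpmPkgDelSign()` doc is the model to match). It should also say what the operation does and does not touch, e.g. `Delete IMA and fsverity per-file signature tags from a package; package-level signatures are left in place`, and note that `args` is currently unused, since callers may otherwise expect signing parameters to influence the deletion.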
657fb1
-- 
2.13.5