michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone

Blame 0030-Add-delfilesign-flag-to-delete-IMA-and-fsverity-file.patch

45e748
From 46db4f6827840e828f42424454410b930895d9a7 Mon Sep 17 00:00:00 2001
45e748
From: Jes Sorensen <jsorensen@fb.com>
45e748
Date: Mon, 13 Apr 2020 18:24:31 -0400
45e748
Subject: [PATCH 30/33] Add --delfilesign flag to delete IMA and fsverity file
45e748
 signatures
45e748
45e748
This allows a user to remove both types of file signatures from the
45e748
package. Previously there was no way to delete IMA signatures, only
45e748
replace them by first removing the package signature and then
45e748
resigning the package and the files.
45e748
45e748
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
45e748
---
45e748
 rpmsign.c        | 12 ++++++++++++
45e748
 sign/rpmgensig.c | 17 ++++++++++++++++-
45e748
 sign/rpmsign.h   |  9 +++++++++
45e748
 3 files changed, 37 insertions(+), 1 deletion(-)
45e748
45e748
diff --git a/rpmsign.c b/rpmsign.c
45e748
index 074dd8b13..e43811e9f 100644
45e748
--- a/rpmsign.c
45e748
+++ b/rpmsign.c
45e748
@@ -14,6 +14,7 @@ enum modes {
45e748
     MODE_ADDSIGN = (1 << 0),
45e748
     MODE_RESIGN  = (1 << 1),
45e748
     MODE_DELSIGN = (1 << 2),
45e748
+    MODE_DELFILESIGN = (1 << 3),
45e748
 };
45e748
 
45e748
 static int mode = MODE_NONE;
45e748
@@ -35,6 +36,10 @@ static struct poptOption signOptsTable[] = {
45e748
 	N_("sign package(s) (identical to --addsign)"), NULL },
45e748
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
45e748
 	N_("delete package signatures"), NULL },
45e748
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748
+    { "delfilesign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode,
45e748
+      MODE_DELFILESIGN,	N_("delete IMA and fsverity file signatures"), NULL },
45e748
+#endif
45e748
     { "rpmv3", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
45e748
 	&sargs.signflags, RPMSIGN_FLAG_RPMV3,
45e748
 	N_("create rpm v3 header+payload signatures") },
45e748
@@ -207,6 +212,13 @@ int main(int argc, char *argv[])
45e748
 		ec++;
45e748
 	}
45e748
 	break;
45e748
+    case MODE_DELFILESIGN:
45e748
+	ec = 0;
45e748
+	while ((arg = poptGetArg(optCon)) != NULL) {
45e748
+	    if (rpmPkgDelFileSign(arg, &sargs) < 0)
45e748
+		ec++;
45e748
+	}
45e748
+	break;
45e748
     case MODE_NONE:
45e748
 	printUsage(optCon, stderr, 0);
45e748
 	break;
45e748
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
45e748
index 8d5c5858f..02cf0bc62 100644
45e748
--- a/sign/rpmgensig.c
45e748
+++ b/sign/rpmgensig.c
45e748
@@ -336,6 +336,14 @@ static void deleteSigs(Header sigh)
45e748
     headerDel(sigh, RPMSIGTAG_PGP5);
45e748
 }
45e748
 
45e748
+static void deleteFileSigs(Header sigh)
45e748
+{
45e748
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURELENGTH);
45e748
+    headerDel(sigh, RPMSIGTAG_FILESIGNATURES);
45e748
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATURES);
45e748
+    headerDel(sigh, RPMSIGTAG_VERITYSIGNATUREALGO);
45e748
+}
45e748
+
45e748
 static int haveSignature(rpmtd sigtd, Header h)
45e748
 {
45e748
     pgpDigParams sig1 = NULL;
45e748
@@ -580,7 +588,9 @@ static int rpmSign(const char *rpm, int deleting, int flags)
45e748
 	    goto exit;
45e748
     }
45e748
 
45e748
-    if (deleting) {	/* Nuke all the signature tags. */
45e748
+    if (deleting == 2) {	/* Nuke IMA + fsverity file signature tags. */
45e748
+	deleteFileSigs(sigh);
45e748
+    } else if (deleting) {	/* Nuke all the signature tags. */
45e748
 	deleteSigs(sigh);
45e748
     } else {
45e748
 	/* Signature target containing header + payload */
45e748
@@ -745,3 +755,8 @@ int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
45e748
 {
45e748
     return rpmSign(path, 1, 0);
45e748
 }
45e748
+
45e748
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args)
45e748
+{
45e748
+    return rpmSign(path, 2, 0);
45e748
+}
45e748
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
45e748
index 2b8a10a1a..5169741dd 100644
45e748
--- a/sign/rpmsign.h
45e748
+++ b/sign/rpmsign.h
45e748
@@ -44,6 +44,15 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
45e748
  */
45e748
 int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
45e748
 
45e748
+
45e748
+/** \ingroup rpmsign
45e748
+ * Delete file signature(s) from a package
45e748
+ * @param path		path to package
45e748
+ * @param args		signing parameters (or NULL for defaults)
45e748
+ * @return		0 on success
45e748
+ */
45e748
+int rpmPkgDelFileSign(const char *path, const struct rpmSignArgs * args);
45e748
+
45e748
 #ifdef __cplusplus
45e748
 }
45e748
 #endif
45e748
-- 
45e748
2.27.0
45e748