teknoraver / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone
Source Code
GIT

Blame 0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch

c10s-sig-hyperscale c8 c8s c8s-sig-hyperscale c9 c9s-sig-hyperscale
  1.   d52e85c0332de7e6962eefcb4714ca4081900d76
  2.   0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
Blob History Raw
Florian Festi 3913b4 
From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001
Panu Matilainen 8a4b8c 
From: "Neal H. Walfield" <neal@pep.foundation>
Panu Matilainen 8a4b8c 
Date: Wed, 12 Apr 2023 17:56:19 +0200
Panu Matilainen 8a4b8c 
Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2()
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
Add new functions pgpVerifySignature2() and pgpPrtParams2(), which are
Panu Matilainen 8a4b8c 
like their earlier versions, but optionally return descriptive error
Panu Matilainen 8a4b8c 
messages (in the case of failure) or lints (in the case of success).
Panu Matilainen 8a4b8c 
Adjust tests accordingly.
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
This requires rpm-sequoia 1.4 or later.
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
See https://github.com/rpm-software-management/rpm-sequoia/issues/39
Panu Matilainen 8a4b8c 
and
Panu Matilainen 8a4b8c 
https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
Fixes #2483.
Panu Matilainen 8a4b8c 
---
Florian Festi 3913b4 
 ci/Dockerfile           |  2 ++
Florian Festi 3913b4 
 include/rpm/rpmpgp.h    | 23 +++++++++++++++++++
Florian Festi 3913b4 
 lib/rpmvs.c             | 19 +++++++++++++---
Florian Festi 3913b4 
 rpmio/CMakeLists.txt    |  2 +-
Florian Festi 3913b4 
 rpmio/rpmkeyring.c      |  7 +++++-
Florian Festi 3913b4 
 rpmio/rpmpgp_internal.c | 15 +++++++++++++
Florian Festi 3913b4 
 rpmio/rpmpgp_sequoia.c  |  7 ++++++
Florian Festi 3913b4 
 tests/rpmi.at           | 10 +++++++--
Florian Festi 3913b4 
 tests/rpmsigdig.at      | 50 +++++++++++++++++++++++++++++++----------
Florian Festi 3913b4 
 9 files changed, 116 insertions(+), 19 deletions(-)
Panu Matilainen 8a4b8c
Florian Festi 3913b4 
diff --git a/ci/Dockerfile b/ci/Dockerfile
Florian Festi 3913b4 
index d8f808962..552934fcd 100644
Florian Festi 3913b4 
--- a/ci/Dockerfile
Florian Festi 3913b4 
+++ b/ci/Dockerfile
Florian Festi 3913b4 
@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo
Florian Festi 3913b4 
 # dummy for controlling per-repo gpgcheck via Semaphore setup
Florian Festi 3913b4 
 RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo
Florian Festi 3913b4 
 RUN dnf -y update
Florian Festi 3913b4 
+# until 1.4.0 lands in stable
Florian Festi 3913b4 
+RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0"
Florian Festi 3913b4 
 RUN dnf -y install \
Florian Festi 3913b4 
   autoconf \
Florian Festi 3913b4 
   cmake \
Panu Matilainen 8a4b8c 
diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
Florian Festi 3913b4 
index 87a2a5bd2..675cbad73 100644
Panu Matilainen 8a4b8c 
--- a/include/rpm/rpmpgp.h
Panu Matilainen 8a4b8c 
+++ b/include/rpm/rpmpgp.h
Florian Festi 3913b4 
@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
Panu Matilainen 8a4b8c 
 int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
Panu Matilainen 8a4b8c 
 		 pgpDigParams * ret);
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
+/** \ingroup rpmpgp
Panu Matilainen 8a4b8c 
+ * Parse a OpenPGP packet(s).
Panu Matilainen 8a4b8c 
+ * @param pkts		OpenPGP packet(s)
Panu Matilainen 8a4b8c 
+ * @param pktlen	OpenPGP packet(s) length (no. of bytes)
Panu Matilainen 8a4b8c 
+ * @param pkttype	Expected packet type (signature/key) or 0 for any
Panu Matilainen 8a4b8c 
+ * @param[out] ret	signature/pubkey packet parameters on success (alloced)
Panu Matilainen 8a4b8c 
+ * @param[out] lints	error messages and lints
Panu Matilainen 8a4b8c 
+ * @return		-1 on error, 0 on success
Panu Matilainen 8a4b8c 
+ */
Panu Matilainen 8a4b8c 
+int pgpPrtParams2(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
Panu Matilainen 8a4b8c 
+		 pgpDigParams * ret, char **lints);
Panu Matilainen 8a4b8c 
+
Panu Matilainen 8a4b8c 
 /** \ingroup rpmpgp
Panu Matilainen 8a4b8c 
  * Parse subkey parameters from OpenPGP packet(s).
Panu Matilainen 8a4b8c 
  * @param pkts		OpenPGP packet(s)
Florian Festi 3913b4 
@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp);
Panu Matilainen 8a4b8c 
  */
Florian Festi 3913b4 
 rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
+/** \ingroup rpmpgp
Panu Matilainen 8a4b8c 
+ * Verify a PGP signature and return a error message or lint.
Panu Matilainen 8a4b8c 
+ * @param key		public key
Panu Matilainen 8a4b8c 
+ * @param sig		signature
Panu Matilainen 8a4b8c 
+ * @param hashctx	digest context
Panu Matilainen 8a4b8c 
+ * @param lints	error messages and lints
Panu Matilainen 8a4b8c 
+ * @return 		RPMRC_OK on success
Panu Matilainen 8a4b8c 
+ */
Panu Matilainen 8a4b8c 
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx,
Panu Matilainen 8a4b8c 
+                          char **lints);
Panu Matilainen 8a4b8c 
+
Panu Matilainen 8a4b8c 
 /** \ingroup rpmpgp
Florian Festi 3913b4 
  * Return the type of a PGP signature. If `sig` is NULL, or is not a signature,
Florian Festi 3913b4 
  * returns -1.
Panu Matilainen 8a4b8c 
diff --git a/lib/rpmvs.c b/lib/rpmvs.c
Panu Matilainen 8a4b8c 
index a1425ea17..9b2106927 100644
Panu Matilainen 8a4b8c 
--- a/lib/rpmvs.c
Panu Matilainen 8a4b8c 
+++ b/lib/rpmvs.c
Panu Matilainen 8a4b8c 
@@ -193,10 +193,23 @@ static void rpmsinfoInit(const struct vfyinfo_s *vinfo,
Panu Matilainen 8a4b8c 
     }
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
     if (sinfo->type == RPMSIG_SIGNATURE_TYPE) {
Panu Matilainen 8a4b8c 
-	if (pgpPrtParams(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig)) {
Panu Matilainen 8a4b8c 
-	    rasprintf(&sinfo->msg, _("%s tag %u: invalid OpenPGP signature"),
Panu Matilainen 8a4b8c 
-		    origin, td->tag);
Panu Matilainen 8a4b8c 
+	char *lints = NULL;
Panu Matilainen 8a4b8c 
+        int ec = pgpPrtParams2(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig, &lints);
Panu Matilainen 8a4b8c 
+	if (ec) {
Panu Matilainen 8a4b8c 
+	    if (lints) {
Panu Matilainen 8a4b8c 
+		rasprintf(&sinfo->msg,
Panu Matilainen 8a4b8c 
+			("%s tag %u: invalid OpenPGP signature: %s"),
Panu Matilainen 8a4b8c 
+			origin, td->tag, lints);
Panu Matilainen 8a4b8c 
+		free(lints);
Panu Matilainen 8a4b8c 
+	    } else {
Panu Matilainen 8a4b8c 
+		rasprintf(&sinfo->msg,
Panu Matilainen 8a4b8c 
+			_("%s tag %u: invalid OpenPGP signature"),
Panu Matilainen 8a4b8c 
+			origin, td->tag);
Panu Matilainen 8a4b8c 
+	    }
Panu Matilainen 8a4b8c 
 	    goto exit;
Panu Matilainen 8a4b8c 
+	} else if (lints) {
Panu Matilainen 8a4b8c 
+	    rpmlog(RPMLOG_WARNING, "%s\n", lints);
Panu Matilainen 8a4b8c 
+	    free(lints);
Panu Matilainen 8a4b8c 
 	}
Panu Matilainen 8a4b8c 
 	sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
Panu Matilainen 8a4b8c 
 	sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4);
Florian Festi 3913b4 
diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt
Florian Festi 3913b4 
index 2fb5794b0..6aa9ab1f1 100644
Florian Festi 3913b4 
--- a/rpmio/CMakeLists.txt
Florian Festi 3913b4 
+++ b/rpmio/CMakeLists.txt
Florian Festi 3913b4 
@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP)
Florian Festi 3913b4 
 		target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT)
Florian Festi 3913b4 
 	endif()
Florian Festi 3913b4 
 else()
Florian Festi 3913b4 
-	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0)
Florian Festi 3913b4 
+	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0)
Florian Festi 3913b4 
 	target_sources(librpmio PRIVATE rpmpgp_sequoia.c)
Florian Festi 3913b4 
 	target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA)
Florian Festi 3913b4 
 endif()
Panu Matilainen 8a4b8c 
diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
Florian Festi 3913b4 
index 166ee43a2..e3eb9e6ea 100644
Panu Matilainen 8a4b8c 
--- a/rpmio/rpmkeyring.c
Panu Matilainen 8a4b8c 
+++ b/rpmio/rpmkeyring.c
Florian Festi 3913b4 
@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
Panu Matilainen 8a4b8c 
 	    pgpkey = key->pgpkey;
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
 	/* We call verify even if key not found for a signature sanity check */
Panu Matilainen 8a4b8c 
-	rc = pgpVerifySignature(pgpkey, sig, ctx);
Panu Matilainen 8a4b8c 
+	char *lints = NULL;
Panu Matilainen 8a4b8c 
+	rc = pgpVerifySignature2(pgpkey, sig, ctx, &lints);
Panu Matilainen 8a4b8c 
+	if (lints) {
Panu Matilainen 8a4b8c 
+	    rpmlog(rc ? RPMLOG_ERR : RPMLOG_WARNING, "%s\n", lints);
Panu Matilainen 8a4b8c 
+	    free(lints);
Panu Matilainen 8a4b8c 
+	}
Panu Matilainen 8a4b8c 
     }
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
     if (keyring)
Panu Matilainen 8a4b8c 
diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c
Florian Festi 3913b4 
index ce1d3c27d..82972bcc8 100644
Panu Matilainen 8a4b8c 
--- a/rpmio/rpmpgp_internal.c
Panu Matilainen 8a4b8c 
+++ b/rpmio/rpmpgp_internal.c
Florian Festi 3913b4 
@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
Panu Matilainen 8a4b8c 
     return rc;
Panu Matilainen 8a4b8c 
 }
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
+int pgpPrtParams2(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
Panu Matilainen 8a4b8c 
+                  pgpDigParams * ret, char **lints)
Panu Matilainen 8a4b8c 
+{
Panu Matilainen 8a4b8c 
+    if (lints)
Panu Matilainen 8a4b8c 
+        *lints = NULL;
Panu Matilainen 8a4b8c 
+    return pgpPrtParams(pkts, pktlen, pkttype, ret);
Panu Matilainen 8a4b8c 
+}
Panu Matilainen 8a4b8c 
+
Panu Matilainen 8a4b8c 
 int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
Panu Matilainen 8a4b8c 
 			pgpDigParams mainkey, pgpDigParams **subkeys,
Panu Matilainen 8a4b8c 
 			int *subkeysCount)
Florian Festi 3913b4 
@@ -1179,6 +1187,13 @@ exit:
Florian Festi 3913b4
Panu Matilainen 8a4b8c 
 }
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints)
Panu Matilainen 8a4b8c 
+{
Panu Matilainen 8a4b8c 
+    if (lints)
Panu Matilainen 8a4b8c 
+        *lints = NULL;
Panu Matilainen 8a4b8c 
+    return pgpVerifySignature(key, sig, hashctx);
Panu Matilainen 8a4b8c 
+}
Panu Matilainen 8a4b8c 
+
Panu Matilainen 8a4b8c 
 static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
Panu Matilainen 8a4b8c 
 {
Panu Matilainen 8a4b8c 
     const char * enc = NULL;
Panu Matilainen 8a4b8c 
diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
Florian Festi 3913b4 
index c6434270a..d0b673953 100644
Panu Matilainen 8a4b8c 
--- a/rpmio/rpmpgp_sequoia.c
Panu Matilainen 8a4b8c 
+++ b/rpmio/rpmpgp_sequoia.c
Panu Matilainen 8a4b8c 
@@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp))
Panu Matilainen 8a4b8c 
 W(rpmRC, pgpVerifySignature,
Panu Matilainen 8a4b8c 
   (pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx),
Panu Matilainen 8a4b8c 
   (key, sig, hashctx))
Panu Matilainen 8a4b8c 
+W(rpmRC, pgpVerifySignature2,
Panu Matilainen 8a4b8c 
+  (pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints),
Panu Matilainen 8a4b8c 
+  (key, sig, hashctx, lints))
Panu Matilainen 8a4b8c 
 W(int, pgpPubkeyKeyID,
Panu Matilainen 8a4b8c 
   (const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid),
Panu Matilainen 8a4b8c 
   (pkt, pktlen, keyid))
Panu Matilainen 8a4b8c 
@@ -51,6 +54,10 @@ W(int, pgpPubKeyCertLen,
Panu Matilainen 8a4b8c 
 W(int, pgpPrtParams,
Panu Matilainen 8a4b8c 
   (const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret),
Panu Matilainen 8a4b8c 
   (pkts, pktlen, pkttype, ret))
Panu Matilainen 8a4b8c 
+W(int, pgpPrtParams2,
Panu Matilainen 8a4b8c 
+  (const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret,
Panu Matilainen 8a4b8c 
+   char **lints),
Panu Matilainen 8a4b8c 
+  (pkts, pktlen, pkttype, ret, lints))
Panu Matilainen 8a4b8c 
 W(int, pgpPrtParamsSubkeys,
Panu Matilainen 8a4b8c 
   (const uint8_t *pkts, size_t pktlen,
Panu Matilainen 8a4b8c 
    pgpDigParams mainkey, pgpDigParams **subkeys,
Panu Matilainen 8a4b8c 
diff --git a/tests/rpmi.at b/tests/rpmi.at
Florian Festi 3913b4 
index 9d74cf689..423d97bca 100644
Panu Matilainen 8a4b8c 
--- a/tests/rpmi.at
Panu Matilainen 8a4b8c 
+++ b/tests/rpmi.at
Florian Festi 3913b4 
@@ -342,7 +342,7 @@ AT_CLEANUP
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
 AT_SETUP([rpm -U <corrupted signed 1>])
Panu Matilainen 8a4b8c 
 AT_KEYWORDS([install])
Panu Matilainen 8a4b8c 
-AT_CHECK([
Panu Matilainen 8a4b8c 
+AT_CHECK_UNQUOTED([
Panu Matilainen 8a4b8c 
 RPMDB_INIT
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
 pkg="hello-2.0-1.x86_64-signed.rpm"
Florian Festi 3913b4 
@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
Panu Matilainen 8a4b8c 
 ],
Panu Matilainen 8a4b8c 
 [1],
Panu Matilainen 8a4b8c 
 [],
Panu Matilainen 8a4b8c 
-[error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
Panu Matilainen 8a4b8c 
+[`if test x$PGP = xinternal; then
Panu Matilainen 8a4b8c 
+    echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
Panu Matilainen 8a4b8c 
+else
Panu Matilainen 8a4b8c 
+    echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
Panu Matilainen 8a4b8c 
+    echo '  Failed to parse Signature Packet'
Panu Matilainen 8a4b8c 
+    echo '      because: Malformed packet: Subpacket extends beyond the end of the subpacket area)'
Panu Matilainen 8a4b8c 
+fi`
Panu Matilainen 8a4b8c 
 error: /tmp/hello-2.0-1.x86_64-signed.rpm cannot be installed
Panu Matilainen 8a4b8c 
 ])
Panu Matilainen 8a4b8c 
 AT_CLEANUP
Panu Matilainen 8a4b8c 
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
Florian Festi 3913b4 
index 9fb3febc9..df1f669e4 100644
Panu Matilainen 8a4b8c 
--- a/tests/rpmsigdig.at
Panu Matilainen 8a4b8c 
+++ b/tests/rpmsigdig.at
Florian Festi 3913b4 
@@ -386,17 +386,17 @@ AT_CHECK([
Florian Festi 3913b4 
 RPMDB_INIT
Florian Festi 3913b4
Florian Festi 3913b4 
 echo Checking package before importing key:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 echo Importing key:
Florian Festi 3913b4 
-runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking for key:
Florian Festi 3913b4 
 runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
Florian Festi 3913b4 
 echo Checking package after importing key:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking package after importing key, no digest:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking package after importing key, no signature:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 ],
Florian Festi 3913b4 
 [0],
Florian Festi 3913b4 
 [[Checking package before importing key:
Florian Festi 3913b4 
@@ -416,6 +416,10 @@ Checking for key:
Florian Festi 3913b4 
 Version     : eb04e625
Florian Festi 3913b4 
 Checking package after importing key:
Florian Festi 3913b4 
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
Florian Festi 3913b4 
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
Florian Festi 3913b4 
+  Key 1F71177215217EE0 invalid: key is not alive
Florian Festi 3913b4 
+      because: The subkey is not live
Florian Festi 3913b4 
+      because: Expired on 2022-04-12T00:00:15Z
Florian Festi 3913b4 
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Florian Festi 3913b4 
     Header DSA signature: NOTFOUND
Florian Festi 3913b4 
     Header SHA256 digest: OK
Florian Festi 3913b4 
@@ -427,6 +431,10 @@ Checking package after importing key:
Florian Festi 3913b4 
 1
Florian Festi 3913b4 
 Checking package after importing key, no digest:
Florian Festi 3913b4 
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
Florian Festi 3913b4 
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
Florian Festi 3913b4 
+  Key 1F71177215217EE0 invalid: key is not alive
Florian Festi 3913b4 
+      because: The subkey is not live
Florian Festi 3913b4 
+      because: Expired on 2022-04-12T00:00:15Z
Florian Festi 3913b4 
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Florian Festi 3913b4 
     Header DSA signature: NOTFOUND
Florian Festi 3913b4 
     RSA signature: NOTFOUND
Florian Festi 3913b4 
@@ -455,15 +463,15 @@ RPMDB_INIT
Florian Festi 3913b4 
 echo Checking package before importing key:
Florian Festi 3913b4 
 runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
 echo Importing key:
Florian Festi 3913b4 
-runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking for key:
Florian Festi 3913b4 
 runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
Florian Festi 3913b4 
 echo Checking package after importing key:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking package after importing key, no digest:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 echo Checking package after importing key, no signature:
Florian Festi 3913b4 
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
Florian Festi 3913b4 
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
Florian Festi 3913b4 
 ],
Florian Festi 3913b4 
 [0],
Florian Festi 3913b4 
 [[Checking package before importing key:
Florian Festi 3913b4 
@@ -483,6 +491,8 @@ Checking for key:
Florian Festi 3913b4 
 Version     : eb04e625
Florian Festi 3913b4 
 Checking package after importing key:
Florian Festi 3913b4 
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
Florian Festi 3913b4 
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
Florian Festi 3913b4 
+  Key 1F71177215217EE0 is invalid: key is revoked
Florian Festi 3913b4 
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Florian Festi 3913b4 
     Header DSA signature: NOTFOUND
Florian Festi 3913b4 
     Header SHA256 digest: OK
Florian Festi 3913b4 
@@ -494,6 +504,8 @@ Checking package after importing key:
Florian Festi 3913b4 
 1
Florian Festi 3913b4 
 Checking package after importing key, no digest:
Florian Festi 3913b4 
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
Florian Festi 3913b4 
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
Florian Festi 3913b4 
+  Key 1F71177215217EE0 is invalid: key is revoked
Florian Festi 3913b4 
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Florian Festi 3913b4 
     Header DSA signature: NOTFOUND
Florian Festi 3913b4 
     RSA signature: NOTFOUND
Florian Festi 3913b4 
@@ -740,7 +752,7 @@ AT_CLEANUP
Panu Matilainen 8a4b8c 
 # Test pre-built corrupted package verification (corrupted signature)
Panu Matilainen 8a4b8c 
 AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
Panu Matilainen 8a4b8c 
 AT_KEYWORDS([rpmkeys digest signature])
Panu Matilainen 8a4b8c 
-AT_CHECK([
Panu Matilainen 8a4b8c 
+AT_CHECK_UNQUOTED([
Panu Matilainen 8a4b8c 
 RPMDB_INIT
Panu Matilainen 8a4b8c
Panu Matilainen 8a4b8c 
 pkg="hello-2.0-1.x86_64-signed.rpm"
Florian Festi 3913b4 
@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
Panu Matilainen 8a4b8c 
 ],
Panu Matilainen 8a4b8c 
 [1],
Panu Matilainen 8a4b8c 
 [/tmp/hello-2.0-1.x86_64-signed.rpm:
Panu Matilainen 8a4b8c 
-    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
Panu Matilainen 8a4b8c 
+`if test x$PGP = xinternal; then
Panu Matilainen 8a4b8c 
+    echo '    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
Panu Matilainen 8a4b8c 
+else
Panu Matilainen 8a4b8c 
+    echo '    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
Panu Matilainen 8a4b8c 
+    echo '  Failed to parse Signature Packet'
Panu Matilainen 8a4b8c 
+    echo '      because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
Panu Matilainen 8a4b8c 
+    echo '      because: Malformed MPI: leading bit is not set: expected bit 1 to be set in        0 (0))'
Panu Matilainen 8a4b8c 
+fi`
Panu Matilainen 8a4b8c 
     Header SHA256 digest: OK
Panu Matilainen 8a4b8c 
     Header SHA1 digest: OK
Panu Matilainen 8a4b8c 
     Payload SHA256 digest: OK
Panu Matilainen 8a4b8c 
     V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
Panu Matilainen 8a4b8c 
     MD5 digest: OK
Panu Matilainen 8a4b8c 
 /tmp/hello-2.0-1.x86_64-signed.rpm:
Panu Matilainen 8a4b8c 
-    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
Panu Matilainen 8a4b8c 
+`if test x$PGP = xinternal; then
Panu Matilainen 8a4b8c 
+    echo '    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
Panu Matilainen 8a4b8c 
+else
Panu Matilainen 8a4b8c 
+    echo '    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
Panu Matilainen 8a4b8c 
+    echo '  Failed to parse Signature Packet'
Panu Matilainen 8a4b8c 
+    echo '      because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
Panu Matilainen 8a4b8c 
+    echo '      because: Malformed MPI: leading bit is not set: expected bit 1 to be set in        0 (0))'
Panu Matilainen 8a4b8c 
+fi`
Panu Matilainen 8a4b8c 
     Header SHA256 digest: OK
Panu Matilainen 8a4b8c 
     Header SHA1 digest: OK
Panu Matilainen 8a4b8c 
     Payload SHA256 digest: OK
Panu Matilainen 8a4b8c 
--
Florian Festi 3913b4 
2.40.1
Panu Matilainen 8a4b8c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation