teknoraver / rpms / rpm

Forked from rpms/rpm 3 months ago
Clone

Blame SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch

377311
From 82c53e4b7f720012a391d8f6e5da9ee3c4f22bed Mon Sep 17 00:00:00 2001
377311
From: Demi Marie Obenour <demi@invisiblethingslab.com>
377311
Date: Thu, 6 May 2021 18:34:45 -0400
377311
Subject: [PATCH] Validate and require subkey binding signatures on PGP public
377311
 keys
377311
377311
All subkeys must be followed by a binding signature by the primary key
377311
as per the OpenPGP RFC, enforce the presence and validity in the parser.
377311
377311
The implementation is as kludgey as they come to work around our
377311
simple-minded parser structure without touching API, to maximise
377311
backportability. Store all the raw packets internally as we decode them
377311
to be able to access previous elements at will, needed to validate ordering
377311
and access the actual data. Add testcases for manipulated keys whose
377311
import previously would succeed.
377311
377311
Combined with:
377311
5ff86764b17f31535cb247543a90dd739076ec38
377311
b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
377311
9f03f42e2614a68f589f9db8fe76287146522c0c
377311
b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix)
377311
ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix)
377311
377311
Fixes CVE-2021-3521.
377311
---
377311
 rpmio/rpmpgp.c                                | 122 +++++++++++++++---
377311
 sign/rpmgensig.c                              |   2 +-
377311
 tests/Makefile.am                             |   3 +
377311
 tests/data/keys/CVE-2021-3521-badbind.asc     |  25 ++++
377311
 .../data/keys/CVE-2021-3521-nosubsig-last.asc |  25 ++++
377311
 tests/data/keys/CVE-2021-3521-nosubsig.asc    |  37 ++++++
377311
 tests/rpmsigdig.at                            |  28 ++++
377311
 7 files changed, 224 insertions(+), 18 deletions(-)
377311
 create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
377311
 create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
377311
 create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
377311
377311
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
377311
index 46cd0f31a..bd4992ec7 100644
377311
--- a/rpmio/rpmpgp.c
377311
+++ b/rpmio/rpmpgp.c
377311
@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
377311
     return NULL;
377311
 }
377311
 
377311
-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
377311
+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
377311
 		const uint8_t *p, const uint8_t *h, size_t hlen,
377311
 		pgpDigParams sigp)
377311
 {
377311
@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
377311
 	int mpil = pgpMpiLen(p);
377311
 	if (p + mpil > pend)
377311
 	    break;
377311
-	if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
377311
-	    if (sigalg->setmpi(sigalg, i, p))
377311
-		break;
377311
-	}
377311
+	if (sigalg->setmpi(sigalg, i, p))
377311
+	    break;
377311
 	p += mpil;
377311
     }
377311
 
377311
@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
377311
 	}
377311
 
377311
 	p = ((uint8_t *)v) + sizeof(*v);
377311
-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
377311
+	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
377311
     }	break;
377311
     case 4:
377311
     {   pgpPktSigV4 v = (pgpPktSigV4)h;
377311
@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
377311
 	if (p > (h + hlen))
377311
 	    return 1;
377311
 
377311
-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
377311
+	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
377311
     }	break;
377311
     default:
377311
 	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
377311
@@ -999,36 +997,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
377311
     return algo;
377311
 }
377311
 
377311
+static pgpDigParams pgpDigParamsNew(uint8_t tag)
377311
+{
377311
+    pgpDigParams digp = xcalloc(1, sizeof(*digp));
377311
+    digp->tag = tag;
377311
+    return digp;
377311
+}
377311
+
377311
+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
377311
+{
377311
+    int rc = -1;
377311
+    if (pkt->tag == exptag) {
377311
+	uint8_t head[] = {
377311
+	    0x99,
377311
+	    (pkt->blen >> 8),
377311
+	    (pkt->blen     ),
377311
+	};
377311
+
377311
+	rpmDigestUpdate(hash, head, 3);
377311
+	rpmDigestUpdate(hash, pkt->body, pkt->blen);
377311
+	rc = 0;
377311
+    }
377311
+    return rc;
377311
+}
377311
+
377311
+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
377311
+			const struct pgpPkt *all, int i)
377311
+{
377311
+    int rc = -1;
377311
+    DIGEST_CTX hash = NULL;
377311
+
377311
+    switch (selfsig->sigtype) {
377311
+    case PGPSIGTYPE_SUBKEY_BINDING:
377311
+	hash = rpmDigestInit(selfsig->hash_algo, 0);
377311
+	if (hash) {
377311
+	    rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
377311
+	    if (!rc)
377311
+		rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
377311
+	}
377311
+	break;
377311
+    default:
377311
+	/* ignore types we can't handle */
377311
+	rc = 0;
377311
+	break;
377311
+    }
377311
+
377311
+    if (hash && rc == 0)
377311
+	rc = pgpVerifySignature(key, selfsig, hash);
377311
+
377311
+    rpmDigestFinal(hash, NULL, NULL, 0);
377311
+
377311
+    return rc;
377311
+}
377311
+
377311
 int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
377311
 		 pgpDigParams * ret)
377311
 {
377311
     const uint8_t *p = pkts;
377311
     const uint8_t *pend = pkts + pktlen;
377311
     pgpDigParams digp = NULL;
377311
-    struct pgpPkt pkt;
377311
+    pgpDigParams selfsig = NULL;
377311
+    int i = 0;
377311
+    int alloced = 16; /* plenty for normal cases */
377311
+    struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
377311
     int rc = -1; /* assume failure */
377311
+    int expect = 0;
377311
+    int prevtag = 0;
377311
 
377311
     while (p < pend) {
377311
-	if (decodePkt(p, (pend - p), &pkt))
377311
+	struct pgpPkt *pkt = &all[i];
377311
+	if (decodePkt(p, (pend - p), pkt))
377311
 	    break;
377311
 
377311
 	if (digp == NULL) {
377311
-	    if (pkttype && pkt.tag != pkttype) {
377311
+	    if (pkttype && pkt->tag != pkttype) {
377311
 		break;
377311
 	    } else {
377311
-		digp = xcalloc(1, sizeof(*digp));
377311
-		digp->tag = pkt.tag;
377311
+		digp = pgpDigParamsNew(pkt->tag);
377311
 	    }
377311
 	}
377311
 
377311
-	if (pgpPrtPkt(&pkt, digp))
377311
+	if (expect) {
377311
+	    if (pkt->tag != expect)
377311
+		break;
377311
+	    selfsig = pgpDigParamsNew(pkt->tag);
377311
+	}
377311
+
377311
+	if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
377311
 	    break;
377311
 
377311
-	p += (pkt.body - pkt.head) + pkt.blen;
377311
+	if (selfsig) {
377311
+	    /* subkeys must be followed by binding signature */
377311
+	    int xx = 1; /* assume failure */
377311
+
377311
+	    if (!(prevtag == PGPTAG_PUBLIC_SUBKEY &&
377311
+		  selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))
377311
+		xx = pgpVerifySelf(digp, selfsig, all, i);
377311
+
377311
+	    selfsig = pgpDigParamsFree(selfsig);
377311
+	    if (xx)
377311
+		break;
377311
+	    expect = 0;
377311
+	}
377311
+
377311
+	if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
377311
+	    expect = PGPTAG_SIGNATURE;
377311
+	prevtag = pkt->tag;
377311
+
377311
+	i++;
377311
+	p += (pkt->body - pkt->head) + pkt->blen;
377311
+	if (pkttype == PGPTAG_SIGNATURE)
377311
+	    break;
377311
+
377311
+	if (alloced <= i) {
377311
+	    alloced *= 2;
377311
+	    all = xrealloc(all, alloced * sizeof(*all));
377311
+	}
377311
     }
377311
 
377311
-    rc = (digp && (p == pend)) ? 0 : -1;
377311
+    rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
377311
 
377311
+    free(all);
377311
     if (ret && rc == 0) {
377311
 	*ret = digp;
377311
     } else {
377311
@@ -1063,8 +1152,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
377311
 		digps = xrealloc(digps, alloced * sizeof(*digps));
377311
 	    }
377311
 
377311
-	    digps[count] = xcalloc(1, sizeof(**digps));
377311
-	    digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
377311
+	    digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
377311
 	    /* Copy UID from main key to subkey */
377311
 	    digps[count]->userid = xstrdup(mainkey->userid);
377311
 
377311
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
377311
index 771d01098..b33fe996c 100644
377311
--- a/sign/rpmgensig.c
377311
+++ b/sign/rpmgensig.c
377311
@@ -409,7 +409,7 @@ static int haveSignature(rpmtd sigtd, Header h)
377311
 	pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2;;
377311
 	if (pgpDigParamsCmp(sig1, sig2) == 0)
377311
 	    rc = 1;
377311
-	pgpDigParamsFree(sig2);
377311
+	sig2 = pgpDigParamsFree(sig2);
377311
     }
377311
     pgpDigParamsFree(sig1);
377311
     rpmtdFreeData(&oldtd);
377311
diff --git a/tests/Makefile.am b/tests/Makefile.am
377311
index 5f5207e56..309347262 100644
377311
--- a/tests/Makefile.am
377311
+++ b/tests/Makefile.am
377311
@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
377311
 EXTRA_DIST += data/SPECS/hello-cd.spec
377311
 EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
377311
 EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
377311
+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
377311
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
377311
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
377311
 EXTRA_DIST += data/macros.testfile
377311
 
377311
 # testsuite voodoo
377311
diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
377311
new file mode 100644
377311
index 000000000..aea00f9d7
377311
--- /dev/null
377311
+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
377311
@@ -0,0 +1,25 @@
377311
+-----BEGIN PGP PUBLIC KEY BLOCK-----
377311
+Version: rpm-4.17.90 (NSS-3)
377311
+
377311
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
377311
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
377311
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
377311
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
377311
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
377311
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
377311
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
377311
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
377311
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
377311
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
377311
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
377311
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
377311
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
377311
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
377311
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
377311
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
377311
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
377311
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
377311
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
377311
+=WCfs
377311
+-----END PGP PUBLIC KEY BLOCK-----
377311
+
377311
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
377311
new file mode 100644
377311
index 000000000..aea00f9d7
377311
--- /dev/null
377311
+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
377311
@@ -0,0 +1,25 @@
377311
+-----BEGIN PGP PUBLIC KEY BLOCK-----
377311
+Version: rpm-4.17.90 (NSS-3)
377311
+
377311
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
377311
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
377311
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
377311
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
377311
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
377311
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
377311
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
377311
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
377311
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
377311
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
377311
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
377311
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
377311
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
377311
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
377311
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
377311
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
377311
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
377311
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
377311
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
377311
+=WCfs
377311
+-----END PGP PUBLIC KEY BLOCK-----
377311
+
377311
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
377311
new file mode 100644
377311
index 000000000..3a2e7417f
377311
--- /dev/null
377311
+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
377311
@@ -0,0 +1,37 @@
377311
+-----BEGIN PGP PUBLIC KEY BLOCK-----
377311
+Version: rpm-4.17.90 (NSS-3)
377311
+
377311
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
377311
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
377311
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
377311
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
377311
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
377311
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
377311
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
377311
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
377311
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
377311
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
377311
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
377311
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
377311
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
377311
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
377311
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
377311
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
377311
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
377311
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
377311
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
377311
+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
377311
+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
377311
+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
377311
+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
377311
+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
377311
+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
377311
+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
377311
+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
377311
+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
377311
+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
377311
+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
377311
+E4XX4jtDmdZPreZALsiB
377311
+=rRop
377311
+-----END PGP PUBLIC KEY BLOCK-----
377311
+
377311
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
377311
index 09fcdd525..a74f400ae 100644
377311
--- a/tests/rpmsigdig.at
377311
+++ b/tests/rpmsigdig.at
377311
@@ -212,6 +212,34 @@ UNW2iqnN3BA7guhOv6OMiROF1+I7Q5nWT63mQC7IgQ==
377311
 [])
377311
 AT_CLEANUP
377311
 
377311
+AT_SETUP([rpmkeys --import invalid keys])
377311
+AT_KEYWORDS([rpmkeys import])
377311
+RPMDB_INIT
377311
+
377311
+AT_CHECK([
377311
+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
377311
+],
377311
+[1],
377311
+[],
377311
+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
377311
+)
377311
+AT_CHECK([
377311
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
377311
+],
377311
+[1],
377311
+[],
377311
+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
377311
+)
377311
+
377311
+AT_CHECK([
377311
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
377311
+],
377311
+[1],
377311
+[],
377311
+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
377311
+)
377311
+AT_CLEANUP
377311
+
377311
 # ------------------------------
377311
 # Test pre-built package verification
377311
 AT_SETUP([rpmkeys -K <signed> 1])
377311
-- 
377311
2.34.1
377311