From f109c57ab18d8b1a80e707df3c3f7ad8930bdd42 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Tue, 27 Apr 2021 21:07:19 -0400
Subject: [PATCH] Pass the package to rpmkeys stdin
This avoids having to compute the expected stdout value, which will
always be the constant "-: digests signatures OK\n".
---
dnf/rpm/miscutils.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
index 7e33d4c4..5f2621c2 100644
--- a/dnf/rpm/miscutils.py
+++ b/dnf/rpm/miscutils.py
@@ -29,7 +29,8 @@ from shutil import which
logger = logging.getLogger('dnf')
-def _verifyPkgUsingRpmkeys(package, installroot):
+def _verifyPkgUsingRpmkeys(package, installroot, fdno):
+ os.lseek(fdno, 0, os.SEEK_SET)
rpmkeys_binary = '/usr/bin/rpmkeys'
if not os.path.isfile(rpmkeys_binary):
rpmkeys_binary = which("rpmkeys")
@@ -40,15 +41,16 @@ def _verifyPkgUsingRpmkeys(package, installroot):
logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
return 0
- args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '--', package)
+ args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
with subprocess.Popen(
args=args,
executable=rpmkeys_binary,
env={'LC_ALL': 'C'},
+ stdin=fdno,
stdout=subprocess.PIPE,
cwd='/') as p:
data, err = p.communicate()
- if p.returncode != 0 or data != (package.encode('ascii', 'strict') + b': digests signatures OK\n'):
+ if p.returncode != 0 or data != b'-: digests signatures OK\n':
return 0
else:
return 1
@@ -85,7 +87,7 @@ def checkSig(ts, package):
if siginfo == '(none)':
value = 4
- elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
+ elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
value = 0
else:
raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
--
2.35.1