From 46c0694ce0b9a2fe357403c998d30ec807e07015 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Tue, 15 Mar 2022 10:22:49 +0000

Subject: [PATCH] daemon/rpm-c.c: Disable signature checking in librpm

Older distros (eg CentOS 6) used SHA-1 RPM package signatures which

some newer distros (eg RHEL 9.0) prevent us from verifying.

This resulted in packages with SHA-1 signatures being skipped by

librpm (there is a warning in debug output, but if you're not looking

at that then the package is silently ignored).  In some cases

essential packages like the kernel were skipped, which would be

visible as a failure of virt-v2v.  In other cases (eg virt-inspector)

you'd just see fewer installed packages in the <applications> list.

Since verifying package signatures is not essential for inspection,

disable this feature in librpm.

Reported-by: Xiaodai Wang

Thanks: Panu Matilainen

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2064182

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>

(cherry picked from commit aa6f8038f826bfb37ddbbb575e6962e1e181c5e8)

---

 daemon/rpm-c.c | 5 +++++

 1 file changed, 5 insertions(+)

diff --git a/daemon/rpm-c.c b/daemon/rpm-c.c

index be0e81e22..020fc588e 100644

--- a/daemon/rpm-c.c

+++ b/daemon/rpm-c.c

@@ -90,7 +90,12 @@ value

 guestfs_int_daemon_rpm_start_iterator (value unitv)

 {

   CAMLparam1 (unitv);

+

   ts = rpmtsCreate ();

+

+  /* Disable signature checking (RHBZ#2064182). */

+  rpmtsSetVSFlags (ts, rpmtsVSFlags (ts) | RPMVSF_MASK_NOSIGNATURES);

+

   iter = rpmtsInitIterator (ts, RPMDBI_PACKAGES, NULL, 0);

   CAMLreturn (Val_unit);

 }

-- 

2.31.1