From a654ea1b9c9b83a89883fd1691fc640a58fd3bec Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Jun 29 2022 06:56:02 +0000
Subject: Give warning on not supported hash for RSA keys
Resolves: #2069877
---
diff --git a/0001-Give-error-message-for-failed-PGP-key-import.patch b/0001-Give-error-message-for-failed-PGP-key-import.patch
deleted file mode 100644
index c3ae790..0000000
--- a/0001-Give-error-message-for-failed-PGP-key-import.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From b105f03f956e6e1523df2ac3fffc86b924fd6e1b Mon Sep 17 00:00:00 2001
-From: Florian Festi
-Date: Thu, 16 Jun 2022 14:29:01 +0200
-Subject: [PATCH] Give error message for failed PGP key import
-
-due to missing SHA1 support
----
- rpmio/rpmpgp.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
-index d0688ebe9..71f8ed192 100644
---- a/rpmio/rpmpgp.c
-+++ b/rpmio/rpmpgp.c
-@@ -860,6 +860,7 @@ int pgpPubkeyFingerprint(const uint8_t *h, size_t hlen,
- *fplen = dlen;
- } else {
- free(d);
-+ rpmlog(RPMLOG_ERR, _("Failed calculating fingerprint of public key. SHA1 not supported.\n"));
- }
- }
-
---
-2.36.1
-
diff --git a/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch b/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
new file mode 100644
index 0000000..24a7326
--- /dev/null
+++ b/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
@@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "rpmio/digest.h"
+
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+
+ ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+ if (ret < 0) {
++ rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+ rc = 1;
+ goto done;
+ }
+--
+2.36.1
+
diff --git a/rpm.spec b/rpm.spec
index 77b0ac7..14e9bf2 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 13 +%global rel 14 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -87,7 +87,7 @@ Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch Patch906: rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form Patch907: rpm-4.15.x-ldflags.patch -Patch908: 0001-Give-error-message-for-failed-PGP-key-import.patch +Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch # Not yet (all) upstream, debugedit DWARF5 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2 
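Review bot: In the added patch's second inner hunk (pgpVerifySigRSA in rpmio/digest_openssl.c), the new warning sits behind the unchanged guard `if (ret < 0)`, so it only fires on a negative return from `EVP_PKEY_CTX_set_signature_md`; OpenSSL documents 0 as a failure value for these EVP_PKEY_CTX control calls too, and in that case neither the warning nor the early `rc = 1` exit runs. Changing the guard to `if (ret <= 0) {` would make the rejection and its log line cover both failure forms; whether a disabled hash can actually produce 0 here is not visible from the hunk. The message is also a bare literal, whereas the patch this commit drops wrapped its text in `_()`; if that macro is in scope in this file, `_("Signature not supported. Hash algorithm %s not available.\n")` keeps it translatable. The function starts and ends outside the hunk.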
@@ -612,8 +612,8 @@ fi %doc doc/librpm/html/* %changelog -* Thu Jun 16 2022 Florian Festi - 4.16.1.3-13 -- Error message for failed key import (#2069877) +* Tue Jun 28 2022 Florian Festi - 4.16.1.3-14 +- Warning for failed key import (#2069877) * Tue Apr 05 2022 Michal Domonkos - 4.16.1.3-12 - Fix minor ABI regression in rpmcli.h (#2037352)