From 8fefd2bd21b30996ad0748eab6baadf915610642 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 13 Aug 2020 13:29:10 +0300
Subject: [PATCH] Work around buggy signature region preventing resigning
 (RhBug:1851508)

Various proprietary packages in the wild have subtly malformed data
in the signature header, in particular wrt the immutable region size,
presumably from using some in-house/3rd party signing tools which do
not understand the immutable region business at all. This can prevent
resigning and signature deletion on such packages due to the more
thorough checking that rpmsign does.

As the old wisdom goes, be liberal in what you accept... we can easily
work around the crud by just taking a fresh copy of the contents that
are legit as such (otherwise the package would be uninstallable).


Adjusted for 4.14.3

--- rpm-4.14.3/sign/rpmgensig.c.orig	2020-10-29 16:00:38.785229048 +0100
+++ rpm-4.14.3/sign/rpmgensig.c	2020-10-29 16:08:55.997791345 +0100
@@ -401,12 +401,19 @@
 
     if (headerGet(*hdrp, tag, utd, HEADERGET_DEFAULT)) {
 	oh = headerCopyLoad(utd->data);
-	nh = headerCopy(oh);
-	headerFree(oh);
 	rpmtdFreeData(utd);
+    } else {
+	/* XXX should we warn if the immutable region is corrupt/missing? */
+	oh = headerLink(*hdrp);
+    }
+
+    if (oh) {
+	/* Perform a copy to eliminate crud from buggy signing tools etc */
+	nh = headerCopy(oh);
 	headerFree(*hdrp);
 	*hdrp = headerLink(nh);
 	headerFree(nh);
+	headerFree(oh);
     }
 }