import CS dnf-plugins-core-4.3.0-26.el9

SOURCES/0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch

@@ -0,0 +1,78 @@
+From e1aebc68eb031f3e91ed39a0b145589f1a4a1734 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 3 Oct 2025 12:23:11 +0200
+Subject: [PATCH] multisig: Rename dnf4-multisig(8) manual page to
+ dnf-multisig(8)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To align with all other plugin manual pages.
+Create dnf4-multisig(8) symlink for compatibility.
+
+FILE(CREATE_LINK) is available since cmake 3.14.
+
+Resolve: https://issues.redhat.com/browse/RHEL-117134
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ CMakeLists.txt        | 2 +-
+ dnf-plugins-core.spec | 2 +-
+ doc/CMakeLists.txt    | 4 ++++
+ doc/conf.py           | 2 +-
+ 4 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index a1eea7b..86225e7 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ PROJECT (dnf-plugins-core NONE)
+-CMAKE_MINIMUM_REQUIRED (VERSION 2.4)
++CMAKE_MINIMUM_REQUIRED (VERSION 3.14)
+ 
+ if (NOT WITHOUT_LOCAL)
+     set (WITHOUT_LOCAL "0")
+diff --git a/dnf-plugins-core.spec b/dnf-plugins-core.spec
+index cb3b1b8..ff6beea 100644
+--- a/dnf-plugins-core.spec
++++ b/dnf-plugins-core.spec
+@@ -40,7 +40,7 @@ License:        GPLv2+
+ URL:            https://github.com/rpm-software-management/dnf-plugins-core
+ Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+ BuildArch:      noarch
+-BuildRequires:  cmake
++BuildRequires:  cmake >= 3.14
+ BuildRequires:  gettext
+ # Documentation
+ %if %{with python3}
+diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
+index 297506a..75e74bb 100644
+--- a/doc/CMakeLists.txt
++++ b/doc/CMakeLists.txt
+@@ -48,6 +48,10 @@ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/dnf-migrate.8
+ endif()
+ 
+ if (${PYTHON_VERSION_MAJOR} STREQUAL "3")
++INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/dnf-multisig.8
++        DESTINATION share/man/man8)
++FILE(CREATE_LINK dnf-multisig.8 ${CMAKE_CURRENT_BINARY_DIR}/dnf4-multisig.8
++        SYMBOLIC)
+ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/dnf4-multisig.8
+         DESTINATION share/man/man8)
+ endif()
+diff --git a/doc/conf.py b/doc/conf.py
+index 2845d18..225ae5f 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -301,7 +301,7 @@ if sys.version_info[0] < 3:
+     man_pages.append(('migrate', 'dnf-migrate', u'DNF migrate Plugin', AUTHORS, 8))
+ 
+ if sys.version_info[0] == 3:
+-    man_pages.append(('multisig', 'dnf4-multisig', u'DNF multisig Plugin', AUTHORS, 8))
++    man_pages.append(('multisig', 'dnf-multisig', u'DNF multisig Plugin', AUTHORS, 8))
+ 
+ # If true, show URL addresses after external links.
+ #man_show_urls = False
+-- 
+2.51.0
+

SOURCES/0026-versionlock-Document-that-local-packages-are-not-aff.patch

@@ -0,0 +1,36 @@
+From c3ddd35dc52d504b8c2875fccaf2559a02ca1a77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 1 Dec 2025 17:40:46 +0100
+Subject: [PATCH] versionlock: Document that local packages are not affected
+
+Upstream commit: fa966d83e340c5df12942656da0f8c5c66eac556
+
+Local packages are added to a sack after the versionlock plugin logic
+runs, so the plugin cannot exclude them from an installation.
+
+This patch documents this deficiency.
+
+Resolve: #585
+Resolve: https://issues.redhat.com/browse/RHEL-94014
+Resolve: https://issues.redhat.com/browse/RHEL-94828
+---
+ doc/versionlock.rst | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/doc/versionlock.rst b/doc/versionlock.rst
+index 1ac7196..c4a931c 100644
+--- a/doc/versionlock.rst
++++ b/doc/versionlock.rst
+@@ -47,6 +47,9 @@ excludes a package that matches the version exactly.
+ Note the versionlock plugin does not apply any excludes in non-transactional
+ operations like `repoquery`, `list`, `info`, etc.
+ 
++Note that the versionlock plugin only applies to in-repository packages.
++Packages passed on the DNF command line as local files won't be affected.
++
+ --------
+ Synopsis
+ --------
+-- 
+2.52.0
+

SOURCES/0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch

@@ -0,0 +1,92 @@
+From d5845419b417241436d5104e352e6891f1a4ceac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 30 Jan 2026 17:13:55 +0100
+Subject: [PATCH] multisig: Ignore untrusted signatures if there is trusted one
+
+Ported from dnf commit: 00fef9ad0d761eccf8d86580e031f442af9cd8ef
+
+With RPMv6 signatures, there can be multiple signatures attached to
+a single package. If some signatures are made with an algorithm
+disabled in a system-wide crypto policy (e.g. rsa4096 = "never" in
+/etc/crypto-policies/back-ends/rpm-sequoia.config), but other
+signatures are valid and trusted, so that the package is overall
+correctly signed:
+
+    # /usr/lib/pqrpm/bin/rpmkeys -v -K ./foo-0-1.fc43.noarch.rpm; echo $?
+    ./foo-0-1.fc43.noarch.rpm:
+	Header V4 EdDSA/SHA512 Signature, key ID e2b145f3: OK
+	Header V4 RSA/SHA512 Signature, key ID b5e56945: NOTTRUSTED
+	Header SHA256 digest: OK
+	Header SHA1 digest: OK
+	Payload SHA256 digest: OK
+    0
+
+DNF failed like this:
+
+    [...]
+    Is this ok [y/N]: y
+    Downloading Packages:
+    Running transaction check
+    Transaction check succeeded.
+    Running transaction test
+    Transaction test succeeded.
+    norsa                                                                  1.6 MB/s | 1.6 kB     00:00
+    Importing GPG keys from: /root/repos/norsa/rsa.key
+    Is this ok [y/N]: y
+    Key import failed. Failing package is: foo-0-1.fc43.noarch
+     GPG Keys are configured as: file:///root/repos/norsa/rsa.key, file:///root/repos/norsa/eddsa.key
+    Error: GPG check FAILED
+
+The cause was that an output of pqrpm's "rpmkeys -v -K" tool executed
+indirectly by Multisig plugin was incorrectly parsed in
+_process_rpm_output() function. That function assumed that only one
+signature can exist and reported on any NOTTRUSTED record that the
+package is not trustfully signed.
+
+As a result, the plugin attempted to (re)import all the signing keys. But
+importing a key with the disabled algorithm failed and DNF errored.
+
+This patch fixes parsing the rpmkeys output to ignore all untrusted
+signatures if there is at least one signature trusted.
+
+Resolve: https://issues.redhat.com/browse/RHEL-145372
+---
+ plugins/multisig.py | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/multisig.py b/plugins/multisig.py
+index f29e41f..b05704c 100644
+--- a/plugins/multisig.py
++++ b/plugins/multisig.py
+@@ -55,7 +55,7 @@ class MultiSig(dnf.Plugin):
+         # last newline.
+         if len(data) < 3 or data[0] != b'-:' or data[-1]:
+             return 2
+-        seen_sig, missing_key, not_trusted, not_signed = False, False, False, False
++        trusted_sig, missing_key, not_trusted, not_signed = False, False, False, False
+         for i in data[1:-1]:
+             if b': BAD' in i:
+                 return 2
+@@ -65,12 +65,16 @@ class MultiSig(dnf.Plugin):
+                 not_trusted = True
+             elif i.endswith(b': NOTFOUND'):
+                 not_signed = True
++            # Some rpmkeys versions print Signature, some signature, accept both.
++            elif i.endswith(b': OK') and b'ignature,' in i:
++                trusted_sig = True
+             elif not i.endswith(b': OK'):
+                 return 2
+-        if not_trusted:
+-            return 3
+-        elif missing_key:
++        if missing_key:
+             return 1
++        elif not trusted_sig and not_trusted:
++            # Do not report untrusted signatures if there is a trusted one
++            return 3
+         elif not_signed:
+             return 4
+         # we still check return code, so this is safe
+-- 
+2.53.0
+

SPECS/dnf-plugins-core.spec

@@ -34,7 +34,7 @@
 
 Name:           dnf-plugins-core
 Version:        4.3.0
-Release:        23%{?dist}
+Release:        26%{?dist}
 Summary:        Core Plugins for DNF
 License:        GPLv2+
 URL:            https://github.com/rpm-software-management/dnf-plugins-core
@@ -60,9 +60,12 @@ Patch21:        0021-dnf-copr-enable-on-Asahi-Fedora-Linux-Remix-guesses.patch
 Patch22:        0022-reposync-Avoid-multiple-downloads-of-duplicate-packa.patch
 Patch23:        0023-multisig-A-new-plugin-for-verifying-extraordinary-RP.patch
 Patch24:        0024-multisig-Do-not-parse-OpenPGP-keys.patch
+Patch25:        0025-multisig-Rename-dnf4-multisig-8-manual-page-to-dnf-m.patch
+Patch26:        0026-versionlock-Document-that-local-packages-are-not-aff.patch
+Patch27:        0027-multisig-Ignore-untrusted-signatures-if-there-is-tru.patch
 
 BuildArch:      noarch
-BuildRequires:  cmake
+BuildRequires:  cmake >= 3.14
 BuildRequires:  gettext
 # Documentation
 %if %{with python3}
@@ -826,6 +829,15 @@ ln -sf %{_mandir}/man1/%{yum_utils_subpackage_name}.1.gz %{buildroot}%{_mandir}/
 %endif
 
 %changelog
+* Wed Feb 11 2026 Petr Pisar <ppisar@redhat.com> - 4.3.0-26
+- Multisig: ignore untrusted signatures if there is trusted one (RHEL-145372)
+
+* Tue Dec 02 2025 Petr Pisar <ppisar@redhat.com> - 4.3.0-25
+- Document that local packages are not affected by versionlock (RHEL-94014)
+
+* Fri Oct 03 2025 Petr Pisar <ppisar@redhat.com> - 4.3.0-24
+- Rename dnf4-multisig(8) manual page to dnf-multisig(8) (RHEL-117134)
+
 * Mon Sep 15 2025 Petr Pisar <ppisar@redhat.com> - 4.3.0-23
 - Fix importing OpenPGPv6 keys (RHEL-114424)