72 lines
2.5 KiB
Diff
72 lines
2.5 KiB
Diff
From 49feb2253d2376d154a5ff5bfb58ec65c2072b63 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
Date: Tue, 14 Nov 2023 12:30:06 +0100
|
|
Subject: [PATCH 1/3] DNS key verification: Fix parsing an armored PGP key
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
A PGP armor message can contain any amount of headers. Up to Fedora 38
|
|
there was one:
|
|
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
Version: rpm-4.18.0-beta1
|
|
|
|
mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
|
|
[...]
|
|
=CHKS
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
Since Fedora 39 there is none:
|
|
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mQINBGLykg8BEADURjKtgQpQNoluifXia+U3FuqGCTQ1w7iTqx1UvNhLX6tb9Qjy
|
|
l/vjl1iXxucrd2JBnrT/21BdtaABhu2hPy7bpcGEkG8MDinAMZBzcyzHcS/JiGHZ
|
|
[...]
|
|
=CHKS
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
RpmImportedKeys._query_db_for_gpg_keys() assumed exactly one header.
|
|
As a result if gpgkey_dns_verification configuration option was true,
|
|
DNF reported that Fedora 39 keys was revoked because the key
|
|
misextratracted from RPM database did not match a key in DNS:
|
|
|
|
# dnf-3 upgrade
|
|
DNSSEC extension: Testing already imported keys for their validity.
|
|
DNSSEC extension: GPG Key fedora-39-primary@fedoraproject.org has been revoked and should be removed immediately
|
|
|
|
This patch implements skipping all armor headers.
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=2249380
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
dnf/dnssec.py | 11 ++++++++++-
|
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/dnf/dnssec.py b/dnf/dnssec.py
|
|
index a559853d..ba5b80c7 100644
|
|
--- a/dnf/dnssec.py
|
|
+++ b/dnf/dnssec.py
|
|
@@ -275,7 +275,16 @@ class RpmImportedKeys:
|
|
packager = dnf.rpm.getheader(pkg, 'packager')
|
|
email = re.search('<(.*@.*)>', packager).group(1)
|
|
description = dnf.rpm.getheader(pkg, 'description')
|
|
- key_lines = description.split('\n')[3:-3]
|
|
+ # Extract Radix-64-encoded PGP key. Without armor headers and
|
|
+ # a checksum.
|
|
+ key_lines = []
|
|
+ in_headers = True
|
|
+ for line in description.split('\n')[0:-3]:
|
|
+ if in_headers:
|
|
+ if re.match(r'\A\s*\Z', line, re.NOFLAG):
|
|
+ in_headers = False
|
|
+ else:
|
|
+ key_lines.append(line)
|
|
key_str = ''.join(key_lines)
|
|
return_list += [KeyInfo(email, key_str.encode('ascii'))]
|
|
|
|
--
|
|
2.42.0
|
|
|