From a8221a05b6f6f7e96084c9ac6995ebcb1f90027f Mon Sep 17 00:00:00 2001 From: Coiby Xu Date: Thu, 30 Oct 2025 08:59:51 +0800 Subject: [PATCH] Use RSAHEADER to tell if a package has been signed Relates: https://issues.redhat.com/browse/RHEL-92638 Conflict: None commit 47853f2cf6575812d28093b750be2f2e897c153d Author: Coiby Xu Date: Thu Oct 16 17:29:52 2025 +0800 Use RSAHEADER to tell if a package has been signed Packages now use RPM v4 signature %{RSAHEADER}. %{SIGPGP} is the name of the RPM v3 header+payload signature and can't be used to tell if a package has been signed, # uname -r 6.16.10-200.fc42.x86_64 # rpm -q --queryformat "%{SIGPGP:pgpsig}\n" --all|grep -c "^(none)$" 586 # rpm -q --queryformat "%{RSAHEADER}\n" --all|grep -c "^(none)$" 5 Signed-off-by: Coiby Xu Signed-off-by: Coiby Xu --- ima-add-sigs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ima-add-sigs.sh b/ima-add-sigs.sh index 6be5c48..f0e9dd0 100755 --- a/ima-add-sigs.sh +++ b/ima-add-sigs.sh @@ -132,7 +132,7 @@ if [[ -z $reinstall_threshold ]]; then fi fi -unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$") +unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{RSAHEADER}\n" "$package" | grep -c "^(none)$") if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then add_by_reinstall