diff --git a/SOURCES/dnf-keyring-support-multiple-keys.patch b/SOURCES/dnf-keyring-support-multiple-keys.patch
new file mode 100644
index 0000000..1c425df
--- /dev/null
+++ b/SOURCES/dnf-keyring-support-multiple-keys.patch
@@ -0,0 +1,228 @@
+From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
+From: Dmitriy Popov
+Date: Wed, 1 May 2024 23:16:47 +0300
+Subject: [PATCH] dnf-keyring-support-multiple-keys
+
+Since it is known from the bug (and practically proven) that "rpm --import"
+is capable of supporting multiple containers in one file, unlike the internal
+implementation, due to the need to globally rewrite the structure of parameters.
+
+https://github.com/rpm-software-management/rpm/pull/2242
+"This does not affect rpmkeys --import because it explicitly checks
+for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
+
+The patch implies the logic of the cli rpmcliImportPubkeys
+in dnf_keyring_add_public_key, except that instead of direct import,
+it continues to expand the keyring as before, and then imports it,
+making this change atomic.
+
+Signed-off-by: Dmitriy Popov
+---
+ libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
+ 1 file changed, 96 insertions(+), 71 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index 62a6248..f4afd35 100644
+--- a/libdnf/dnf-keyring.cpp
++++ b/libdnf/dnf-keyring.cpp
+@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+ gboolean ret = TRUE;
+ int rc;
+ gsize len;
+- pgpArmor armor;
+ pgpDig dig = NULL;
+ rpmPubkey pubkey = NULL;
+ rpmPubkey *subkeys = NULL;
+ int nsubkeys = 0;
+ uint8_t *pkt = NULL;
+ g_autofree gchar *data = NULL;
++ char const * const pgpmark = "-----BEGIN PGP ";
++ size_t marklen = strlen(pgpmark);
++ int keyno = 1;
++ char *start = NULL;
+
+ /* ignore symlinks and directories */
+ if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
+@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+ if (!ret)
+ goto out;
+
+- /* rip off the ASCII armor and parse it */
+- armor = pgpParsePkts(data, &pkt, &len);
+- if (armor < 0) {
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "failed to parse PKI file %s",
+- filename);
+- goto out;
+- }
+-
+- /* make sure it's something we can add to rpm */
+- if (armor != PGPARMOR_PUBKEY) {
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "PKI file %s is not a public key",
+- filename);
+- goto out;
+- }
++ start = strstr(data, pgpmark);
+
+- /* test each one */
+- pubkey = rpmPubkeyNew(pkt, len);
+- if (pubkey == NULL) {
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "failed to parse public key for %s",
+- filename);
+- goto out;
+- }
+-
+- /* does the key exist in the keyring */
+- dig = rpmPubkeyDig(pubkey);
+- rc = rpmKeyringLookup(keyring, dig);
+- if (rc == RPMRC_OK) {
+- ret = TRUE;
+- g_debug("%s is already present", filename);
+- goto out;
+- }
++ do {
++ uint8_t *pkt = NULL;
++ uint8_t *pkti = NULL;
++ size_t pktlen = 0;
++ size_t certlen;
++
++ /* Read pgp packet. */
++ if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
++ pkti = pkt;
++
++ /* Iterate over certificates in pkt */
++ while (pktlen > 0) {
++ if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
++ g_debug("%s: key %d import failed.\n", filename, keyno);
++ break;
++ }
++
++ /* test each one */
++ pubkey = rpmPubkeyNew(pkti, certlen);
++ if (pubkey == NULL) {
++ ret = FALSE;
++ g_set_error(error,
++ DNF_ERROR,
++ DNF_ERROR_GPG_SIGNATURE_INVALID,
++ "failed to parse public key for %s",
++ filename);
++ goto out;
++ }
++
++ /* add to in-memory keyring */
++ rc = rpmKeyringAddKey(keyring, pubkey);
++ if (rc == 1) {
++ ret = TRUE;
++ g_debug("%s is already added", filename);
++ goto out;
++ } else if (rc < 0) {
++ ret = FALSE;
++ g_set_error(error,
++ DNF_ERROR,
++ DNF_ERROR_GPG_SIGNATURE_INVALID,
++ "failed to add public key %s to rpmdb",
++ filename);
++ goto out;
++ }
++
++ subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
++ for (int i = 0; i < nsubkeys; i++) {
++ rpmPubkey subkey = subkeys[i];
++ if (rpmKeyringAddKey(keyring, subkey) < 0) {
++ ret = FALSE;
++ g_set_error(error,
++ DNF_ERROR,
++ DNF_ERROR_GPG_SIGNATURE_INVALID,
++ "failed to add subkeys for %s to rpmdb",
++ filename);
++ goto out;
++ }
++ }
++
++ pkti += certlen;
++ pktlen -= certlen;
++ }
++ } else {
++ g_debug("%s: key %d not an armored public key.\n", filename, keyno);
++ }
+
+- /* add to rpmdb automatically, without a prompt */
+- rc = rpmKeyringAddKey(keyring, pubkey);
+- if (rc == 1) {
+- ret = TRUE;
+- g_debug("%s is already added", filename);
+- goto out;
+- } else if (rc < 0) {
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "failed to add public key %s to rpmdb",
+- filename);
+- goto out;
+- }
++ /* See if there are more keys in the buffer */
++ if (start && start + marklen < data + len) {
++ start = strstr(start + marklen, pgpmark);
++ } else {
++ start = NULL;
++ }
+
+- subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
+- for (int i = 0; i < nsubkeys; i++) {
+- rpmPubkey subkey = subkeys[i];
+- if (rpmKeyringAddKey(keyring, subkey) < 0) {
+- ret = FALSE;
+- g_set_error(error,
+- DNF_ERROR,
+- DNF_ERROR_GPG_SIGNATURE_INVALID,
+- "failed to add subkeys for %s to rpmdb",
+- filename);
+- goto out;
++ keyno++;
++ if (pkt != NULL)
++ free(pkt); /* yes, free() */
++ pkt = NULL;
++ if (pubkey != NULL)
++ rpmPubkeyFree(pubkey);
++ pubkey = NULL;
++ if (subkeys != NULL) {
++ for (int i = 0; i < nsubkeys; i++) {
++ if (subkeys[i] != NULL) {
++ rpmPubkeyFree (subkeys[i]);
++ subkeys[i] = NULL;
++ }
++ }
++ free (subkeys);
++ subkeys = NULL;
+ }
+- }
++ } while (start != NULL);
+
+ /* success */
+ g_debug("added missing public key %s to rpmdb", filename);
+@@ -165,7 +188,9 @@ out:
+ rpmPubkeyFree(pubkey);
+ if (subkeys != NULL) {
+ for (int i = 0; i < nsubkeys; i++) {
+- rpmPubkeyFree(subkeys[i]);
++ if (subkeys[i] != NULL) {
++ rpmPubkeyFree (subkeys[i]);
++ }
+ }
+ free(subkeys);
+ }
+--
+2.34.1
+
diff --git a/SPECS/libdnf.spec b/SPECS/libdnf.spec
index 3966743..68c12c8 100644
--- a/SPECS/libdnf.spec
+++ b/SPECS/libdnf.spec @@ -58,7 +58,7 @@ Name: libdnf Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} -Release: 19%{?dist}.alma +Release: 19%{?dist}.alma.2 Summary: Library providing simplified C and Python API to libsolv License: LGPLv2+ URL: https://github.com/rpm-software-management/libdnf @@ -115,7 +115,7 @@ Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch # Almalinux patches Patch10001: almalinux_bugtracker.patch - +Patch10002: dnf-keyring-support-multiple-keys.patch BuildRequires: cmake BuildRequires: gcc @@ -365,6 +365,9 @@ popd %endif %changelog +* Wed Mar 27 2024 Eduard Abdullin - 0.63.0-19.alma.2 +- Add patch to fix issue with multiple keys in dnf-keyring + * Wed Mar 27 2024 Eduard Abdullin - 0.63.0-19.alma - AlmaLinux changes