- Add patch to fix issue with multiple keys in dnf-keyring

This commit is contained in:
eabdullin 2024-05-02 13:51:56 +03:00
parent 651720f744
commit 6a6547208e
2 changed files with 233 additions and 2 deletions

View File

@ -0,0 +1,228 @@
From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
From: Dmitriy Popov <dpopov@cloudlinux.com>
Date: Wed, 1 May 2024 23:16:47 +0300
Subject: [PATCH] dnf-keyring-support-multiple-keys
Since it is known from the bug (and practically proven) that "rpm --import"
is capable of supporting multiple containers in one file, unlike the internal
implementation, due to the need to globally rewrite the structure of parameters.
https://github.com/rpm-software-management/rpm/pull/2242
"This does not affect rpmkeys --import because it explicitly checks
for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
The patch implies the logic of the cli rpmcliImportPubkeys
in dnf_keyring_add_public_key, except that instead of direct import,
it continues to expand the keyring as before, and then imports it,
making this change atomic.
Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
---
libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
1 file changed, 96 insertions(+), 71 deletions(-)
diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
index 62a6248..f4afd35 100644
--- a/libdnf/dnf-keyring.cpp
+++ b/libdnf/dnf-keyring.cpp
@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
gboolean ret = TRUE;
int rc;
gsize len;
- pgpArmor armor;
pgpDig dig = NULL;
rpmPubkey pubkey = NULL;
rpmPubkey *subkeys = NULL;
int nsubkeys = 0;
uint8_t *pkt = NULL;
g_autofree gchar *data = NULL;
+ char const * const pgpmark = "-----BEGIN PGP ";
+ size_t marklen = strlen(pgpmark);
+ int keyno = 1;
+ char *start = NULL;
/* ignore symlinks and directories */
if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
if (!ret)
goto out;
- /* rip off the ASCII armor and parse it */
- armor = pgpParsePkts(data, &pkt, &len);
- if (armor < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to parse PKI file %s",
- filename);
- goto out;
- }
-
- /* make sure it's something we can add to rpm */
- if (armor != PGPARMOR_PUBKEY) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "PKI file %s is not a public key",
- filename);
- goto out;
- }
+ start = strstr(data, pgpmark);
- /* test each one */
- pubkey = rpmPubkeyNew(pkt, len);
- if (pubkey == NULL) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to parse public key for %s",
- filename);
- goto out;
- }
-
- /* does the key exist in the keyring */
- dig = rpmPubkeyDig(pubkey);
- rc = rpmKeyringLookup(keyring, dig);
- if (rc == RPMRC_OK) {
- ret = TRUE;
- g_debug("%s is already present", filename);
- goto out;
- }
+ do {
+ uint8_t *pkt = NULL;
+ uint8_t *pkti = NULL;
+ size_t pktlen = 0;
+ size_t certlen;
+
+ /* Read pgp packet. */
+ if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
+ pkti = pkt;
+
+ /* Iterate over certificates in pkt */
+ while (pktlen > 0) {
+ if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
+ g_debug("%s: key %d import failed.\n", filename, keyno);
+ break;
+ }
+
+ /* test each one */
+ pubkey = rpmPubkeyNew(pkti, certlen);
+ if (pubkey == NULL) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to parse public key for %s",
+ filename);
+ goto out;
+ }
+
+ /* add to in-memory keyring */
+ rc = rpmKeyringAddKey(keyring, pubkey);
+ if (rc == 1) {
+ ret = TRUE;
+ g_debug("%s is already added", filename);
+ goto out;
+ } else if (rc < 0) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to add public key %s to rpmdb",
+ filename);
+ goto out;
+ }
+
+ subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
+ for (int i = 0; i < nsubkeys; i++) {
+ rpmPubkey subkey = subkeys[i];
+ if (rpmKeyringAddKey(keyring, subkey) < 0) {
+ ret = FALSE;
+ g_set_error(error,
+ DNF_ERROR,
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
+ "failed to add subkeys for %s to rpmdb",
+ filename);
+ goto out;
+ }
+ }
+
+ pkti += certlen;
+ pktlen -= certlen;
+ }
+ } else {
+ g_debug("%s: key %d not an armored public key.\n", filename, keyno);
+ }
- /* add to rpmdb automatically, without a prompt */
- rc = rpmKeyringAddKey(keyring, pubkey);
- if (rc == 1) {
- ret = TRUE;
- g_debug("%s is already added", filename);
- goto out;
- } else if (rc < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to add public key %s to rpmdb",
- filename);
- goto out;
- }
+ /* See if there are more keys in the buffer */
+ if (start && start + marklen < data + len) {
+ start = strstr(start + marklen, pgpmark);
+ } else {
+ start = NULL;
+ }
- subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
- for (int i = 0; i < nsubkeys; i++) {
- rpmPubkey subkey = subkeys[i];
- if (rpmKeyringAddKey(keyring, subkey) < 0) {
- ret = FALSE;
- g_set_error(error,
- DNF_ERROR,
- DNF_ERROR_GPG_SIGNATURE_INVALID,
- "failed to add subkeys for %s to rpmdb",
- filename);
- goto out;
+ keyno++;
+ if (pkt != NULL)
+ free(pkt); /* yes, free() */
+ pkt = NULL;
+ if (pubkey != NULL)
+ rpmPubkeyFree(pubkey);
+ pubkey = NULL;
+ if (subkeys != NULL) {
+ for (int i = 0; i < nsubkeys; i++) {
+ if (subkeys[i] != NULL) {
+ rpmPubkeyFree (subkeys[i]);
+ subkeys[i] = NULL;
+ }
+ }
+ free (subkeys);
+ subkeys = NULL;
}
- }
+ } while (start != NULL);
/* success */
g_debug("added missing public key %s to rpmdb", filename);
@@ -165,7 +188,9 @@ out:
rpmPubkeyFree(pubkey);
if (subkeys != NULL) {
for (int i = 0; i < nsubkeys; i++) {
- rpmPubkeyFree(subkeys[i]);
+ if (subkeys[i] != NULL) {
+ rpmPubkeyFree (subkeys[i]);
+ }
}
free(subkeys);
}
--
2.34.1

View File

@ -58,7 +58,7 @@
Name: libdnf Name: libdnf
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
Release: 19%{?dist}.alma Release: 19%{?dist}.alma.2
Summary: Library providing simplified C and Python API to libsolv Summary: Library providing simplified C and Python API to libsolv
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/rpm-software-management/libdnf URL: https://github.com/rpm-software-management/libdnf
@ -115,7 +115,7 @@ Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
# Almalinux patches # Almalinux patches
Patch10001: almalinux_bugtracker.patch Patch10001: almalinux_bugtracker.patch
Patch10002: dnf-keyring-support-multiple-keys.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc BuildRequires: gcc
@ -365,6 +365,9 @@ popd
%endif %endif
%changelog %changelog
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2
- Add patch to fix issue with multiple keys in dnf-keyring
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma * Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
- AlmaLinux changes - AlmaLinux changes