- Add patch to fix issue with multiple keys in dnf-keyring
This commit is contained in:
parent
651720f744
commit
6a6547208e
228
SOURCES/dnf-keyring-support-multiple-keys.patch
Normal file
228
SOURCES/dnf-keyring-support-multiple-keys.patch
Normal file
@ -0,0 +1,228 @@
|
|||||||
|
From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitriy Popov <dpopov@cloudlinux.com>
|
||||||
|
Date: Wed, 1 May 2024 23:16:47 +0300
|
||||||
|
Subject: [PATCH] dnf-keyring-support-multiple-keys
|
||||||
|
|
||||||
|
Since it is known from the bug (and practically proven) that "rpm --import"
|
||||||
|
is capable of supporting multiple containers in one file, unlike the internal
|
||||||
|
implementation, due to the need to globally rewrite the structure of parameters.
|
||||||
|
|
||||||
|
https://github.com/rpm-software-management/rpm/pull/2242
|
||||||
|
"This does not affect rpmkeys --import because it explicitly checks
|
||||||
|
for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
|
||||||
|
|
||||||
|
The patch implies the logic of the cli rpmcliImportPubkeys
|
||||||
|
in dnf_keyring_add_public_key, except that instead of direct import,
|
||||||
|
it continues to expand the keyring as before, and then imports it,
|
||||||
|
making this change atomic.
|
||||||
|
|
||||||
|
Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
|
||||||
|
---
|
||||||
|
libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
|
||||||
|
1 file changed, 96 insertions(+), 71 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
|
||||||
|
index 62a6248..f4afd35 100644
|
||||||
|
--- a/libdnf/dnf-keyring.cpp
|
||||||
|
+++ b/libdnf/dnf-keyring.cpp
|
||||||
|
@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
|
||||||
|
gboolean ret = TRUE;
|
||||||
|
int rc;
|
||||||
|
gsize len;
|
||||||
|
- pgpArmor armor;
|
||||||
|
pgpDig dig = NULL;
|
||||||
|
rpmPubkey pubkey = NULL;
|
||||||
|
rpmPubkey *subkeys = NULL;
|
||||||
|
int nsubkeys = 0;
|
||||||
|
uint8_t *pkt = NULL;
|
||||||
|
g_autofree gchar *data = NULL;
|
||||||
|
+ char const * const pgpmark = "-----BEGIN PGP ";
|
||||||
|
+ size_t marklen = strlen(pgpmark);
|
||||||
|
+ int keyno = 1;
|
||||||
|
+ char *start = NULL;
|
||||||
|
|
||||||
|
/* ignore symlinks and directories */
|
||||||
|
if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
|
||||||
|
@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
|
||||||
|
if (!ret)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- /* rip off the ASCII armor and parse it */
|
||||||
|
- armor = pgpParsePkts(data, &pkt, &len);
|
||||||
|
- if (armor < 0) {
|
||||||
|
- ret = FALSE;
|
||||||
|
- g_set_error(error,
|
||||||
|
- DNF_ERROR,
|
||||||
|
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
- "failed to parse PKI file %s",
|
||||||
|
- filename);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* make sure it's something we can add to rpm */
|
||||||
|
- if (armor != PGPARMOR_PUBKEY) {
|
||||||
|
- ret = FALSE;
|
||||||
|
- g_set_error(error,
|
||||||
|
- DNF_ERROR,
|
||||||
|
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
- "PKI file %s is not a public key",
|
||||||
|
- filename);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
+ start = strstr(data, pgpmark);
|
||||||
|
|
||||||
|
- /* test each one */
|
||||||
|
- pubkey = rpmPubkeyNew(pkt, len);
|
||||||
|
- if (pubkey == NULL) {
|
||||||
|
- ret = FALSE;
|
||||||
|
- g_set_error(error,
|
||||||
|
- DNF_ERROR,
|
||||||
|
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
- "failed to parse public key for %s",
|
||||||
|
- filename);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* does the key exist in the keyring */
|
||||||
|
- dig = rpmPubkeyDig(pubkey);
|
||||||
|
- rc = rpmKeyringLookup(keyring, dig);
|
||||||
|
- if (rc == RPMRC_OK) {
|
||||||
|
- ret = TRUE;
|
||||||
|
- g_debug("%s is already present", filename);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
+ do {
|
||||||
|
+ uint8_t *pkt = NULL;
|
||||||
|
+ uint8_t *pkti = NULL;
|
||||||
|
+ size_t pktlen = 0;
|
||||||
|
+ size_t certlen;
|
||||||
|
+
|
||||||
|
+ /* Read pgp packet. */
|
||||||
|
+ if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
|
||||||
|
+ pkti = pkt;
|
||||||
|
+
|
||||||
|
+ /* Iterate over certificates in pkt */
|
||||||
|
+ while (pktlen > 0) {
|
||||||
|
+ if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
|
||||||
|
+ g_debug("%s: key %d import failed.\n", filename, keyno);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* test each one */
|
||||||
|
+ pubkey = rpmPubkeyNew(pkti, certlen);
|
||||||
|
+ if (pubkey == NULL) {
|
||||||
|
+ ret = FALSE;
|
||||||
|
+ g_set_error(error,
|
||||||
|
+ DNF_ERROR,
|
||||||
|
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
+ "failed to parse public key for %s",
|
||||||
|
+ filename);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* add to in-memory keyring */
|
||||||
|
+ rc = rpmKeyringAddKey(keyring, pubkey);
|
||||||
|
+ if (rc == 1) {
|
||||||
|
+ ret = TRUE;
|
||||||
|
+ g_debug("%s is already added", filename);
|
||||||
|
+ goto out;
|
||||||
|
+ } else if (rc < 0) {
|
||||||
|
+ ret = FALSE;
|
||||||
|
+ g_set_error(error,
|
||||||
|
+ DNF_ERROR,
|
||||||
|
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
+ "failed to add public key %s to rpmdb",
|
||||||
|
+ filename);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
|
||||||
|
+ for (int i = 0; i < nsubkeys; i++) {
|
||||||
|
+ rpmPubkey subkey = subkeys[i];
|
||||||
|
+ if (rpmKeyringAddKey(keyring, subkey) < 0) {
|
||||||
|
+ ret = FALSE;
|
||||||
|
+ g_set_error(error,
|
||||||
|
+ DNF_ERROR,
|
||||||
|
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
+ "failed to add subkeys for %s to rpmdb",
|
||||||
|
+ filename);
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ pkti += certlen;
|
||||||
|
+ pktlen -= certlen;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ g_debug("%s: key %d not an armored public key.\n", filename, keyno);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- /* add to rpmdb automatically, without a prompt */
|
||||||
|
- rc = rpmKeyringAddKey(keyring, pubkey);
|
||||||
|
- if (rc == 1) {
|
||||||
|
- ret = TRUE;
|
||||||
|
- g_debug("%s is already added", filename);
|
||||||
|
- goto out;
|
||||||
|
- } else if (rc < 0) {
|
||||||
|
- ret = FALSE;
|
||||||
|
- g_set_error(error,
|
||||||
|
- DNF_ERROR,
|
||||||
|
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
- "failed to add public key %s to rpmdb",
|
||||||
|
- filename);
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
+ /* See if there are more keys in the buffer */
|
||||||
|
+ if (start && start + marklen < data + len) {
|
||||||
|
+ start = strstr(start + marklen, pgpmark);
|
||||||
|
+ } else {
|
||||||
|
+ start = NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
|
||||||
|
- for (int i = 0; i < nsubkeys; i++) {
|
||||||
|
- rpmPubkey subkey = subkeys[i];
|
||||||
|
- if (rpmKeyringAddKey(keyring, subkey) < 0) {
|
||||||
|
- ret = FALSE;
|
||||||
|
- g_set_error(error,
|
||||||
|
- DNF_ERROR,
|
||||||
|
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||||
|
- "failed to add subkeys for %s to rpmdb",
|
||||||
|
- filename);
|
||||||
|
- goto out;
|
||||||
|
+ keyno++;
|
||||||
|
+ if (pkt != NULL)
|
||||||
|
+ free(pkt); /* yes, free() */
|
||||||
|
+ pkt = NULL;
|
||||||
|
+ if (pubkey != NULL)
|
||||||
|
+ rpmPubkeyFree(pubkey);
|
||||||
|
+ pubkey = NULL;
|
||||||
|
+ if (subkeys != NULL) {
|
||||||
|
+ for (int i = 0; i < nsubkeys; i++) {
|
||||||
|
+ if (subkeys[i] != NULL) {
|
||||||
|
+ rpmPubkeyFree (subkeys[i]);
|
||||||
|
+ subkeys[i] = NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ free (subkeys);
|
||||||
|
+ subkeys = NULL;
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
+ } while (start != NULL);
|
||||||
|
|
||||||
|
/* success */
|
||||||
|
g_debug("added missing public key %s to rpmdb", filename);
|
||||||
|
@@ -165,7 +188,9 @@ out:
|
||||||
|
rpmPubkeyFree(pubkey);
|
||||||
|
if (subkeys != NULL) {
|
||||||
|
for (int i = 0; i < nsubkeys; i++) {
|
||||||
|
- rpmPubkeyFree(subkeys[i]);
|
||||||
|
+ if (subkeys[i] != NULL) {
|
||||||
|
+ rpmPubkeyFree (subkeys[i]);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
free(subkeys);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
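Review bot: A file in which no armored public key parses is now reported as success: when `pgpParsePkts` does not return `PGPARMOR_PUBKEY` the `else` branch only calls `g_debug("%s: key %d not an armored public key.\n", ...)`, a `pgpPubKeyCertLen` failure only logs and `break`s, the `do`/`while` then ends and execution falls through to the `/* success */` debug line with `ret` still `TRUE`, whereas the removed code set `DNF_ERROR_GPG_SIGNATURE_INVALID` ("PKI file %s is not a public key" / "failed to parse PKI file %s"), so a caller can no longer tell a corrupted or non-key file from an imported one. Counting the certificates actually added and failing after the loop when none were restores that contract (see below). In the same hunk, the `rc == 1` branch still does `goto out`, so when the first key of a multi-key file is already in the keyring the remaining keys are never imported, which defeats the purpose of the change; and every `goto out` inside the `do` block skips the per-iteration `free(pkt)` for the inner `uint8_t *pkt` declared at the top of the block, which shadows the function-scope `pkt` that the `out:` cleanup (outside this hunk) presumably frees, so those paths appear to leak the parsed packet buffer — dropping the inner declaration and reusing the outer `pkt` would avoid that. The enclosing function `dnf_keyring_add_public_key` starts and ends outside the hunk.
```cpp
    int nkeys = 0;   /* certificates actually added to the keyring */
    // … unchanged: pgpmark / marklen / keyno / start setup …
    do {
        // … unchanged: pgpParsePkts, certificate iteration …
            rc = rpmKeyringAddKey(keyring, pubkey);
            // … unchanged: rc == 1 and rc < 0 handling …
            nkeys++;
        // … unchanged: subkeys, advance pkti/pktlen, per-iteration cleanup …
    } while (start != NULL);

    /* Keep the pre-existing contract: a file that yields no public key is an error. */
    if (nkeys == 0) {
        ret = FALSE;
        g_set_error(error,
                    DNF_ERROR,
                    DNF_ERROR_GPG_SIGNATURE_INVALID,
                    "PKI file %s is not a public key",
                    filename);
        goto out;
    }
```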
@ -58,7 +58,7 @@
|
|||||||
|
|
||||||
Name: libdnf
|
Name: libdnf
|
||||||
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
|
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
|
||||||
Release: 19%{?dist}.alma
|
Release: 19%{?dist}.alma.2
|
||||||
Summary: Library providing simplified C and Python API to libsolv
|
Summary: Library providing simplified C and Python API to libsolv
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
URL: https://github.com/rpm-software-management/libdnf
|
URL: https://github.com/rpm-software-management/libdnf
|
||||||
@ -115,7 +115,7 @@ Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
|
|||||||
|
|
||||||
# Almalinux patches
|
# Almalinux patches
|
||||||
Patch10001: almalinux_bugtracker.patch
|
Patch10001: almalinux_bugtracker.patch
|
||||||
|
Patch10002: dnf-keyring-support-multiple-keys.patch
|
||||||
|
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -365,6 +365,9 @@ popd
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2
|
||||||
|
- Add patch to fix issue with multiple keys in dnf-keyring
|
||||||
|
|
||||||
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
|
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
|
||||||
- AlmaLinux changes
|
- AlmaLinux changes
|
||||||
|
|
||||||
|