SOURCES/0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch

@@ -1,93 +0,0 @@
-From 8eac75556d0f53f3ba6cd12d2545bc8dbebb11f4 Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Tue, 4 Jun 2024 06:57:19 -0400
-Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The default for container execution is that `/sys/fs/selinux`
-is not mounted, and the libselinux library function `is_selinux_enabled`
-should be used to dynamically check if the system should attempt to perform SELinux labeling.
-
-This is how it's done by rpm, ostree, and systemd for example.
-
-But this code unconditionally tries to label if it finds a policy,
-which breaks in an obscure corner case
-when executed inside a container that includes policy files (e.g.
-fedora/rhel-bootc) but when we're not using overlayfs for the backend
-(with BUILDAH_BACKEND=vfs).
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++---------------------
- 1 file changed, 26 insertions(+), 24 deletions(-)
-
-diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp
-index 68b82ccc..4f646f8c 100644
---- a/libdnf/repo/Repo.cpp
-+++ b/libdnf/repo/Repo.cpp
-@@ -676,34 +676,36 @@ static int create_temporary_directory(char *name_template) {
-     int old_default_context_was_retrieved= 0;
-     struct selabel_handle *labeling_handle = NULL;
- 
--    /* A purpose of this piece of code is to deal with applications whose
--     * security policy overrides a file context for temporary files but don't
--     * know that libdnf executes GnuPG which expects a default file context. */
--    if (0 == getfscreatecon(&old_default_context)) {
--        old_default_context_was_retrieved = 1;
--    } else {
--        logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
--    }
-+    if (is_selinux_enabled()) {
-+        /* A purpose of this piece of code is to deal with applications whose
-+         * security policy overrides a file context for temporary files but don't
-+         * know that libdnf executes GnuPG which expects a default file context. */
-+        if (0 == getfscreatecon(&old_default_context)) {
-+            old_default_context_was_retrieved = 1;
-+        } else {
-+            logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
-+        }
- 
--    labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
--    if (NULL == labeling_handle) {
--        logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
--                    strerror(errno)));
--    } else {
--        if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
--            /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
--             * that value should be really defined in default file context
--             * SELinux policy. Only log that the policy is incpomplete. */
--            logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
--                        name_template));
-+        labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-+        if (NULL == labeling_handle) {
-+            logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
-+                        strerror(errno)));
-         } else {
--            if (setfscreatecon(new_default_context)) {
--                logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
--                            new_default_context));
-+            if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
-+                /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
-+                 * that value should be really defined in default file context
-+                 * SELinux policy. Only log that the policy is incpomplete. */
-+                logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
-+                            name_template));
-+            } else {
-+                if (setfscreatecon(new_default_context)) {
-+                    logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
-+                                new_default_context));
-+                }
-+                freecon(new_default_context);
-             }
--            freecon(new_default_context);
-+            selabel_close(labeling_handle);
-         }
--        selabel_close(labeling_handle);
-     }
- #endif
- 
--- 
-2.45.2
-

SOURCES/almalinux_bugtracker.patch

@@ -0,0 +1,23 @@
+diff -aruN libdnf-0.63.0/docs/hawkey/conf.py libdnf-0.63.0_alma/docs/hawkey/conf.py
+--- libdnf-0.63.0/docs/hawkey/conf.py	2021-05-18 17:07:23.000000000 +0300
++++ libdnf-0.63.0_alma/docs/hawkey/conf.py	2021-12-30 11:03:39.179244600 +0300
+@@ -260,6 +260,6 @@
+ rst_prolog = """
+ .. default-domain:: py
+ .. _libsolv: https://github.com/openSUSE/libsolv
+-.. _bugzilla: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=hawkey
++.. _bugzilla: https://bugs.almalinux.org/
+ 
+ """
+diff -aruN libdnf-0.63.0/libdnf/conf/Const.hpp libdnf-0.63.0_alma/libdnf/conf/Const.hpp
+--- libdnf-0.63.0/libdnf/conf/Const.hpp	2021-05-18 17:07:23.000000000 +0300
++++ libdnf-0.63.0_alma/libdnf/conf/Const.hpp	2021-12-30 11:03:47.004789800 +0300
+@@ -41,7 +41,7 @@
+                  "installonlypkg(vm)",
+                  "multiversion(kernel)"};
+ 
+-constexpr const char * BUGTRACKER="https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf";
++constexpr const char * BUGTRACKER="https://bugs.almalinux.org/";
+ 
+ }
+ 

SOURCES/dnf-keyring-support-multiple-keys.patch

@@ -0,0 +1,228 @@
+From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
+From: Dmitriy Popov <dpopov@cloudlinux.com>
+Date: Wed, 1 May 2024 23:16:47 +0300
+Subject: [PATCH] dnf-keyring-support-multiple-keys
+
+Since it is known from the bug (and practically proven) that "rpm --import"
+is capable of supporting multiple containers in one file, unlike the internal
+implementation, due to the need to globally rewrite the structure of parameters.
+
+https://github.com/rpm-software-management/rpm/pull/2242
+"This does not affect rpmkeys --import because it explicitly checks
+for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
+
+The patch implies the logic of the cli rpmcliImportPubkeys
+in dnf_keyring_add_public_key, except that instead of direct import,
+it continues to expand the keyring as before, and then imports it,
+making this change atomic.
+
+Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
+---
+ libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
+ 1 file changed, 96 insertions(+), 71 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index 62a6248..f4afd35 100644
+--- a/libdnf/dnf-keyring.cpp
++++ b/libdnf/dnf-keyring.cpp
+@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+     gboolean ret = TRUE;
+     int rc;
+     gsize len;
+-    pgpArmor armor;
+     pgpDig dig = NULL;
+     rpmPubkey pubkey = NULL;
+     rpmPubkey *subkeys = NULL;
+     int nsubkeys = 0;
+     uint8_t *pkt = NULL;
+     g_autofree gchar *data = NULL;
++    char const * const pgpmark = "-----BEGIN PGP ";
++    size_t marklen = strlen(pgpmark);
++    int keyno = 1;
++    char *start = NULL;
+ 
+     /* ignore symlinks and directories */
+     if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
+@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
+     if (!ret)
+         goto out;
+ 
+-    /* rip off the ASCII armor and parse it */
+-    armor = pgpParsePkts(data, &pkt, &len);
+-    if (armor < 0) {
+-        ret = FALSE;
+-        g_set_error(error,
+-                    DNF_ERROR,
+-                    DNF_ERROR_GPG_SIGNATURE_INVALID,
+-                    "failed to parse PKI file %s",
+-                    filename);
+-        goto out;
+-    }
+-
+-    /* make sure it's something we can add to rpm */
+-    if (armor != PGPARMOR_PUBKEY) {
+-        ret = FALSE;
+-        g_set_error(error,
+-                    DNF_ERROR,
+-                    DNF_ERROR_GPG_SIGNATURE_INVALID,
+-                    "PKI file %s is not a public key",
+-                    filename);
+-        goto out;
+-    }
++    start = strstr(data, pgpmark);
+ 
+-    /* test each one */
+-    pubkey = rpmPubkeyNew(pkt, len);
+-    if (pubkey == NULL) {
+-        ret = FALSE;
+-        g_set_error(error,
+-                    DNF_ERROR,
+-                    DNF_ERROR_GPG_SIGNATURE_INVALID,
+-                    "failed to parse public key for %s",
+-                    filename);
+-        goto out;
+-    }
+-
+-    /* does the key exist in the keyring */
+-    dig = rpmPubkeyDig(pubkey);
+-    rc = rpmKeyringLookup(keyring, dig);
+-    if (rc == RPMRC_OK) {
+-        ret = TRUE;
+-        g_debug("%s is already present", filename);
+-        goto out;
+-    }
++    do {
++        uint8_t *pkt = NULL;
++        uint8_t *pkti = NULL;
++        size_t pktlen = 0;
++        size_t certlen;
++
++        /* Read pgp packet. */
++        if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
++            pkti = pkt;
++
++            /* Iterate over certificates in pkt */
++            while (pktlen > 0) {
++                if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
++                    g_debug("%s: key %d import failed.\n", filename, keyno);
++                    break;
++                }
++
++                /* test each one */
++                pubkey = rpmPubkeyNew(pkti, certlen);
++                if (pubkey == NULL) {
++                    ret = FALSE;
++                    g_set_error(error,
++                                 DNF_ERROR,
++                                 DNF_ERROR_GPG_SIGNATURE_INVALID,
++                                 "failed to parse public key for %s",
++                                 filename);
++                    goto out;
++                }
++
++                /* add to in-memory keyring */
++                rc = rpmKeyringAddKey(keyring, pubkey);
++                if (rc == 1) {
++                    ret = TRUE;
++                    g_debug("%s is already added", filename);
++                    goto out;
++                } else if (rc < 0) {
++                    ret = FALSE;
++                    g_set_error(error,
++                                 DNF_ERROR,
++                                 DNF_ERROR_GPG_SIGNATURE_INVALID,
++                                 "failed to add public key %s to rpmdb",
++                                 filename);
++                    goto out;
++                }
++
++                subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
++                for (int i = 0; i < nsubkeys; i++) {
++                    rpmPubkey subkey = subkeys[i];
++                    if (rpmKeyringAddKey(keyring, subkey) < 0) {
++                        ret = FALSE;
++                        g_set_error(error,
++                                     DNF_ERROR,
++                                     DNF_ERROR_GPG_SIGNATURE_INVALID,
++                                     "failed to add subkeys for %s to rpmdb",
++                                     filename);
++                        goto out;
++                    }
++                }
++
++                pkti += certlen;
++                pktlen -= certlen;
++            }
++        } else {
++            g_debug("%s: key %d not an armored public key.\n", filename, keyno);
++        }
+ 
+-    /* add to rpmdb automatically, without a prompt */
+-    rc = rpmKeyringAddKey(keyring, pubkey);
+-    if (rc == 1) {
+-        ret = TRUE;
+-        g_debug("%s is already added", filename);
+-        goto out;
+-    } else if (rc < 0) {
+-        ret = FALSE;
+-        g_set_error(error,
+-                    DNF_ERROR,
+-                    DNF_ERROR_GPG_SIGNATURE_INVALID,
+-                    "failed to add public key %s to rpmdb",
+-                    filename);
+-        goto out;
+-    }
++        /* See if there are more keys in the buffer */
++        if (start && start + marklen < data + len) {
++            start = strstr(start + marklen, pgpmark);
++        } else {
++            start = NULL;
++        }
+ 
+-    subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
+-    for (int i = 0; i < nsubkeys; i++) {
+-        rpmPubkey subkey = subkeys[i];
+-        if (rpmKeyringAddKey(keyring, subkey) < 0) {
+-            ret = FALSE;
+-            g_set_error(error,
+-                        DNF_ERROR,
+-                        DNF_ERROR_GPG_SIGNATURE_INVALID,
+-                        "failed to add subkeys for %s to rpmdb",
+-                        filename);
+-            goto out;
++        keyno++;
++        if (pkt != NULL)
++            free(pkt); /* yes, free() */
++            pkt = NULL;
++        if (pubkey != NULL)
++            rpmPubkeyFree(pubkey);
++            pubkey = NULL;
++        if (subkeys != NULL) {
++            for (int i = 0; i < nsubkeys; i++) {
++                if (subkeys[i] != NULL) {
++                    rpmPubkeyFree (subkeys[i]);
++                    subkeys[i] = NULL;
++                }
++            }
++            free (subkeys);
++            subkeys = NULL;
+         }
+-    }
++    } while (start != NULL);
+ 
+     /* success */
+     g_debug("added missing public key %s to rpmdb", filename);
+@@ -165,7 +188,9 @@ out:
+         rpmPubkeyFree(pubkey);
+     if (subkeys != NULL) {
+         for (int i = 0; i < nsubkeys; i++) {
+-          rpmPubkeyFree(subkeys[i]);
++            if (subkeys[i] != NULL) {
++                rpmPubkeyFree (subkeys[i]);
++            }
+         }
+         free(subkeys);
+     }
+-- 
+2.34.1
+

SPECS/libdnf.spec

@@ -58,7 +58,7 @@
 
 Name:           libdnf
 Version:        %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
-Release:        20%{?dist}
+Release:        19%{?dist}.alma.2
 Summary:        Library providing simplified C and Python API to libsolv
 License:        LGPLv2+
 URL:            https://github.com/rpm-software-management/libdnf
@@ -112,8 +112,10 @@ Patch46:        0046-Update-translations-RHEL-8.9.patch
 Patch47:        0047-filterAdvisory-installed_solvables-sort-RhBug2212838.patch
 Patch48:        0048-Avoid-reinstal-installonly-packages-marked-for-ERASE.patch
 Patch49:        0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
-Patch50:        0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch
 
+# Almalinux patches
+Patch10001:     almalinux_bugtracker.patch
+Patch10002:     dnf-keyring-support-multiple-keys.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -363,20 +365,20 @@ popd
 %endif
 
 %changelog
-* Mon Jun 24 2024 Petr Pisar <ppisar@redhat.com> - 0.63.0-20
+* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2
-- Do not set a default SELinux creation context if SELinux appears to be
+- Add patch to fix issue with multiple keys in dnf-keyring
-  disabled (RHEL-43231)
+
+* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
+- AlmaLinux changes
 
 * Wed Oct 18 2023 Petr Pisar <ppisar@redhat.com> - 0.63.0-19
 - Set default SELinux labels on GnuPG directories (RHEL-6421)
-
 * Fri Oct 13 2023 Jaroslav Rohel <jrohel@redhat.com> - 0.63.0-18
 - filterAdvisory: match installed_solvables sort with lower_bound (RhBug:2212838, RHEL-1244)
 - Avoid reinstalling installonly packages marked for ERASE (RhBug:2163474, RHEL-1253)
 
 * Fri Sep 08 2023 Marek Blaha <mblaha@redhat.com> - 0.63.0-17
 - Update translations
-
 * Wed May 31 2023 Nicola Sella <nsella@redhat.com> - 0.63-0-16
 - Support "proxy=_none_" in main config (RhBug:2155713)
 
@@ -388,7 +390,6 @@ popd
 
 * Wed Oct 26 2022 Nicola Sella <nsella@redhat.com> - 0.63.0-13
 - Allow change of arch during security updates with noarch (RhBug:2124483)
-
 * Tue Sep 13 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.63.0-12
 - Fix listing a repository without cpeid (RhBug:2066334)