libguestfs/SOURCES/0013-daemon-rpm-c.c-Disable-signature-checking-in-librpm.patch

2022-05-17 08:38:25 +00:00
From 46c0694ce0b9a2fe357403c998d30ec807e07015 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 15 Mar 2022 10:22:49 +0000
Subject: [PATCH] daemon/rpm-c.c: Disable signature checking in librpm

Older distros (eg CentOS 6) used SHA-1 RPM package signatures which
some newer distros (eg RHEL 9.0) prevent us from verifying.

This resulted in packages with SHA-1 signatures being skipped by
librpm (there is a warning in debug output, but if you're not looking
at that then the package is silently ignored). In some cases
essential packages like the kernel were skipped, which would be
visible as a failure of virt-v2v. In other cases (eg virt-inspector)
you'd just see fewer installed packages in the <applications> list.

Since verifying package signatures is not essential for inspection,
disable this feature in librpm.

Reported-by: Xiaodai Wang
Thanks: Panu Matilainen
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2064182
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
(cherry picked from commit aa6f8038f826bfb37ddbbb575e6962e1e181c5e8)
---
daemon/rpm-c.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/daemon/rpm-c.c b/daemon/rpm-c.c
index be0e81e22..020fc588e 100644
--- a/daemon/rpm-c.c
+++ b/daemon/rpm-c.c
@@ -90,7 +90,12 @@ value
guestfs_int_daemon_rpm_start_iterator (value unitv)
{
CAMLparam1 (unitv);
+
ts = rpmtsCreate ();
+
+ /* Disable signature checking (RHBZ#2064182). */
+ rpmtsSetVSFlags (ts, rpmtsVSFlags (ts) | RPMVSF_MASK_NOSIGNATURES);
+
iter = rpmtsInitIterator (ts, RPMDBI_PACKAGES, NULL, 0);
CAMLreturn (Val_unit);
}
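Review bot: The comment above the added `rpmtsSetVSFlags (ts, rpmtsVSFlags (ts) | RPMVSF_MASK_NOSIGNATURES);` call says what is switched off but not why that is acceptable or how far it reaches. The flag is set on `ts`, the same transaction set handed to `rpmtsInitIterator (ts, RPMDBI_PACKAGES, NULL, 0)`, so every header returned by this iterator is now read without signature verification. I would extend the comment to say that this handle is used for inspection only and that callers must treat the resulting package list as unauthenticated data from the guest, and I would confirm that `ts` is not reused anywhere that does rely on verification. Only the signature mask is ORed in, so digest checking is left as it was; if that is intentional, a few words in the comment would save the next reader from wondering. Minor style point: the blank line added after `CAMLparam1 (unitv);` is unrelated to the fix.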
--
2.31.1