Disable signature checking in librpm

resolves: rhbz#2065172
2022-03-17 13:46:13 +00:00 · 2022-03-17 13:46:13 +00:00 · ff591404d4
commit ff591404d4
parent dd23a60a71
2 changed files with 53 additions and 1 deletions
--- a/0004-daemon-rpm-c.c-Disable-signature-checking-in-librpm.patch
+++ b/0004-daemon-rpm-c.c-Disable-signature-checking-in-librpm.patch
@ -0,0 +1,47 @@
+From 19f6758a9264318dcaf5c6658cbdab443fbb9ef7 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 15 Mar 2022 10:22:49 +0000
+Subject: [PATCH] daemon/rpm-c.c: Disable signature checking in librpm
+
+Older distros (eg CentOS 6) used SHA-1 RPM package signatures which
+some newer distros (eg RHEL 9.0) prevent us from verifying.
+
+This resulted in packages with SHA-1 signatures being skipped by
+librpm (there is a warning in debug output, but if you're not looking
+at that then the package is silently ignored).  In some cases
+essential packages like the kernel were skipped, which would be
+visible as a failure of virt-v2v.  In other cases (eg virt-inspector)
+you'd just see fewer installed packages in the <applications> list.
+
+Since verifying package signatures is not essential for inspection,
+disable this feature in librpm.
+
+Reported-by: Xiaodai Wang
+Thanks: Panu Matilainen
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2064182
+Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
+(cherry picked from commit aa6f8038f826bfb37ddbbb575e6962e1e181c5e8)
+---
+ daemon/rpm-c.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/daemon/rpm-c.c b/daemon/rpm-c.c
+index be0e81e22..020fc588e 100644
+--- a/daemon/rpm-c.c
+++ b/daemon/rpm-c.c
+@@ -90,7 +90,12 @@ value
+ guestfs_int_daemon_rpm_start_iterator (value unitv)
+ {
+   CAMLparam1 (unitv);
+
+   ts = rpmtsCreate ();
+
+  /* Disable signature checking (RHBZ#2064182). */
+  rpmtsSetVSFlags (ts, rpmtsVSFlags (ts) | RPMVSF_MASK_NOSIGNATURES);
+
+   iter = rpmtsInitIterator (ts, RPMDBI_PACKAGES, NULL, 0);
+   CAMLreturn (Val_unit);
+ }
+-- 
+2.31.1
+
--- a/libguestfs.spec
+++ b/libguestfs.spec
@ -48,7 +48,7 @@ Summary:       Access and modify virtual machine disk images
 Name:          libguestfs
 Epoch:         1
 Version:       1.48.0
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       LGPLv2+

 # Build only for architectures that have a kernel
@ -89,6 +89,7 @@ Source8:       copy-patches.sh
 Patch0001:     0001-RHEL-Disable-unsupported-remote-drive-protocols-RHBZ.patch
 Patch0002:     0002-RHEL-Reject-use-of-libguestfs-winsupport-features-ex.patch
 Patch0003:     0003-RHEL-Create-etc-crypto-policies-back-ends-opensslcnf.patch
+Patch0004:     0004-daemon-rpm-c.c-Disable-signature-checking-in-librpm.patch

 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool, gettext-devel
@ -1131,6 +1132,10 @@ rm ocaml/html/.gitignore


 %changelog
+* Thu Mar 17 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.48.0-2
+- Disable signature checking in librpm
+  resolves: rhbz#2065172
+
 * Mon Mar 14 2022 Richard W.M. Jones <rjones@redhat.com> - 1:1.48.0-1
 - Rebase to new stable branch version 1.48.0
  resolves: rhbz#2059285