Rebase to the 4.19 alpha release (4.18.90)

This uses the new cmake build scripts so several pieces of the package had to be adjusted.
2023-05-05 13:34:13 +02:00 · 2023-05-05 13:34:13 +02:00 · 3913b45078
commit 3913b45078
parent 7cdaeb70ca
10 changed files with 401 additions and 112 deletions
--- a/.gitignore
+++ b/.gitignore
@ -56,3 +56,4 @@
 /rpm-4.18.0-rc1.tar.bz2
 /rpm-4.18.0.tar.bz2
 /rpm-4.18.1.tar.bz2
 /rpm-4.18.90.tar.bz2
--- a/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
+++ b/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
@ -1,5 +1,4 @@
-From e75ae70ef1a152dac9a066506cafd2bbf7b2565e Mon Sep 17 00:00:00 2001
+From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001
 Message-Id: <e75ae70ef1a152dac9a066506cafd2bbf7b2565e.1681989428.git.pmatilai@redhat.com>
 From: "Neal H. Walfield" <neal@pep.foundation>
 Date: Wed, 12 Apr 2023 17:56:19 +0200
 Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2()
@ -16,37 +15,36 @@ and
 https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398
 Fixes #2483.
 This is a backport of commit 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3
 ---
- configure.ac            |  2 +-
+ ci/Dockerfile           |  2 ++
- include/rpm/rpmpgp.h    | 23 +++++++++++++++++++++++
+ include/rpm/rpmpgp.h    | 23 +++++++++++++++++++
- lib/rpmvs.c             | 19 ++++++++++++++++---
+ lib/rpmvs.c             | 19 +++++++++++++---
- rpmio/rpmkeyring.c      |  7 ++++++-
+ rpmio/CMakeLists.txt    |  2 +-
- rpmio/rpmpgp_internal.c | 15 +++++++++++++++
+ rpmio/rpmkeyring.c      |  7 +++++-
- rpmio/rpmpgp_sequoia.c  |  7 +++++++
+ rpmio/rpmpgp_internal.c | 15 +++++++++++++
- tests/rpmi.at           | 10 ++++++++--
+ rpmio/rpmpgp_sequoia.c  |  7 ++++++
- tests/rpmsigdig.at      | 20 +++++++++++++++++---
+ tests/rpmi.at           | 10 +++++++--
- 9 files changed, 95 insertions(+), 10 deletions(-)
+ tests/rpmsigdig.at      | 50 +++++++++++++++++++++++++++++++----------
 9 files changed, 116 insertions(+), 19 deletions(-)
-diff --git a/configure.ac b/configure.ac
+diff --git a/ci/Dockerfile b/ci/Dockerfile
-index e6676c581..1d173e4e2 100644
+index d8f808962..552934fcd 100644
--- a/configure.ac
+--- a/ci/Dockerfile
-+++ b/configure.ac
+++ b/ci/Dockerfile
-@@ -384,7 +384,7 @@ AC_SUBST(WITH_LIBGCRYPT_LIB)
+@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo
- WITH_RPM_SEQUOIA_INCLUDE=
+ # dummy for controlling per-repo gpgcheck via Semaphore setup
- WITH_RPM_SEQUOIA_LIB=
+ RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo
- if test "$with_crypto" = sequoia ; then
+ RUN dnf -y update
-  PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia], [have_rpm_sequoia=yes], [have_rpm_sequoia=no])
+# until 1.4.0 lands in stable
-+  PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia >= 1.4.0], [have_rpm_sequoia=yes], [have_rpm_sequoia=no])
+RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0"
-   if test "$have_rpm_sequoia" = "yes"; then
+ RUN dnf -y install \
-      WITH_RPM_SEQUOIA_INCLUDE="$RPM_SEQUOIA_CFLAGS"
+   autoconf \
-      WITH_RPM_SEQUOIA_LIB="$RPM_SEQUOIA_LIBS"
+   cmake \
 diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
-index a3238a643..3352129b8 100644
+index 87a2a5bd2..675cbad73 100644
 --- a/include/rpm/rpmpgp.h
 +++ b/include/rpm/rpmpgp.h
-@@ -1013,6 +1013,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
+@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
 int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
 		 pgpDigParams * ret);
@ -65,9 +63,9 @@ index a3238a643..3352129b8 100644
 /** \ingroup rpmpgp
  * Parse subkey parameters from OpenPGP packet(s).
  * @param pkts		OpenPGP packet(s)
-@@ -1191,6 +1203,17 @@ const uint8_t *pgpDigParamsSignID(pgpDigParams digp);
+@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp);
  */
- const char *pgpDigParamsUserID(pgpDigParams digp);
+ rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
 +/** \ingroup rpmpgp
 + * Verify a PGP signature and return a error message or lint.
@ -81,8 +79,8 @@ index a3238a643..3352129b8 100644
 +                          char **lints);
 +
 /** \ingroup rpmpgp
-  * Retrieve the object's version.
+  * Return the type of a PGP signature. If `sig` is NULL, or is not a signature,
-  *
+  * returns -1.
 diff --git a/lib/rpmvs.c b/lib/rpmvs.c
 index a1425ea17..9b2106927 100644
 --- a/lib/rpmvs.c
@ -114,11 +112,24 @@ index a1425ea17..9b2106927 100644
 	}
 	sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
 	sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4);
 diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt
 index 2fb5794b0..6aa9ab1f1 100644
 --- a/rpmio/CMakeLists.txt
 +++ b/rpmio/CMakeLists.txt
@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP)
 		target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT)
 	endif()
 else()
 -	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0)
 +	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0)
 	target_sources(librpmio PRIVATE rpmpgp_sequoia.c)
 	target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA)
 endif()
 diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
-index db72892d9..712004bc8 100644
+index 166ee43a2..e3eb9e6ea 100644
 --- a/rpmio/rpmkeyring.c
 +++ b/rpmio/rpmkeyring.c
-@@ -328,7 +328,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
+@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
 	    pgpkey = key->pgpkey;
 	/* We call verify even if key not found for a signature sanity check */
@ -133,10 +144,10 @@ index db72892d9..712004bc8 100644
     if (keyring)
 diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c
-index 0fcd220e4..a049c09b2 100644
+index ce1d3c27d..82972bcc8 100644
 --- a/rpmio/rpmpgp_internal.c
 +++ b/rpmio/rpmpgp_internal.c
-@@ -1095,6 +1095,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
     return rc;
 }
@ -151,8 +162,8 @@ index 0fcd220e4..a049c09b2 100644
 int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
 			pgpDigParams mainkey, pgpDigParams **subkeys,
 			int *subkeysCount)
-@@ -1264,6 +1272,13 @@ rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx)
+@@ -1179,6 +1187,13 @@ exit:
- 			      pgpDigGetParams(dig, PGPTAG_SIGNATURE), hashctx);
+ 
 }
 +rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints)
@ -166,7 +177,7 @@ index 0fcd220e4..a049c09b2 100644
 {
     const char * enc = NULL;
 diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
-index e01acd0e9..2141bbf30 100644
+index c6434270a..d0b673953 100644
 --- a/rpmio/rpmpgp_sequoia.c
 +++ b/rpmio/rpmpgp_sequoia.c
@@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp))
@ -191,10 +202,10 @@ index e01acd0e9..2141bbf30 100644
   (const uint8_t *pkts, size_t pktlen,
    pgpDigParams mainkey, pgpDigParams **subkeys,
 diff --git a/tests/rpmi.at b/tests/rpmi.at
-index 7c8f25eff..d67185d5b 100644
+index 9d74cf689..423d97bca 100644
 --- a/tests/rpmi.at
 +++ b/tests/rpmi.at
-@@ -254,7 +254,7 @@ AT_CLEANUP
+@@ -342,7 +342,7 @@ AT_CLEANUP
 AT_SETUP([rpm -U <corrupted signed 1>])
 AT_KEYWORDS([install])
@ -203,7 +214,7 @@ index 7c8f25eff..d67185d5b 100644
 RPMDB_INIT
 pkg="hello-2.0-1.x86_64-signed.rpm"
-@@ -267,7 +267,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
+@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
 ],
 [1],
 [],
@ -219,10 +230,93 @@ index 7c8f25eff..d67185d5b 100644
 ])
 AT_CLEANUP
 diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
-index 5b1c6c4a6..e5482735a 100644
+index 9fb3febc9..df1f669e4 100644
 --- a/tests/rpmsigdig.at
 +++ b/tests/rpmsigdig.at
-@@ -539,7 +539,7 @@ AT_CLEANUP
+@@ -386,17 +386,17 @@ AT_CHECK([
 RPMDB_INIT
 echo Checking package before importing key:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 echo Importing key:
 -runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $?
 +runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $?
 echo Checking for key:
 runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
 echo Checking package after importing key:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 echo Checking package after importing key, no digest:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 echo Checking package after importing key, no signature:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 ],
 [0],
 [[Checking package before importing key:
@@ -416,6 +416,10 @@ Checking for key:
 Version     : eb04e625
 Checking package after importing key:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
 +error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
 +  Key 1F71177215217EE0 invalid: key is not alive
 +      because: The subkey is not live
 +      because: Expired on 2022-04-12T00:00:15Z
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
     Header DSA signature: NOTFOUND
     Header SHA256 digest: OK
@@ -427,6 +431,10 @@ Checking package after importing key:
 1
 Checking package after importing key, no digest:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
 +error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
 +  Key 1F71177215217EE0 invalid: key is not alive
 +      because: The subkey is not live
 +      because: Expired on 2022-04-12T00:00:15Z
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
     Header DSA signature: NOTFOUND
     RSA signature: NOTFOUND
@@ -455,15 +463,15 @@ RPMDB_INIT
 echo Checking package before importing key:
 runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 echo Importing key:
 -runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $?
 +runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $?
 echo Checking for key:
 runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
 echo Checking package after importing key:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 echo Checking package after importing key, no digest:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 echo Checking package after importing key, no signature:
 -runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
 +runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
 ],
 [0],
 [[Checking package before importing key:
@@ -483,6 +491,8 @@ Checking for key:
 Version     : eb04e625
 Checking package after importing key:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
 +error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
 +  Key 1F71177215217EE0 is invalid: key is revoked
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
     Header DSA signature: NOTFOUND
     Header SHA256 digest: OK
@@ -494,6 +504,8 @@ Checking package after importing key:
 1
 Checking package after importing key, no digest:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
 +error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
 +  Key 1F71177215217EE0 is invalid: key is revoked
     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
     Header DSA signature: NOTFOUND
     RSA signature: NOTFOUND
@@ -740,7 +752,7 @@ AT_CLEANUP
 # Test pre-built corrupted package verification (corrupted signature)
 AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
 AT_KEYWORDS([rpmkeys digest signature])
@ -231,7 +325,7 @@ index 5b1c6c4a6..e5482735a 100644
 RPMDB_INIT
 pkg="hello-2.0-1.x86_64-signed.rpm"
-@@ -553,14 +553,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
+@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
 ],
 [1],
 [/tmp/hello-2.0-1.x86_64-signed.rpm:
@ -263,5 +357,5 @@ index 5b1c6c4a6..e5482735a 100644
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
 -- 
-2.40.0
+2.40.1
--- a/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch
+++ b/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch
@ -0,0 +1,139 @@
 From 9a9514e665c30554a4d72c7c79475af315b83dc3 Mon Sep 17 00:00:00 2001
 Message-Id: <9a9514e665c30554a4d72c7c79475af315b83dc3.1683531413.git.pmatilai@redhat.com>
 From: Panu Matilainen <pmatilai@redhat.com>
 Date: Mon, 8 May 2023 09:26:46 +0300
 Subject: [PATCH] Forward-port obsoleted crypto needed by current libdnf
 Provide the minimum required bits to allow the old PackageKit-inherited
 signature in libdnf to work until the switch to dnf5 happens, allegedly
 during this release cycle.
 ---
 include/rpm/rpmkeyring.h |  4 ++++
 include/rpm/rpmpgp.h     | 15 ++++++++++++
 rpmio/rpmkeyring.c       | 52 ++++++++++++++++++++++++++++++++++++++++
 rpmio/rpmpgp_sequoia.c   | 11 +++++++++
 4 files changed, 82 insertions(+)
 diff --git a/include/rpm/rpmkeyring.h b/include/rpm/rpmkeyring.h
 index 3d8d55773..c84292ff8 100644
 --- a/include/rpm/rpmkeyring.h
 +++ b/include/rpm/rpmkeyring.h
@@ -101,6 +101,10 @@ char * rpmPubkeyBase64(rpmPubkey key);
  */
 pgpDigParams rpmPubkeyPgpDigParams(rpmPubkey key);
 +/* Obsolete APIs required by libdnf, do not use */
 +rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig);
 +pgpDig rpmPubkeyDig(rpmPubkey key);
 +
 #ifdef __cplusplus
 }
 #endif
 diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
 index 675cbad73..f83642c18 100644
 --- a/include/rpm/rpmpgp.h
 +++ b/include/rpm/rpmpgp.h
@@ -1225,6 +1225,21 @@ int pgpSignatureType(pgpDigParams sig);
  */
 char *pgpIdentItem(pgpDigParams digp);
 +/* Obsolete APIs required by libdnf, do not use */
 +typedef struct pgpDig_s * pgpDig;
 +
 +RPM_GNUC_DEPRECATED
 +pgpDig pgpNewDig(void);
 +
 +RPM_GNUC_DEPRECATED
 +pgpDig pgpFreeDig(pgpDig dig);
 +
 +RPM_GNUC_DEPRECATED
 +pgpDigParams pgpDigGetParams(pgpDig dig, unsigned int pkttype);
 +
 +RPM_GNUC_DEPRECATED
 +int pgpPrtPkts(const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing);
 +
 #ifdef __cplusplus
 }
 #endif
 diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
 index e3eb9e6ea..464163895 100644
 --- a/rpmio/rpmkeyring.c
 +++ b/rpmio/rpmkeyring.c
@@ -289,3 +289,55 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
     return rc;
 }
 +
 +rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig)
 +{
 +    pthread_rwlock_rdlock(&keyring->lock);
 +
 +    rpmRC res = RPMRC_NOKEY;
 +    pgpDigParams sigp = pgpDigGetParams(sig, PGPTAG_SIGNATURE);
 +    rpmPubkey key = findbySig(keyring, sigp);
 +
 +    if (key) {
 +	/*
 + 	 * Callers expect sig to have the key data parsed into pgpDig
 + 	 * on (successful) return, sigh. No need to check for return
 + 	 * here as this is validated at rpmPubkeyNew() already.
 + 	 */
 +	pgpPrtPkts(key->pkt, key->pktlen, sig, _print_pkts);
 +	res = RPMRC_OK;
 +    }
 +
 +    pthread_rwlock_unlock(&keyring->lock);
 +    return res;
 +}
 +
 +pgpDig rpmPubkeyDig(rpmPubkey key)
 +{
 +    pgpDig dig = NULL;
 +    static unsigned char zeros[] = 
 +	{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
 +    int rc;
 +    if (key == NULL)
 +	return NULL;
 +
 +    dig = pgpNewDig();
 +
 +    pthread_rwlock_rdlock(&key->lock);
 +    rc = pgpPrtPkts(key->pkt, key->pktlen, dig, _print_pkts);
 +    pthread_rwlock_unlock(&key->lock);
 +
 +    if (rc == 0) {
 +	pgpDigParams pubp = pgpDigGetParams(dig, PGPTAG_PUBLIC_KEY);
 +	if (!pubp || !memcmp(pgpDigParamsSignID(pubp), zeros, sizeof(zeros)) ||
 +            pgpDigParamsCreationTime(pubp) == 0 ||
 +            pgpDigParamsUserID(pubp) == NULL) {
 +	    rc = -1;
 +	}
 +    }
 +
 +    if (rc)
 +	dig = pgpFreeDig(dig);
 +
 +    return dig;
 +}
 diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
 index d0b673953..0c1c848dc 100644
 --- a/rpmio/rpmpgp_sequoia.c
 +++ b/rpmio/rpmpgp_sequoia.c
@@ -80,3 +80,14 @@ W(int, rpmDigestUpdate, (DIGEST_CTX ctx, const void * data, size_t len),
 W(int, rpmDigestFinal,
   (DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii),
   (ctx, datap, lenp, asAscii))
 +
 +// Minimal backport of APIs required by libdnf until dnf5 takes over
 +W(int, pgpPrtPkts,
 +  (const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing),
 +  (pkts, pktlen, dig, printing))
 +W(pgpDig, pgpNewDig, (void), ())
 +W(pgpDig, pgpFreeDig, (pgpDig dig), (dig))
 +W(pgpDigParams, pgpDigGetParams,
 +  (pgpDig dig, unsigned int pkttype),
 +  (dig, pkttype))
 +
 -- 
 2.40.1
--- a/0001-Remove-second-share-dir-from-infodir-and-mandir.patch
+++ b/0001-Remove-second-share-dir-from-infodir-and-mandir.patch
@ -0,0 +1,31 @@
 From 33702961f45567a599bc0f0dac055604dc204fb1 Mon Sep 17 00:00:00 2001
 From: Florian Festi <ffesti@redhat.com>
 Date: Tue, 2 May 2023 09:03:50 +0200
 Subject: [PATCH] Remove second share/ dir from infodir and mandir
 cmake variables and the derived macros.
 CMAKE_INSTALL_INFODIR and  CMAKE_INSTALL_MANDIR already include the
 datarootdir. So just prepending the prefix is sufficient.
 ---
 CMakeLists.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/CMakeLists.txt b/CMakeLists.txt
 index 230d18d1f..9718505bf 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
@@ -67,8 +67,8 @@ function(makemacros)
 	set(libdir "\${prefix}/=LIB=")
 	set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}")
 	set(oldincludedir "${CMAKE_INSTALL_FULL_OLDINCLUDEDIR}")
 -	set(infodir "\${datarootdir}/${CMAKE_INSTALL_INFODIR}")
 -	set(mandir "\${datarootdir}/${CMAKE_INSTALL_MANDIR}")
 +	set(infodir "\${prefix}/${CMAKE_INSTALL_INFODIR}")
 +	set(mandir "\${prefix}/${CMAKE_INSTALL_MANDIR}")
 	set(RUNDIR /run)
 	set(acutils
 -- 
 2.40.1
--- a/rpm-4.18.90-disable-sysusers.patch
+++ b/rpm-4.18.90-disable-sysusers.patch
@ -0,0 +1,11 @@
 --- rpm-4.18.90/macros.in.orig	2023-04-17 14:44:14.186653076 +0200
 +++ rpm-4.18.90/macros.in	2023-04-17 14:46:25.190322631 +0200
@@ -133,7 +133,7 @@
 %_keyringpath		%{_dbpath}/pubkeys/
 # sysusers helper binary or script, uncomment to disable
 -%__systemd_sysusers	%{_bindir}/systemd-sysusers
 +# %__systemd_sysusers	%{_bindir}/systemd-sysusers
 #
 #	Path to script that creates debug symbols in a /usr/lib/debug
--- a/rpm-4.18.90-weak-user-group.patch
+++ b/rpm-4.18.90-weak-user-group.patch
@ -0,0 +1,11 @@
 --- rpm-4.18.90/macros.in.orig	2023-04-17 14:48:14.802719586 +0200
 +++ rpm-4.18.90/macros.in	2023-04-17 14:48:25.268852972 +0200
@@ -236,7 +236,7 @@
 %clamp_mtime_to_source_date_epoch 0
 #	If enabled, dilute user() and group() requires into recommends
 -#%_use_weak_usergroup_deps 1
 +%_use_weak_usergroup_deps 1
 #	The directory where newly built binary packages will be written.
 %_rpmdir		%{_topdir}/RPMS
--- a/rpm-4.18.x-ldflags.patch
+++ b/rpm-4.18.x-ldflags.patch
@ -1,7 +1,7 @@
 diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in
 --- rpm-4.18.1/macros.in.orig	2023-03-15 13:57:06.385361527 +0100
 +++ rpm-4.18.1/macros.in	2023-03-15 13:58:09.613971713 +0100
-@@ -727,10 +727,11 @@ package or when debugging this package.\
+@@ -750,11 +750,12 @@ package or when debugging this package.\
   RPM_SOURCE_DIR=\"%{_sourcedir}\"\
   RPM_BUILD_DIR=\"%{_builddir}\"\
   RPM_OPT_FLAGS=\"%{optflags}\"\
@ -9,8 +9,9 @@ diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in
   RPM_ARCH=\"%{_arch}\"\
   RPM_OS=\"%{_os}\"\
   RPM_BUILD_NCPUS=\"%{_smp_build_ncpus}\"\
-  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS\
+   RPM_SPECPARTS_DIR=\"%{specpartsdir}\"\
-+  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_LD_FLAGS\
+-  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR\
 +  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR RPM_LD_FLAGS\
   RPM_DOC_DIR=\"%{_docdir}\"\
   export RPM_DOC_DIR\
   RPM_PACKAGE_NAME=\"%{NAME}\"\
--- a/rpm-4.18.x-revert-pandoc-cond.patch
+++ b/rpm-4.18.x-revert-pandoc-cond.patch
@ -1,12 +0,0 @@
 diff -up rpm-4.18.1/docs/Makefile.am.orig rpm-4.18.1/docs/Makefile.am
 --- rpm-4.18.1/docs/Makefile.am.orig	2023-03-15 14:48:27.955720807 +0100
 +++ rpm-4.18.1/docs/Makefile.am	2023-03-15 14:48:43.634626934 +0100
@@ -1,8 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 -if PANDOC
 SUBDIRS = man
 -endif
 EXTRA_DIST =
--- a/rpm.spec
+++ b/rpm.spec
@ -30,10 +30,10 @@
 %define rpmhome /usr/lib/rpm
-%global rpmver 4.18.1
+%global rpmver 4.18.90
 #global snapver rc1
-%global baserelease 3
+%global baserelease 1
-%global sover 9
+%global sover 10
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:rpm-%(echo %{rpmver} | cut -d'.' -f1-2).x}
@ -69,6 +69,7 @@ BuildRequires: debugedit >= 0.3
 BuildRequires: redhat-rpm-config >= 94
 BuildRequires: systemd-rpm-macros
 BuildRequires: gcc make
 BuildRequires: cmake >= 3.18
 BuildRequires: gawk
 BuildRequires: elfutils-devel >= 0.112
 BuildRequires: elfutils-libelf-devel
@ -95,6 +96,15 @@ BuildRequires: libzstd-devel
 BuildRequires: sqlite-devel
 %endif
 # Needed for re-building the documentation and man pages
 # normally those are shipped in the tarball pre-build
 # but need re-building if sources are patched
 %if 0
 BuildRequires: pandoc
 BuildRequires: doxygen
 %endif
 %if %{with sequoia}
 %global crypto sequoia
 BuildRequires: rpm-sequoia-devel >= 1.4.0
@ -132,17 +142,22 @@ rpm-4.17.x-rpm_dbpath.patch
 rpm-4.18.x-siteconfig.patch
 # In current Fedora, man-pages pkg owns all the localized man directories
 rpm-4.9.90-no-man-dirs.patch
 # Disable new user/group handling
 rpm-4.18.90-disable-sysusers.patch
 rpm-4.18.90-weak-user-group.patch
 # Patches already upstream:
 # ...
 0001-Remove-second-share-dir-from-infodir-and-mandir.patch
 0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
 # These are not yet upstream
 rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 rpm-4.18.x-ldflags.patch
-# We either need pandoc in buildroot or this patch in order for man pages to
+
-# actually be installed, choose the latter
+# Needed until dnf catches up
-rpm-4.18.x-revert-pandoc-cond.patch
+0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch
 %description
 The RPM Package Manager (RPM) is a powerful command line driven
@ -288,12 +303,14 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
 This plugin blocks systemd from entering idle, sleep or shutdown while an rpm
 transaction is running using the systemd-inhibit mechanism.
 %if %{with libimaevm}
 %package plugin-ima
 Summary: Rpm plugin ima file signatures
 Requires: rpm-libs%{_isa} = %{version}-%{release}
 %description plugin-ima
 %{summary}.
 %endif
 %package plugin-prioreset
 Summary: Rpm plugin for resetting scriptlet priorities for SysV init
@ -351,44 +368,35 @@ change.
 %build
 %set_build_flags
-autoreconf -i -f
+mkdir _build
-
+cd _build
-# Hardening hack taken from macro %%configure defined in redhat-rpm-config
+cmake \
-for i in $(find . -name ltmain.sh) ; do
+      -DCMAKE_INSTALL_PREFIX=%{_usr} \
-     %{__sed} -i.backup -e 's~compiler_flags=$~compiler_flags="%{_hardened_ldflags}"~' $i
+      %{?with_bdb_ro:-DENABLE_BDB_RO=ON} \
-done;
+      %{!?with_ndb:-DENABLE_NDB=OFF} \
-
+      %{!?with_sqlite:-DENABLE_SQLITE=OFF} \
-# Using configure macro has some unwanted side-effects on rpm platform
+      %{!?with_plugins:-DENABLE_PLUGINS=OFF} \
-# setup, use the old-fashioned way for now only defining minimal paths.
+      %{?with_fsverity:-DWITH_FSVERITY=ON} \
-./configure \
+      %{?with_libimaevm:-DWITH_IMAEVM=ON} \
-    --prefix=%{_usr} \
+      %{!?with_libarchive:-DWITH_ARCHIVE=OFF} \
-    --sysconfdir=%{_sysconfdir} \
+      %{!?with_check:-DENABLE_TESTSUITE=OFF} \
-    --localstatedir=%{_var} \
+      %{!?with_sequoia:-DWITH_INTERNAL_OPENPGP=ON} \
-    --sharedstatedir=%{_var}/lib \
+      %{!?with_sequoia:-DWITH_OPENSSL=ON } \
-    --libdir=%{_libdir} \
+      -DRPM_VENDOR=redhat \
-    --build=%{_target_platform} \
+  ..
    --host=%{_target_platform} \
    --with-vendor=redhat \
    %{!?with_plugins: --disable-plugins} \
    --with-lua \
    --with-selinux \
    --with-cap \
    --with-acl \
    --with-fapolicyd \
    %{?with_ndb: --enable-ndb} \
    %{?with_libimaevm: --with-imaevm} \
    %{?with_fsverity: --with-fsverity} \
    %{?with_zstd: --enable-zstd} \
    %{?with_sqlite: --enable-sqlite} \
    %{?with_bdb_ro: --enable-bdb-ro} \
    --enable-python \
    --with-crypto=%{crypto}
 %make_build
 %install
 cd _build
 %make_install
 # temporarily remove useser handling fileattr
 # as it is currently in systemd-rpm-macros
 rm $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/sysusers.attr
 cd ..
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
 install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}
 install -m 644 %{SOURCE20} $RPM_BUILD_ROOT/%{_unitdir}
@ -406,10 +414,12 @@ install -m 644 scripts/rpm.log ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/rpm
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm
 mkdir -p $RPM_BUILD_ROOT%{rpmhome}/macros.d
 mkdir -p $RPM_BUILD_ROOT/usr/lib/sysimage/rpm
 cd _build
 # init an empty database for %ghost'ing for all supported backends
 for be in %{?with_ndb:ndb} %{?with_sqlite:sqlite}; do
-    ./rpmdb --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb
+    mkdir ${be}
    ./rpmdb --rcfile rpmrc --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb
    cp -va ${be}/. $RPM_BUILD_ROOT/usr/lib/sysimage/rpm/
 done
@ -427,6 +437,7 @@ rm -rf $RPM_BUILD_ROOT/var/tmp
 %if %{with check}
 %check
 cd _build
 make check TESTSUITEFLAGS=-j%{_smp_build_ncpus} || (cat tests/rpmtests.log; exit 1)
 # rpm >= 4.16.0 testsuite leaves a read-only tree behind, clean it up
 make clean
@ -457,9 +468,13 @@ if [ ! -d /var/lib/rpm ] && [ -d /usr/lib/sysimage/rpm ] && [ ! -f /usr/lib/sysi
    touch /usr/lib/sysimage/rpm/.rpmdbdirsymlink_created
 fi
-%files -f rpm.lang
+%files -f _build/rpm.lang
 %license COPYING
 %doc CREDITS docs/manual/[a-z]*
 %doc %{_defaultdocdir}/rpm/CONTRIBUTING.md
 %doc %{_defaultdocdir}/rpm/COPYING
 %doc %{_defaultdocdir}/rpm/INSTALL
 %doc %{_defaultdocdir}/rpm/README
 %{_unitdir}/rpmdb-rebuild.service
 %{_unitdir}/rpmdb-migrate.service
@ -477,6 +492,7 @@ fi
 %{_bindir}/rpmkeys
 %{_bindir}/rpmquery
 %{_bindir}/rpmverify
 %{_bindir}/rpmsort
 %{_mandir}/man8/rpm.8*
 %{_mandir}/man8/rpmdb.8*
@ -484,16 +500,9 @@ fi
 %{_mandir}/man8/rpm2archive.8*
 %{_mandir}/man8/rpm2cpio.8*
 %{_mandir}/man8/rpm-misc.8*
 %{_mandir}/man8/rpmsort.8*
 %{_mandir}/man8/rpm-plugins.8*
 # XXX this places translated manuals to wrong package wrt eg rpmbuild
 %lang(fr) %{_mandir}/fr/man[18]/*.[18]*
 %lang(ko) %{_mandir}/ko/man[18]/*.[18]*
 %lang(ja) %{_mandir}/ja/man[18]/*.[18]*
 %lang(pl) %{_mandir}/pl/man[18]/*.[18]*
 %lang(ru) %{_mandir}/ru/man[18]/*.[18]*
 %lang(sk) %{_mandir}/sk/man[18]/*.[18]*
 %attr(0755, root, root) %dir %{rpmhome}
 %{rpmhome}/macros
 %{rpmhome}/macros.d
@ -532,9 +541,11 @@ fi
 %{_libdir}/rpm-plugins/systemd_inhibit.so
 %{_mandir}/man8/rpm-plugin-systemd-inhibit.8*
 %if %{with libimaevm}
 %files plugin-ima
 %{_libdir}/rpm-plugins/ima.so
 %{_mandir}/man8/rpm-plugin-ima.8*
 %endif
 %files plugin-fsverity
 %{_libdir}/rpm-plugins/fsverity.so
@ -586,7 +597,6 @@ fi
 %{rpmhome}/*deps*
 %{rpmhome}/*.prov
 %{rpmhome}/*.req
 %{rpmhome}/mkinstalldirs
 %{rpmhome}/fileattrs/*
 %{rpmhome}/find-debuginfo.sh
 %{rpmhome}/rpmuncompress
@ -615,9 +625,12 @@ fi
 %files apidocs
 %license COPYING
-%doc docs/librpm/html/*
+%doc %{_defaultdocdir}/rpm/API/
 %changelog
 * Thu May 04 2023 Florian Festi <ffesti@redhat.com> - 4.18.90-1
 - Update to 4.19 alpha
 * Tue Apr 25 2023 Miro Hrončok <mhroncok@redhat.com> - 4.18.1-3
 - Explicitly require rpm-sequoia >= 1.4.0 on runtime to avoid
  rpm: symbol lookup error: /lib64/librpmio.so.9: undefined symbol: _pgpVerifySignature2
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (rpm-4.18.1.tar.bz2) = 0ede2138b9b4c3b50d7e914cf82655507fcc207ba67804c749ea17560002976cb26b95801e9138a51589b60459494a991213a1131dbef5af2eca9b5050a4f29c
+SHA512 (rpm-4.18.90.tar.bz2) = 2d1a499fe053c5f3497b0ae4c133ef3b05b4b87e12ee5d349ad8c34dbfaebc20c1b3e6727143c152040ed1e132047bcf95afcbbe4a8cb2c4f91900b536d7821c
`@ -1 +1 @@`
	`SHA512 (rpm-4.18.1.tar.bz2) = 0ede2138b9b4c3b50d7e914cf82655507fcc207ba67804c749ea17560002976cb26b95801e9138a51589b60459494a991213a1131dbef5af2eca9b5050a4f29c`	`SHA512 (rpm-4.18.90.tar.bz2) = 2d1a499fe053c5f3497b0ae4c133ef3b05b4b87e12ee5d349ad8c34dbfaebc20c1b3e6727143c152040ed1e132047bcf95afcbbe4a8cb2c4f91900b536d7821c`