Update to 4.19 alpha2
parent
096af0fd5f
commit
4c1728e423
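--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@
 /rpm-4.18.0.tar.bz2
 /rpm-4.18.1.tar.bz2
 /rpm-4.18.90.tar.bz2
+/rpm-4.18.91.tar.bz2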
@ -1,361 +0,0 @@
|
|||||||
From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Neal H. Walfield" <neal@pep.foundation>
|
|
||||||
Date: Wed, 12 Apr 2023 17:56:19 +0200
|
|
||||||
Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2()
|
|
||||||
|
|
||||||
Add new functions pgpVerifySignature2() and pgpPrtParams2(), which are
|
|
||||||
like their earlier versions, but optionally return descriptive error
|
|
||||||
messages (in the case of failure) or lints (in the case of success).
|
|
||||||
Adjust tests accordingly.
|
|
||||||
|
|
||||||
This requires rpm-sequoia 1.4 or later.
|
|
||||||
|
|
||||||
See https://github.com/rpm-software-management/rpm-sequoia/issues/39
|
|
||||||
and
|
|
||||||
https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398
|
|
||||||
|
|
||||||
Fixes #2483.
|
|
||||||
---
|
|
||||||
ci/Dockerfile | 2 ++
|
|
||||||
include/rpm/rpmpgp.h | 23 +++++++++++++++++++
|
|
||||||
lib/rpmvs.c | 19 +++++++++++++---
|
|
||||||
rpmio/CMakeLists.txt | 2 +-
|
|
||||||
rpmio/rpmkeyring.c | 7 +++++-
|
|
||||||
rpmio/rpmpgp_internal.c | 15 +++++++++++++
|
|
||||||
rpmio/rpmpgp_sequoia.c | 7 ++++++
|
|
||||||
tests/rpmi.at | 10 +++++++--
|
|
||||||
tests/rpmsigdig.at | 50 +++++++++++++++++++++++++++++++----------
|
|
||||||
9 files changed, 116 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ci/Dockerfile b/ci/Dockerfile
|
|
||||||
index d8f808962..552934fcd 100644
|
|
||||||
--- a/ci/Dockerfile
|
|
||||||
+++ b/ci/Dockerfile
|
|
||||||
@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo
|
|
||||||
# dummy for controlling per-repo gpgcheck via Semaphore setup
|
|
||||||
RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo
|
|
||||||
RUN dnf -y update
|
|
||||||
+# until 1.4.0 lands in stable
|
|
||||||
+RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0"
|
|
||||||
RUN dnf -y install \
|
|
||||||
autoconf \
|
|
||||||
cmake \
|
|
||||||
diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
|
|
||||||
index 87a2a5bd2..675cbad73 100644
|
|
||||||
--- a/include/rpm/rpmpgp.h
|
|
||||||
+++ b/include/rpm/rpmpgp.h
|
|
||||||
@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
|
|
||||||
int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
|
|
||||||
pgpDigParams * ret);
|
|
||||||
|
|
||||||
+/** \ingroup rpmpgp
|
|
||||||
+ * Parse a OpenPGP packet(s).
|
|
||||||
+ * @param pkts OpenPGP packet(s)
|
|
||||||
+ * @param pktlen OpenPGP packet(s) length (no. of bytes)
|
|
||||||
+ * @param pkttype Expected packet type (signature/key) or 0 for any
|
|
||||||
+ * @param[out] ret signature/pubkey packet parameters on success (alloced)
|
|
||||||
+ * @param[out] lints error messages and lints
|
|
||||||
+ * @return -1 on error, 0 on success
|
|
||||||
+ */
|
|
||||||
+int pgpPrtParams2(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
|
|
||||||
+ pgpDigParams * ret, char **lints);
|
|
||||||
+
|
|
||||||
/** \ingroup rpmpgp
|
|
||||||
* Parse subkey parameters from OpenPGP packet(s).
|
|
||||||
* @param pkts OpenPGP packet(s)
|
|
||||||
@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp);
|
|
||||||
*/
|
|
||||||
rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
|
|
||||||
|
|
||||||
+/** \ingroup rpmpgp
|
|
||||||
+ * Verify a PGP signature and return a error message or lint.
|
|
||||||
+ * @param key public key
|
|
||||||
+ * @param sig signature
|
|
||||||
+ * @param hashctx digest context
|
|
||||||
+ * @param lints error messages and lints
|
|
||||||
+ * @return RPMRC_OK on success
|
|
||||||
+ */
|
|
||||||
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx,
|
|
||||||
+ char **lints);
|
|
||||||
+
|
|
||||||
/** \ingroup rpmpgp
|
|
||||||
* Return the type of a PGP signature. If `sig` is NULL, or is not a signature,
|
|
||||||
* returns -1.
|
|
||||||
diff --git a/lib/rpmvs.c b/lib/rpmvs.c
|
|
||||||
index a1425ea17..9b2106927 100644
|
|
||||||
--- a/lib/rpmvs.c
|
|
||||||
+++ b/lib/rpmvs.c
|
|
||||||
@@ -193,10 +193,23 @@ static void rpmsinfoInit(const struct vfyinfo_s *vinfo,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (sinfo->type == RPMSIG_SIGNATURE_TYPE) {
|
|
||||||
- if (pgpPrtParams(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig)) {
|
|
||||||
- rasprintf(&sinfo->msg, _("%s tag %u: invalid OpenPGP signature"),
|
|
||||||
- origin, td->tag);
|
|
||||||
+ char *lints = NULL;
|
|
||||||
+ int ec = pgpPrtParams2(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig, &lints);
|
|
||||||
+ if (ec) {
|
|
||||||
+ if (lints) {
|
|
||||||
+ rasprintf(&sinfo->msg,
|
|
||||||
+ ("%s tag %u: invalid OpenPGP signature: %s"),
|
|
||||||
+ origin, td->tag, lints);
|
|
||||||
+ free(lints);
|
|
||||||
+ } else {
|
|
||||||
+ rasprintf(&sinfo->msg,
|
|
||||||
+ _("%s tag %u: invalid OpenPGP signature"),
|
|
||||||
+ origin, td->tag);
|
|
||||||
+ }
|
|
||||||
goto exit;
|
|
||||||
+ } else if (lints) {
|
|
||||||
+ rpmlog(RPMLOG_WARNING, "%s\n", lints);
|
|
||||||
+ free(lints);
|
|
||||||
}
|
|
||||||
sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
|
|
||||||
sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4);
|
|
||||||
diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt
|
|
||||||
index 2fb5794b0..6aa9ab1f1 100644
|
|
||||||
--- a/rpmio/CMakeLists.txt
|
|
||||||
+++ b/rpmio/CMakeLists.txt
|
|
||||||
@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP)
|
|
||||||
target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT)
|
|
||||||
endif()
|
|
||||||
else()
|
|
||||||
- pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0)
|
|
||||||
+ pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0)
|
|
||||||
target_sources(librpmio PRIVATE rpmpgp_sequoia.c)
|
|
||||||
target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA)
|
|
||||||
endif()
|
|
||||||
diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
|
|
||||||
index 166ee43a2..e3eb9e6ea 100644
|
|
||||||
--- a/rpmio/rpmkeyring.c
|
|
||||||
+++ b/rpmio/rpmkeyring.c
|
|
||||||
@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
|
|
||||||
pgpkey = key->pgpkey;
|
|
||||||
|
|
||||||
/* We call verify even if key not found for a signature sanity check */
|
|
||||||
- rc = pgpVerifySignature(pgpkey, sig, ctx);
|
|
||||||
+ char *lints = NULL;
|
|
||||||
+ rc = pgpVerifySignature2(pgpkey, sig, ctx, &lints);
|
|
||||||
+ if (lints) {
|
|
||||||
+ rpmlog(rc ? RPMLOG_ERR : RPMLOG_WARNING, "%s\n", lints);
|
|
||||||
+ free(lints);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (keyring)
|
|
||||||
diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c
|
|
||||||
index ce1d3c27d..82972bcc8 100644
|
|
||||||
--- a/rpmio/rpmpgp_internal.c
|
|
||||||
+++ b/rpmio/rpmpgp_internal.c
|
|
||||||
@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int pgpPrtParams2(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
|
|
||||||
+ pgpDigParams * ret, char **lints)
|
|
||||||
+{
|
|
||||||
+ if (lints)
|
|
||||||
+ *lints = NULL;
|
|
||||||
+ return pgpPrtParams(pkts, pktlen, pkttype, ret);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
|
|
||||||
pgpDigParams mainkey, pgpDigParams **subkeys,
|
|
||||||
int *subkeysCount)
|
|
||||||
@@ -1179,6 +1187,13 @@ exit:
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints)
|
|
||||||
+{
|
|
||||||
+ if (lints)
|
|
||||||
+ *lints = NULL;
|
|
||||||
+ return pgpVerifySignature(key, sig, hashctx);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
|
|
||||||
{
|
|
||||||
const char * enc = NULL;
|
|
||||||
diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
|
|
||||||
index c6434270a..d0b673953 100644
|
|
||||||
--- a/rpmio/rpmpgp_sequoia.c
|
|
||||||
+++ b/rpmio/rpmpgp_sequoia.c
|
|
||||||
@@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp))
|
|
||||||
W(rpmRC, pgpVerifySignature,
|
|
||||||
(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx),
|
|
||||||
(key, sig, hashctx))
|
|
||||||
+W(rpmRC, pgpVerifySignature2,
|
|
||||||
+ (pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints),
|
|
||||||
+ (key, sig, hashctx, lints))
|
|
||||||
W(int, pgpPubkeyKeyID,
|
|
||||||
(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid),
|
|
||||||
(pkt, pktlen, keyid))
|
|
||||||
@@ -51,6 +54,10 @@ W(int, pgpPubKeyCertLen,
|
|
||||||
W(int, pgpPrtParams,
|
|
||||||
(const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret),
|
|
||||||
(pkts, pktlen, pkttype, ret))
|
|
||||||
+W(int, pgpPrtParams2,
|
|
||||||
+ (const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret,
|
|
||||||
+ char **lints),
|
|
||||||
+ (pkts, pktlen, pkttype, ret, lints))
|
|
||||||
W(int, pgpPrtParamsSubkeys,
|
|
||||||
(const uint8_t *pkts, size_t pktlen,
|
|
||||||
pgpDigParams mainkey, pgpDigParams **subkeys,
|
|
||||||
diff --git a/tests/rpmi.at b/tests/rpmi.at
|
|
||||||
index 9d74cf689..423d97bca 100644
|
|
||||||
--- a/tests/rpmi.at
|
|
||||||
+++ b/tests/rpmi.at
|
|
||||||
@@ -342,7 +342,7 @@ AT_CLEANUP
|
|
||||||
|
|
||||||
AT_SETUP([rpm -U <corrupted signed 1>])
|
|
||||||
AT_KEYWORDS([install])
|
|
||||||
-AT_CHECK([
|
|
||||||
+AT_CHECK_UNQUOTED([
|
|
||||||
RPMDB_INIT
|
|
||||||
|
|
||||||
pkg="hello-2.0-1.x86_64-signed.rpm"
|
|
||||||
@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
|
|
||||||
],
|
|
||||||
[1],
|
|
||||||
[],
|
|
||||||
-[error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
|
|
||||||
+[`if test x$PGP = xinternal; then
|
|
||||||
+ echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
|
|
||||||
+else
|
|
||||||
+ echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
|
|
||||||
+ echo ' Failed to parse Signature Packet'
|
|
||||||
+ echo ' because: Malformed packet: Subpacket extends beyond the end of the subpacket area)'
|
|
||||||
+fi`
|
|
||||||
error: /tmp/hello-2.0-1.x86_64-signed.rpm cannot be installed
|
|
||||||
])
|
|
||||||
AT_CLEANUP
|
|
||||||
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
|
|
||||||
index 9fb3febc9..df1f669e4 100644
|
|
||||||
--- a/tests/rpmsigdig.at
|
|
||||||
+++ b/tests/rpmsigdig.at
|
|
||||||
@@ -386,17 +386,17 @@ AT_CHECK([
|
|
||||||
RPMDB_INIT
|
|
||||||
|
|
||||||
echo Checking package before importing key:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
echo Importing key:
|
|
||||||
-runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $?
|
|
||||||
+runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $?
|
|
||||||
echo Checking for key:
|
|
||||||
runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
|
|
||||||
echo Checking package after importing key:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
echo Checking package after importing key, no digest:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
echo Checking package after importing key, no signature:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
],
|
|
||||||
[0],
|
|
||||||
[[Checking package before importing key:
|
|
||||||
@@ -416,6 +416,10 @@ Checking for key:
|
|
||||||
Version : eb04e625
|
|
||||||
Checking package after importing key:
|
|
||||||
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
|
|
||||||
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
|
|
||||||
+ Key 1F71177215217EE0 invalid: key is not alive
|
|
||||||
+ because: The subkey is not live
|
|
||||||
+ because: Expired on 2022-04-12T00:00:15Z
|
|
||||||
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
|
|
||||||
Header DSA signature: NOTFOUND
|
|
||||||
Header SHA256 digest: OK
|
|
||||||
@@ -427,6 +431,10 @@ Checking package after importing key:
|
|
||||||
1
|
|
||||||
Checking package after importing key, no digest:
|
|
||||||
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
|
|
||||||
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
|
|
||||||
+ Key 1F71177215217EE0 invalid: key is not alive
|
|
||||||
+ because: The subkey is not live
|
|
||||||
+ because: Expired on 2022-04-12T00:00:15Z
|
|
||||||
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
|
|
||||||
Header DSA signature: NOTFOUND
|
|
||||||
RSA signature: NOTFOUND
|
|
||||||
@@ -455,15 +463,15 @@ RPMDB_INIT
|
|
||||||
echo Checking package before importing key:
|
|
||||||
runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
echo Importing key:
|
|
||||||
-runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $?
|
|
||||||
+runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $?
|
|
||||||
echo Checking for key:
|
|
||||||
runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
|
|
||||||
echo Checking package after importing key:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
echo Checking package after importing key, no digest:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
echo Checking package after importing key, no signature:
|
|
||||||
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
|
|
||||||
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
|
|
||||||
],
|
|
||||||
[0],
|
|
||||||
[[Checking package before importing key:
|
|
||||||
@@ -483,6 +491,8 @@ Checking for key:
|
|
||||||
Version : eb04e625
|
|
||||||
Checking package after importing key:
|
|
||||||
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
|
|
||||||
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
|
|
||||||
+ Key 1F71177215217EE0 is invalid: key is revoked
|
|
||||||
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
|
|
||||||
Header DSA signature: NOTFOUND
|
|
||||||
Header SHA256 digest: OK
|
|
||||||
@@ -494,6 +504,8 @@ Checking package after importing key:
|
|
||||||
1
|
|
||||||
Checking package after importing key, no digest:
|
|
||||||
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
|
|
||||||
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
|
|
||||||
+ Key 1F71177215217EE0 is invalid: key is revoked
|
|
||||||
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
|
|
||||||
Header DSA signature: NOTFOUND
|
|
||||||
RSA signature: NOTFOUND
|
|
||||||
@@ -740,7 +752,7 @@ AT_CLEANUP
|
|
||||||
# Test pre-built corrupted package verification (corrupted signature)
|
|
||||||
AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
|
|
||||||
AT_KEYWORDS([rpmkeys digest signature])
|
|
||||||
-AT_CHECK([
|
|
||||||
+AT_CHECK_UNQUOTED([
|
|
||||||
RPMDB_INIT
|
|
||||||
|
|
||||||
pkg="hello-2.0-1.x86_64-signed.rpm"
|
|
||||||
@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
|
|
||||||
],
|
|
||||||
[1],
|
|
||||||
[/tmp/hello-2.0-1.x86_64-signed.rpm:
|
|
||||||
- Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
|
|
||||||
+`if test x$PGP = xinternal; then
|
|
||||||
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
|
|
||||||
+else
|
|
||||||
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
|
|
||||||
+ echo ' Failed to parse Signature Packet'
|
|
||||||
+ echo ' because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
|
|
||||||
+ echo ' because: Malformed MPI: leading bit is not set: expected bit 1 to be set in 0 (0))'
|
|
||||||
+fi`
|
|
||||||
Header SHA256 digest: OK
|
|
||||||
Header SHA1 digest: OK
|
|
||||||
Payload SHA256 digest: OK
|
|
||||||
V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
|
|
||||||
MD5 digest: OK
|
|
||||||
/tmp/hello-2.0-1.x86_64-signed.rpm:
|
|
||||||
- Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
|
|
||||||
+`if test x$PGP = xinternal; then
|
|
||||||
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
|
|
||||||
+else
|
|
||||||
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
|
|
||||||
+ echo ' Failed to parse Signature Packet'
|
|
||||||
+ echo ' because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
|
|
||||||
+ echo ' because: Malformed MPI: leading bit is not set: expected bit 1 to be set in 0 (0))'
|
|
||||||
+fi`
|
|
||||||
Header SHA256 digest: OK
|
|
||||||
Header SHA1 digest: OK
|
|
||||||
Payload SHA256 digest: OK
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
From 2df8008d22b58f87fe665de0fa8c5bbeb4b4a3d8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michal Domonkos <mdomonko@redhat.com>
|
|
||||||
Date: Wed, 17 May 2023 12:39:47 +0200
|
|
||||||
Subject: [PATCH] Enable large file support on 32-bit systems again
|
|
||||||
|
|
||||||
Replace 32-bit sizes in types like off_t with 64-bits when building on
|
|
||||||
32-bit architectures, to enable large file support there.
|
|
||||||
|
|
||||||
This fixes a nasty regression introduced in the cmake transition. As
|
|
||||||
autotools would set this flag to 64 automatically for us, applications
|
|
||||||
linking against librpm (such as libdnf, librepo, libsolv or drpm) are
|
|
||||||
already adapted to that and are also building with the value of 64
|
|
||||||
(explicitly, we never exported this flag through pkg-config ourselves).
|
|
||||||
However, us suddenly expecting 32-bits in those types on 32-bit systems
|
|
||||||
can blow up badly e.g. in functions that take an off_t parameter, like
|
|
||||||
Fseek().
|
|
||||||
|
|
||||||
There perhaps aren't that many low-level users of librpm but drpm is one
|
|
||||||
such example where exactly this happens when built against our current
|
|
||||||
master. It calls headerRead(), leading to Fseek() which receives a
|
|
||||||
64-bit offset parameter where it expects a 32-bit one, thus silently
|
|
||||||
overwriting the following parameter from 1 to 0 (SEEK_CUR to SEEK_SET)
|
|
||||||
which messes up the whole reading sequence in drpm's rpm_read(),
|
|
||||||
producing a failure in drpm's test suite that doesn't make any sense at
|
|
||||||
first sight.
|
|
||||||
|
|
||||||
While at it, also export the flag through pkg-config so that anyone
|
|
||||||
linking against librpm is now guaranteed to work correctly even if they
|
|
||||||
don't set the flag themselves (kudos to Petr Pisar for suggesting this).
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 1 +
|
|
||||||
rpm.pc.in | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index b006ed34e..dc28fd547 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -52,6 +52,7 @@ set(CMAKE_SHARED_MODULE_PREFIX "")
|
|
||||||
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
|
|
||||||
include(GNUInstallDirs)
|
|
||||||
add_compile_definitions(_GNU_SOURCE)
|
|
||||||
+add_definitions(-D_FILE_OFFSET_BITS=64)
|
|
||||||
|
|
||||||
function(makemacros)
|
|
||||||
set(prefix ${CMAKE_INSTALL_PREFIX})
|
|
||||||
diff --git a/rpm.pc.in b/rpm.pc.in
|
|
||||||
index 46d42e7a3..791303e17 100644
|
|
||||||
--- a/rpm.pc.in
|
|
||||||
+++ b/rpm.pc.in
|
|
||||||
@@ -11,6 +11,6 @@ URL: @CMAKE_PROJECT_HOMEPAGE_URL@
|
|
||||||
Requires: popt
|
|
||||||
Requires.private: @ZSTD_REQUIRES@
|
|
||||||
# Conflicts:
|
|
||||||
-Cflags: -I${includedir}
|
|
||||||
+Cflags: -I${includedir} -D_FILE_OFFSET_BITS=64
|
|
||||||
Libs: -L${libdir} -lrpm -lrpmio
|
|
||||||
Libs.private: -lpopt -lrt -lpthread @WITH_LZMA_LIB@ @WITH_BZ2_LIB@ @WITH_ZLIB_LIB@ @LUA_LIBS@
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From d18d6ce41df4a5887df47a69052a401808aef19f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Festi <ffesti@redhat.com>
|
|
||||||
Date: Mon, 8 May 2023 17:50:21 +0200
|
|
||||||
Subject: [PATCH] Fix bzip2 detection
|
|
||||||
|
|
||||||
HAVE_BZLIB_H was not set due to a typo leading to the bz2 support not
|
|
||||||
being compiled in although the library was detected correctly.
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index 9718505bf..4a5332f4b 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -272,7 +272,7 @@ id0name(UID_0_USER /etc/passwd)
|
|
||||||
id0name(GID_0_GROUP /etc/group)
|
|
||||||
|
|
||||||
# map module/package findings to config.h
|
|
||||||
-if (${Bzip2_FOUND})
|
|
||||||
+if (${BZIP2_FOUND})
|
|
||||||
set(HAVE_BZLIB_H 1)
|
|
||||||
endif()
|
|
||||||
if (${LIBLZMA_FOUND})
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
From acfe252822db37fc9f47c221c4e3ae79a5f0be27 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Panu Matilainen <pmatilai@redhat.com>
|
|
||||||
Date: Mon, 22 May 2023 18:19:24 +0300
|
|
||||||
Subject: [PATCH] Fix undefined symbols from plugins in some circumstances
|
|
||||||
|
|
||||||
Another bit lost in the cmake transition: plugin linkage to librpm and
|
|
||||||
librpmio. In rpm itself this doesn't really matter because the running
|
|
||||||
process supplies the necessary symbols but it's a different story when eg
|
|
||||||
a Python process uses dlopen()'ed bindings.
|
|
||||||
---
|
|
||||||
plugins/CMakeLists.txt | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/plugins/CMakeLists.txt b/plugins/CMakeLists.txt
|
|
||||||
index 6768378f9..1ca025868 100644
|
|
||||||
--- a/plugins/CMakeLists.txt
|
|
||||||
+++ b/plugins/CMakeLists.txt
|
|
||||||
@@ -40,6 +40,7 @@ set(plugindir ${CMAKE_INSTALL_FULL_LIBDIR}/rpm-plugins)
|
|
||||||
|
|
||||||
get_property(plugins DIRECTORY PROPERTY BUILDSYSTEM_TARGETS)
|
|
||||||
foreach(plugin ${plugins})
|
|
||||||
+ target_link_libraries(${plugin} PRIVATE librpmio librpm)
|
|
||||||
install(TARGETS ${plugin} DESTINATION ${plugindir})
|
|
||||||
endforeach()
|
|
||||||
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From 33702961f45567a599bc0f0dac055604dc204fb1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Festi <ffesti@redhat.com>
|
|
||||||
Date: Tue, 2 May 2023 09:03:50 +0200
|
|
||||||
Subject: [PATCH] Remove second share/ dir from infodir and mandir
|
|
||||||
|
|
||||||
cmake variables and the derived macros.
|
|
||||||
|
|
||||||
CMAKE_INSTALL_INFODIR and CMAKE_INSTALL_MANDIR already include the
|
|
||||||
datarootdir. So just prepending the prefix is sufficient.
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index 230d18d1f..9718505bf 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -67,8 +67,8 @@ function(makemacros)
|
|
||||||
set(libdir "\${prefix}/=LIB=")
|
|
||||||
set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}")
|
|
||||||
set(oldincludedir "${CMAKE_INSTALL_FULL_OLDINCLUDEDIR}")
|
|
||||||
- set(infodir "\${datarootdir}/${CMAKE_INSTALL_INFODIR}")
|
|
||||||
- set(mandir "\${datarootdir}/${CMAKE_INSTALL_MANDIR}")
|
|
||||||
+ set(infodir "\${prefix}/${CMAKE_INSTALL_INFODIR}")
|
|
||||||
+ set(mandir "\${prefix}/${CMAKE_INSTALL_MANDIR}")
|
|
||||||
set(RUNDIR /run)
|
|
||||||
|
|
||||||
set(acutils
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From 673bd62bd3035575f8fad501f1395b09a0f9f8fe Mon Sep 17 00:00:00 2001
|
|
||||||
Message-Id: <673bd62bd3035575f8fad501f1395b09a0f9f8fe.1685346662.git.pmatilai@redhat.com>
|
|
||||||
From: Panu Matilainen <pmatilai@redhat.com>
|
|
||||||
Date: Mon, 29 May 2023 10:34:57 +0300
|
|
||||||
Subject: [PATCH] Revert %_smp_build_ncpus change to a parametric macro
|
|
||||||
(RhBug:2210347)
|
|
||||||
|
|
||||||
Commit a213101bc3af65c860d045c65fb4e2ef7566a4c6 changed %_smp_build_ncpus
|
|
||||||
into a parametric macro, but this breaks common usage via the Lua macros
|
|
||||||
table as parametric macros are returned as closures rather than the
|
|
||||||
expanded value.
|
|
||||||
|
|
||||||
This seems like a design flaw of the macros table, but as an immediate
|
|
||||||
remedy for the breakage, add another layer of indirection to revert
|
|
||||||
%_smp_build_ncpus back to a non-parametric macro.
|
|
||||||
|
|
||||||
Fixes %constrain_build macro in Fedora, which ironically is made obsolete by
|
|
||||||
the change that (unintentionally) broke it.
|
|
||||||
---
|
|
||||||
macros.in | 12 +++++++-----
|
|
||||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/macros.in b/macros.in
|
|
||||||
index 5521daba8..4dc6e3ca3 100644
|
|
||||||
--- a/macros.in
|
|
||||||
+++ b/macros.in
|
|
||||||
@@ -717,21 +717,23 @@ Supplements: (%{name} = %{version}-%{release} and langpacks-%{1})\
|
|
||||||
# Macro to fix broken permissions in sources
|
|
||||||
%_fixperms %{__chmod} -Rf a+rX,u+w,g-w,o-w
|
|
||||||
|
|
||||||
-# Maximum number of CPU's to use when building, 0 for unlimited.
|
|
||||||
-#%_smp_ncpus_max 0
|
|
||||||
-
|
|
||||||
-%_smp_build_ncpus() %([ -z "$RPM_BUILD_NCPUS" ] \\\
|
|
||||||
+%__smp_use_ncpus() %([ -z "$RPM_BUILD_NCPUS" ] \\\
|
|
||||||
&& RPM_BUILD_NCPUS="%{getncpus %{?1}}"; \\\
|
|
||||||
ncpus_max=%{?_smp_ncpus_max}; \\\
|
|
||||||
if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \\\
|
|
||||||
echo "$RPM_BUILD_NCPUS";)
|
|
||||||
|
|
||||||
+# Maximum number of CPU's to use when building, 0 for unlimited.
|
|
||||||
+#%_smp_ncpus_max 0
|
|
||||||
+
|
|
||||||
+%_smp_build_ncpus %{__smp_use_ncpus:proc}
|
|
||||||
+
|
|
||||||
%_smp_mflags -j${RPM_BUILD_NCPUS}
|
|
||||||
|
|
||||||
# Maximum number of threads to use when building, 0 for unlimited
|
|
||||||
#%_smp_nthreads_max 0
|
|
||||||
|
|
||||||
-%_smp_build_nthreads %{_smp_build_ncpus:thread}
|
|
||||||
+%_smp_build_nthreads %{__smp_use_ncpus:thread}
|
|
||||||
|
|
||||||
# Assumed task size of processes and threads in megabytes.
|
|
||||||
# Used to limit the amount of parallelism based on available memory.
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 021a7d3aaa5458d8956babf0220a3e574a2b8e62 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Festi <ffesti@redhat.com>
|
|
||||||
Date: Wed, 17 May 2023 17:23:59 +0200
|
|
||||||
Subject: [PATCH] Use mkdir -p for creating SPECPARTS dir
|
|
||||||
|
|
||||||
to not error out when invoking %setup more than once or shipping the
|
|
||||||
directory in the sources.
|
|
||||||
---
|
|
||||||
build/parsePrep.c | 2 +-
|
|
||||||
tests/rpmspec.at | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/build/parsePrep.c b/build/parsePrep.c
|
|
||||||
index f8e09a8c7..ea8faa953 100644
|
|
||||||
--- a/build/parsePrep.c
|
|
||||||
+++ b/build/parsePrep.c
|
|
||||||
@@ -274,7 +274,7 @@ static int doSetupMacro(rpmSpec spec, const char *line)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* mkdir for dynamic specparts */
|
|
||||||
- buf = rpmExpand("%{__mkdir} SPECPARTS", NULL);
|
|
||||||
+ buf = rpmExpand("%{__mkdir_p} SPECPARTS", NULL);
|
|
||||||
appendBuf(spec, buf, 1);
|
|
||||||
free(buf);
|
|
||||||
|
|
||||||
diff --git a/tests/rpmspec.at b/tests/rpmspec.at
|
|
||||||
index 548b4b3cc..564479391 100644
|
|
||||||
--- a/tests/rpmspec.at
|
|
||||||
+++ b/tests/rpmspec.at
|
|
||||||
@@ -333,7 +333,7 @@ if [ $STATUS -ne 0 ]; then
|
|
||||||
exit $STATUS
|
|
||||||
fi
|
|
||||||
cd 'hello-1.0'
|
|
||||||
-/usr/bin/mkdir SPECPARTS
|
|
||||||
+/usr/bin/mkdir -p SPECPARTS
|
|
||||||
/usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
|
|
||||||
echo "Patch #0 (hello-1.0-modernize.patch):"
|
|
||||||
/usr/bin/patch --no-backup-if-mismatch -f -p1 -b --suffix .modernize --fuzz=0 < /build/SOURCES/hello-1.0-modernize.patch
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
16
rpm.spec
16
rpm.spec
@ -30,9 +30,9 @@
|
|||||||
|
|
||||||
%define rpmhome /usr/lib/rpm
|
%define rpmhome /usr/lib/rpm
|
||||||
|
|
||||||
%global rpmver 4.18.90
|
%global rpmver 4.18.91
|
||||||
#global snapver rc1
|
#global snapver rc1
|
||||||
%global baserelease 10
|
%global baserelease 1
|
||||||
%global sover 10
|
%global sover 10
|
||||||
|
|
||||||
%global srcver %{rpmver}%{?snapver:-%{snapver}}
|
%global srcver %{rpmver}%{?snapver:-%{snapver}}
|
||||||
@ -148,13 +148,6 @@ rpm-4.18.90-disable-sysusers.patch
|
|||||||
rpm-4.18.90-weak-user-group.patch
|
rpm-4.18.90-weak-user-group.patch
|
||||||
# Patches already upstream:
|
# Patches already upstream:
|
||||||
# ...
|
# ...
|
||||||
0001-Remove-second-share-dir-from-infodir-and-mandir.patch
|
|
||||||
0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
|
|
||||||
0001-Fix-bzip2-detection.patch
|
|
||||||
0001-Enable-large-file-support-on-32-bit-systems-again.patch
|
|
||||||
0001-Use-mkdir-p-for-creating-SPECPARTS-dir.patch
|
|
||||||
0001-Fix-undefined-symbols-from-plugins-in-some-circumsta.patch
|
|
||||||
0001-Revert-_smp_build_ncpus-change-to-a-parametric-macro.patch
|
|
||||||
|
|
||||||
# These are not yet upstream
|
# These are not yet upstream
|
||||||
rpm-4.7.1-geode-i686.patch
|
rpm-4.7.1-geode-i686.patch
|
||||||
@ -569,7 +562,7 @@ fi
|
|||||||
%files plugin-dbus-announce
|
%files plugin-dbus-announce
|
||||||
%{_libdir}/rpm-plugins/dbus_announce.so
|
%{_libdir}/rpm-plugins/dbus_announce.so
|
||||||
%{_mandir}/man8/rpm-plugin-dbus-announce.8*
|
%{_mandir}/man8/rpm-plugin-dbus-announce.8*
|
||||||
%{_sysconfdir}/dbus-1/system.d/org.rpm.conf
|
%{_datadir}/dbus-1/system.d/org.rpm.conf
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files build-libs
|
%files build-libs
|
||||||
@ -631,6 +624,9 @@ fi
|
|||||||
%doc %{_defaultdocdir}/rpm/API/
|
%doc %{_defaultdocdir}/rpm/API/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 09 2023 Michal Domonkos <mdomonko@redhat.com> - 4.18.91-1
|
||||||
|
- Update to 4.19 alpha2
|
||||||
|
|
||||||
* Thu Jun 08 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 4.18.90-10
|
* Thu Jun 08 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 4.18.90-10
|
||||||
- Rebuild for ima-evm-utils 1.5 soname bump
|
- Rebuild for ima-evm-utils 1.5 soname bump
|
||||||
|
|
||||||
|
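Review bot: The `%files plugin-dbus-announce` hunk (`-569,7 +562,7`) appears to move the D-Bus policy from `%{_sysconfdir}/dbus-1/system.d/org.rpm.conf` to `%{_datadir}/dbus-1/system.d/org.rpm.conf`, but the new changelog entry only says `- Update to 4.19 alpha2`. That file is the system-bus policy shipped with the plugin, so anyone who audits or overrides it under the sysconfdir path should be able to see from the changelog that the packaged copy moved. I would add a second line such as `- Move org.rpm.conf D-Bus policy from %%{_sysconfdir} to %%{_datadir}`. The `-148,13 +148,6` hunk also drops seven `0001-*.patch` entries as already upstream; presumably the 4.18.91 tarball carries all of them, including the pgpVerifySignature2/pgpPrtParams2 change, which is worth confirming since the tarball contents are not visible on this page.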
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (rpm-4.18.90.tar.bz2) = 2d1a499fe053c5f3497b0ae4c133ef3b05b4b87e12ee5d349ad8c34dbfaebc20c1b3e6727143c152040ed1e132047bcf95afcbbe4a8cb2c4f91900b536d7821c
|
SHA512 (rpm-4.18.91.tar.bz2) = e3b3e9f195e16afc0596d31ad7614b8369e2b9c6835cc2739f166772d21ae71714ce99b29fded63843ab7216bb34f1c33bb69c0718383ed4bb3b9058639aa246
|
||||||
|