teknoraver / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone
Source Code
GIT

Blame 0002-Eliminate-hardcoded-GPG-references-from-user-visible.patch

c10s-sig-hyperscale c8 c8s c8s-sig-hyperscale c9 c9s-sig-hyperscale
  1.   c10s-sig-hyperscale
  2.   0002-Eliminate-hardcoded-GPG-references-from-user-visible.patch
Blob History Raw
Panu Matilainen c7a072 
From 3c1055628380d66934578060a4a6c678f1261456 Mon Sep 17 00:00:00 2001
Panu Matilainen c7a072 
Message-ID: <3c1055628380d66934578060a4a6c678f1261456.1728896192.git.pmatilai@redhat.com>
Panu Matilainen c7a072 
In-Reply-To: <3b0a150af79668052bf5842b68341adbde016005.1728896192.git.pmatilai@redhat.com>
Panu Matilainen c7a072 
References: <3b0a150af79668052bf5842b68341adbde016005.1728896192.git.pmatilai@redhat.com>
Panu Matilainen c7a072 
From: Panu Matilainen <pmatilai@redhat.com>
Panu Matilainen c7a072 
Date: Thu, 5 Sep 2024 09:44:40 +0300
Panu Matilainen c7a072 
Subject: [PATCH 2/3] Eliminate hardcoded GPG references from user visible
Panu Matilainen c7a072 
 messages
Panu Matilainen c7a072
Panu Matilainen c7a072 
Use the OpenPGP standard name or the configured+parsed signing command
Panu Matilainen c7a072 
in messages as appropriate. Also detect if we're specifically using
Panu Matilainen c7a072 
gpg and only set up its environment in that case to avoid bleeding
Panu Matilainen c7a072 
those messages to innocent bypassers.
Panu Matilainen c7a072
Panu Matilainen c7a072 
Fixes: #3274
Panu Matilainen c7a072 
(backported from commit a3cf4f674dd59c1c80f97780643c184e705518ce)
Panu Matilainen c7a072 
---
Panu Matilainen c7a072 
 sign/rpmgensig.c   | 42 +++++++++++++++++++++++++-----------------
Panu Matilainen c7a072 
 tests/rpmsigdig.at |  9 +++++++++
Panu Matilainen c7a072 
 2 files changed, 34 insertions(+), 17 deletions(-)
Panu Matilainen c7a072
Panu Matilainen c7a072 
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
Panu Matilainen c7a072 
index 7bbd63216..fb7368e14 100644
Panu Matilainen c7a072 
--- a/sign/rpmgensig.c
Panu Matilainen c7a072 
+++ b/sign/rpmgensig.c
Panu Matilainen c7a072 
@@ -232,23 +232,29 @@ static int runGPG(sigTarget sigt, const char *sigfile)
Panu Matilainen c7a072 
     }
Panu Matilainen c7a072
Panu Matilainen c7a072 
     if (!(pid = fork())) {
Panu Matilainen c7a072 
-	const char *tty = ttyname(STDIN_FILENO);
Panu Matilainen c7a072 
-	const char *gpg_path = NULL;
Panu Matilainen c7a072 
-
Panu Matilainen c7a072 
-	if (!getenv("GPG_TTY") && (!tty || setenv("GPG_TTY", tty, 0)))
Panu Matilainen c7a072 
-	    rpmlog(RPMLOG_WARNING, _("Could not set GPG_TTY to stdin: %m\n"));
Panu Matilainen c7a072 
-
Panu Matilainen c7a072 
-	gpg_path = rpmExpand("%{?_gpg_path}", NULL);
Panu Matilainen c7a072 
-	if (gpg_path && *gpg_path != '\0')
Panu Matilainen c7a072 
-	    (void) setenv("GNUPGHOME", gpg_path, 1);
Panu Matilainen c7a072 
+	/* GnuPG needs extra setup, try to see if that's what we're running */
Panu Matilainen c7a072 
+	char *out = rpmExpand("%(", argv[0], " --version 2> /dev/null)", NULL);
Panu Matilainen c7a072 
+	int using_gpg = (strstr(out, "GnuPG") != NULL);
Panu Matilainen c7a072 
+	if (using_gpg) {
Panu Matilainen c7a072 
+	    const char *tty = ttyname(STDIN_FILENO);
Panu Matilainen c7a072 
+	    const char *gpg_path = NULL;
Panu Matilainen c7a072 
+
Panu Matilainen c7a072 
+	    if (!getenv("GPG_TTY") && (!tty || setenv("GPG_TTY", tty, 0)))
Panu Matilainen c7a072 
+		rpmlog(RPMLOG_WARNING, _("Could not set GPG_TTY to stdin: %m\n"));
Panu Matilainen c7a072 
+
Panu Matilainen c7a072 
+	    gpg_path = rpmExpand("%{?_gpg_path}", NULL);
Panu Matilainen c7a072 
+	    if (gpg_path && *gpg_path != '\0')
Panu Matilainen c7a072 
+		(void) setenv("GNUPGHOME", gpg_path, 1);
Panu Matilainen c7a072 
+	}
Panu Matilainen c7a072 
+	free(out);
Panu Matilainen c7a072
Panu Matilainen c7a072 
 	dup2(pipefd[0], STDIN_FILENO);
Panu Matilainen c7a072 
 	close(pipefd[1]);
Panu Matilainen c7a072
Panu Matilainen c7a072 
 	rc = execve(argv[0], argv+1, environ);
Panu Matilainen c7a072
Panu Matilainen c7a072 
-	rpmlog(RPMLOG_ERR, _("Could not exec %s: %s\n"), "gpg",
Panu Matilainen c7a072 
-			strerror(errno));
Panu Matilainen c7a072 
+	rpmlog(RPMLOG_ERR, _("Could not exec %s: %s\n"), argv[0],
Panu Matilainen c7a072 
+		strerror(errno));
Panu Matilainen c7a072 
 	_exit(EXIT_FAILURE);
Panu Matilainen c7a072 
     }
Panu Matilainen c7a072
Panu Matilainen c7a072 
@@ -295,9 +301,11 @@ exit:
Panu Matilainen c7a072 
     } while (reaped == -1 && errno == EINTR);
Panu Matilainen c7a072
Panu Matilainen c7a072 
     if (reaped == -1) {
Panu Matilainen c7a072 
-	rpmlog(RPMLOG_ERR, _("gpg waitpid failed (%s)\n"), strerror(errno));
Panu Matilainen c7a072 
+	rpmlog(RPMLOG_ERR, _("%s waitpid failed (%s)\n"), argv[0],
Panu Matilainen c7a072 
+		strerror(errno));
Panu Matilainen c7a072 
     } else if (!WIFEXITED(status) || WEXITSTATUS(status)) {
Panu Matilainen c7a072 
-	rpmlog(RPMLOG_ERR, _("gpg exec failed (%d)\n"), WEXITSTATUS(status));
Panu Matilainen c7a072 
+	rpmlog(RPMLOG_ERR, _("%s exec failed (%d)\n"), argv[0],
Panu Matilainen c7a072 
+		WEXITSTATUS(status));
Panu Matilainen c7a072 
     } else {
Panu Matilainen c7a072 
 	rc = 0;
Panu Matilainen c7a072 
     }
Panu Matilainen c7a072 
@@ -328,13 +336,13 @@ static rpmtd makeGPGSignature(Header sigh, int ishdr, sigTarget sigt)
Panu Matilainen c7a072 
 	goto exit;
Panu Matilainen c7a072
Panu Matilainen c7a072 
     if (stat(sigfile, &st)) {
Panu Matilainen c7a072 
-	/* GPG failed to write signature */
Panu Matilainen c7a072 
-	rpmlog(RPMLOG_ERR, _("gpg failed to write signature\n"));
Panu Matilainen c7a072 
+	/* External command failed to write signature */
Panu Matilainen c7a072 
+	rpmlog(RPMLOG_ERR, _("failed to write signature\n"));
Panu Matilainen c7a072 
 	goto exit;
Panu Matilainen c7a072 
     }
Panu Matilainen c7a072
Panu Matilainen c7a072 
     pktlen = st.st_size;
Panu Matilainen c7a072 
-    rpmlog(RPMLOG_DEBUG, "GPG sig size: %zd\n", pktlen);
Panu Matilainen c7a072 
+    rpmlog(RPMLOG_DEBUG, "OpenPGP sig size: %zd\n", pktlen);
Panu Matilainen c7a072 
     pkt = xmalloc(pktlen);
Panu Matilainen c7a072
Panu Matilainen c7a072 
     {	FD_t fd;
Panu Matilainen c7a072 
@@ -351,7 +359,7 @@ static rpmtd makeGPGSignature(Header sigh, int ishdr, sigTarget sigt)
Panu Matilainen c7a072 
 	}
Panu Matilainen c7a072 
     }
Panu Matilainen c7a072
Panu Matilainen c7a072 
-    rpmlog(RPMLOG_DEBUG, "Got %zd bytes of GPG sig\n", pktlen);
Panu Matilainen c7a072 
+    rpmlog(RPMLOG_DEBUG, "Got %zd bytes of OpenPGP sig\n", pktlen);
Panu Matilainen c7a072
Panu Matilainen c7a072 
     /* Parse the signature, change signature tag as appropriate. */
Panu Matilainen c7a072 
     sigtd = makeSigTag(sigh, ishdr, pkt, pktlen);
Panu Matilainen c7a072 
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
Panu Matilainen c7a072 
index 14dffc27a..d19f85d04 100644
Panu Matilainen c7a072 
--- a/tests/rpmsigdig.at
Panu Matilainen c7a072 
+++ b/tests/rpmsigdig.at
Panu Matilainen c7a072 
@@ -1036,6 +1036,15 @@ run rpmsign --define "__gpg_sign_cmd mumble" --key-id 1964C5FC --addsign "${RPMT
Panu Matilainen c7a072 
 [error: Invalid sign command: mumble
Panu Matilainen c7a072 
 ])
Panu Matilainen c7a072
Panu Matilainen c7a072 
+RPMTEST_CHECK([
Panu Matilainen c7a072 
+run rpmsign --define "__gpg /gnus/not/here" --key-id 1964C5FC --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
Panu Matilainen c7a072 
+],
Panu Matilainen c7a072 
+[1],
Panu Matilainen c7a072 
+[],
Panu Matilainen c7a072 
+[error: Could not exec /gnus/not/here: No such file or directory
Panu Matilainen c7a072 
+error: /gnus/not/here exec failed (1)
Panu Matilainen c7a072 
+])
Panu Matilainen c7a072 
+
Panu Matilainen c7a072 
 # rpmsign --addsign <signed>
Panu Matilainen c7a072 
 RPMTEST_CHECK([
Panu Matilainen c7a072 
 RPMDB_INIT
Panu Matilainen c7a072 
--
Panu Matilainen c7a072 
2.47.0
Panu Matilainen c7a072

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation