From 95ea12b9a4be68cc25f0811e693c7a024b5e3d4b Mon Sep 17 00:00:00 2001
From: Matej Habrnal <mhabrnal@redhat.com>
Date: Tue, 9 Feb 2016 16:53:21 +0100
Subject: [PATCH] Save Vendor and GPG Fingerprint
|
Red Hat keys can be found at:
https://access.redhat.com/security/team/key
|
Related: #1258482
---
src/daemon/abrt-action-save-package-data.c | 34 ++++++++++++++++++++-----
src/daemon/abrt-action-save-package-data.conf | 7 ++++++
src/daemon/rpm.c | 36 +++++++++++++++++++--------
src/daemon/rpm.h | 15 +++++++++++
src/plugins/abrt-action-save-kernel-data | 6 +++++
5 files changed, 82 insertions(+), 16 deletions(-)
|
diff --git a/src/daemon/abrt-action-save-package-data.c b/src/daemon/abrt-action-save-package-data.c
index 97d5f5e..ef2007e 100644
--- a/src/daemon/abrt-action-save-package-data.c
+++ b/src/daemon/abrt-action-save-package-data.c
@@ -224,6 +224,7 @@ static int SavePackageDescriptionToDebugDump(const char *dump_dir_name)
char *cmdline = NULL;
char *executable = NULL;
char *package_short_name = NULL;
+ char *fingerprint = NULL;
struct pkg_envra *pkg_name = NULL;
char *component = NULL;
int error = 1;
@@ -311,13 +312,12 @@ static int SavePackageDescriptionToDebugDump(const char *dump_dir_name)
goto ret; /* return 1 (failure) */
}
|
- if (settings_bOpenGPGCheck)
+ fingerprint = rpm_get_fingerprint(package_short_name);
+ if (!(fingerprint != NULL && rpm_fingerprint_is_imported(fingerprint))
+ && settings_bOpenGPGCheck)
{
- if (!rpm_chk_fingerprint(package_short_name))
- {
- log("Package '%s' isn't signed with proper key", package_short_name);
- goto ret; /* return 1 (failure) */
- }
+ log("Package '%s' isn't signed with proper key", package_short_name);
+ goto ret; /* return 1 (failure) */
/* We used to also check the integrity of the executable here:
* if (!CheckHash(package_short_name.c_str(), executable)) BOOM();
* Checking the MD5 sum requires to run prelink to "un-prelink" the
@@ -340,6 +340,27 @@ static int SavePackageDescriptionToDebugDump(const char *dump_dir_name)
dd_save_text(dd, FILENAME_PKG_VERSION, pkg_name->p_version);
dd_save_text(dd, FILENAME_PKG_RELEASE, pkg_name->p_release);
dd_save_text(dd, FILENAME_PKG_ARCH, pkg_name->p_arch);
+ dd_save_text(dd, FILENAME_PKG_VENDOR, pkg_name->p_vendor);
+
+ if (fingerprint)
+ {
+ /* 16 character + 3 spaces + 1 '\0' + 2 Bytes for errors :) */
+ char key_fingerprint[22] = {0};
+
+ /* The condition is just a defense against errors */
+ for (size_t i = 0, j = 0; j < sizeof(key_fingerprint) - 2; )
+ {
+ key_fingerprint[j++] = toupper(fingerprint[i++]);
+
+ if (fingerprint[i] == '\0')
+ break;
+
+ if (!(i & (0x3)))
+ key_fingerprint[j++] = ' ';
+ }
+
+ dd_save_text(dd, FILENAME_PKG_FINGERPRINT, key_fingerprint);
+ }
}
|
if (component)
@@ -355,6 +376,7 @@ static int SavePackageDescriptionToDebugDump(const char *dump_dir_name)
free(package_short_name);
free_pkg_envra(pkg_name);
free(component);
+ free(fingerprint);
|
return error;
}
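Review bot: The formatting loop in the `@@ -340,6 +340,27 @@` hunk copies `fingerprint[i]` before testing it, so an empty string — which rpm_get_fingerprint yields when nothing follows `" Key ID "` in the signature text — copies the terminator and then reads `fingerprint[1]` past the end of the allocation; `toupper` is also applied to a plain `char`, which is undefined for negative values. Make the string test part of the loop condition and cast the byte: `for (size_t i = 0, j = 0; fingerprint[i] != '\0' && j < sizeof(key_fingerprint) - 2; )`, `key_fingerprint[j++] = toupper((unsigned char)fingerprint[i++]);`, and replace the `break` plus the space test with `if (fingerprint[i] != '\0' && !(i & 0x3)) key_fingerprint[j++] = ' ';`. Note also that FILENAME_PKG_FINGERPRINT is written whenever a signature is present, including when OpenGPGCheck is off and the key was never matched against the imported list, so a comment above the `dd_save_text` saying that the saved value is the key ID recorded in the package's signature header and not evidence that the signature was verified would help consumers of the dump. SavePackageDescriptionToDebugDump begins and ends outside this hunk.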
diff --git a/src/daemon/abrt-action-save-package-data.conf b/src/daemon/abrt-action-save-package-data.conf
index 3d35bb6..bf97264 100644
--- a/src/daemon/abrt-action-save-package-data.conf
+++ b/src/daemon/abrt-action-save-package-data.conf
@@ -3,6 +3,13 @@
# the list of public keys used to check the signature is
# in the file gpg_keys
#
+# How can I check the GPG key used to sign an installed pacakge on
+# Red hat Enterprise Linux:
+# https://access.redhat.com/solutions/1120013
+#
+# Product Signing (GPG) Keys:
+# https://access.redhat.com/security/team/key
+#
OpenGPGCheck = yes
|
# Blacklisted packages
diff --git a/src/daemon/rpm.c b/src/daemon/rpm.c
index b69992c..d3d3d0a 100644
--- a/src/daemon/rpm.c
+++ b/src/daemon/rpm.c
@@ -99,7 +99,22 @@ void rpm_load_gpgkey(const char* filename)
|
int rpm_chk_fingerprint(const char* pkg)
{
- int ret = 0;
+ char *fingerprint = rpm_get_fingerprint(pkg);
+ int res = 0;
+ if (fingerprint)
+ res = rpm_fingerprint_is_imported(fingerprint);
+ free(fingerprint);
+ return res;
+}
+
+int rpm_fingerprint_is_imported(const char* fingerprint)
+{
+ return !!g_list_find_custom(list_fingerprints, fingerprint, (GCompareFunc)g_strcmp0);
+}
+
+char *rpm_get_fingerprint(const char *pkg)
+{
+ char *fingerprint = NULL;
char *pgpsig = NULL;
const char *errmsg = NULL;
|
@@ -117,20 +132,15 @@ int rpm_chk_fingerprint(const char* pkg)
goto error;
}
|
- {
- char *pgpsig_tmp = strstr(pgpsig, " Key ID ");
- if (pgpsig_tmp)
- {
- pgpsig_tmp += sizeof(" Key ID ") - 1;
- ret = g_list_find_custom(list_fingerprints, pgpsig_tmp, (GCompareFunc)g_strcmp0) != NULL;
- }
- }
+ char *pgpsig_tmp = strstr(pgpsig, " Key ID ");
+ if (pgpsig_tmp)
+ fingerprint = xstrdup(pgpsig_tmp + sizeof(" Key ID ") - 1);
|
error:
free(pgpsig);
rpmdbFreeIterator(iter);
rpmtsFree(ts);
- return ret;
+ return fingerprint;
}
|
/*
@@ -244,6 +254,7 @@ pkg_add_id(name);
pkg_add_id(version);
pkg_add_id(release);
pkg_add_id(arch);
+pkg_add_id(vendor);
|
// caller is responsible to free returned value
struct pkg_envra *rpm_get_package_nvr(const char *filename, const char *rootdir_or_NULL)
@@ -314,6 +325,10 @@ struct pkg_envra *rpm_get_package_nvr(const char *filename, const char *rootdir_
if (r)
goto error;
|
+ r = pkg_add_vendor(header, p);
+ if (r)
+ goto error;
+
p->p_nvr = xasprintf("%s-%s-%s", p->p_name, p->p_version, p->p_release);
|
rpmdbFreeIterator(iter);
@@ -334,6 +349,7 @@ void free_pkg_envra(struct pkg_envra *p)
if (!p)
return;
|
+ free(p->p_vendor);
free(p->p_epoch);
free(p->p_name);
free(p->p_version);
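Review bot: In the `@@ -314,6 +325,10 @@` hunk a failure of the new `pkg_add_vendor` call aborts `rpm_get_package_nvr` via `goto error`; if the `pkg_add_id` helpers report an absent header tag as a failure (their macro body is outside this hunk), a package without a Vendor tag would now lose all of its package data rather than just the vendor, so either tolerate a missing tag there or document next to `pkg_add_id(vendor);` that Vendor is treated as mandatory. In the `@@ -117,20 +132,15 @@` hunk rpm_get_fingerprint returns a non-NULL but empty string when `" Key ID "` is the tail of pgpsig, and both callers in abrt-action-save-package-data.c take non-NULL to mean a usable key ID; guard the copy with `if (pgpsig_tmp && pgpsig_tmp[sizeof(" Key ID ") - 1] != '\0')`. rpm_get_fingerprint begins outside that hunk.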
diff --git a/src/daemon/rpm.h b/src/daemon/rpm.h
index 1b90368..89aa088 100644
--- a/src/daemon/rpm.h
+++ b/src/daemon/rpm.h
@@ -38,6 +38,7 @@ struct pkg_envra {
char *p_version;
char *p_release;
char *p_arch;
+ char *p_vendor;
};
|
void free_pkg_envra(struct pkg_envra *p);
@@ -69,6 +70,20 @@ void rpm_load_gpgkey(const char* filename);
int rpm_chk_fingerprint(const char* pkg);
|
/**
+ * A function, which checks if the given finger print is imported.
+ * @param pkg A package name.
+ * @return 1 if imported, otherwise (not-imported, or error) 0
+ */
+int rpm_fingerprint_is_imported(const char* fingerprint);
+
+/**
+ * A function, which returns package's finger print
+ * @param pkg A package name.
+ * @return NULL if not-valid, otherwise malloced NULL-terminated string.
+ */
+char *rpm_get_fingerprint(const char* pkg);
+
+/**
* Gets a package name. This package contains particular
* file. If the file doesn't belong to any package, empty string is
* returned.
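Review bot: The new comment block for `rpm_fingerprint_is_imported` in the `@@ -69,6 +70,20 @@` hunk documents a parameter named `pkg` ("A package name") while the declaration takes `fingerprint`; change it to `@param fingerprint A key ID string as returned by rpm_get_fingerprint().` The `rpm_get_fingerprint` comment would be clearer if "NULL if not-valid" said when that happens: the rpm.c change returns NULL when no pgpsig entry is found or the `" Key ID "` marker is absent, and otherwise the text following that marker, which the caller must free. Calling the value a "finger print" in both comments is misleading, since what the code extracts and compares is the key ID from the signature header; naming it precisely avoids confusion about what the imported list is compared against.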
diff --git a/src/plugins/abrt-action-save-kernel-data b/src/plugins/abrt-action-save-kernel-data
index 7df85cf..5f1ddc7 100755
--- a/src/plugins/abrt-action-save-kernel-data
+++ b/src/plugins/abrt-action-save-kernel-data
@@ -29,3 +29,9 @@ rpm -q --qf "%{release}\n" "$package" > pkg_release
epoch="$( rpm -q --qf "%{epoch}" "$package" )"
test "$epoch" = "(none)" && epoch=0
echo "$epoch" > pkg_epoch
+rpm -q --qf "%{vendor}\n" "$package" > pkg_vendor
+
+FINGERPRINT=$(rpm -q --qf "%|SIGGPG?{%{SIGGPG:pgpsig}}:{%{SIGPGP:pgpsig}}|" "$package" 2>/dev/null | tail -1)
+if [ -n "$FINGERPRINT" -a "_(none)" != "_$FINGERPRINT" ]; then
+ echo $FINGERPRINT | sed 's/.*Key ID \(....\)\(....\)\(....\)\(....\)$/\U\1 \U\2 \U\3 \U\4/' > pkg_fingerprint
+fi
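Review bot: `echo $FINGERPRINT` is unquoted, so the shell word-splits and glob-expands the signature text before sed sees it; write `echo "$FINGERPRINT" | sed ...`. When the value does not end in `Key ID ` followed by exactly 16 characters the `s` command is a no-op and the raw signature line is written to pkg_fingerprint, unlike the C path in abrt-action-save-package-data.c which stores only the key ID; using `sed -n 's/.*Key ID \(....\)\(....\)\(....\)\(....\)$/\U\1 \U\2 \U\3 \U\4/p'` creates the file only on a match. `\U` in the replacement is a GNU sed extension, which is fine if the script already assumes GNU tools but deserves a comment on the line.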
--
1.8.3.1