From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield" <neal@pep.foundation>
Date: Wed, 12 Apr 2023 17:56:19 +0200
Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2()
Add new functions pgpVerifySignature2() and pgpPrtParams2(), which are
like their earlier versions, but optionally return descriptive error
messages (in the case of failure) or lints (in the case of success).
Adjust tests accordingly.
This requires rpm-sequoia 1.4 or later.
See https://github.com/rpm-software-management/rpm-sequoia/issues/39
and
https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398
Fixes #2483.
---
ci/Dockerfile | 2 ++
include/rpm/rpmpgp.h | 23 +++++++++++++++++++
lib/rpmvs.c | 19 +++++++++++++---
rpmio/CMakeLists.txt | 2 +-
rpmio/rpmkeyring.c | 7 +++++-
rpmio/rpmpgp_internal.c | 15 +++++++++++++
rpmio/rpmpgp_sequoia.c | 7 ++++++
tests/rpmi.at | 10 +++++++--
tests/rpmsigdig.at | 50 +++++++++++++++++++++++++++++++----------
9 files changed, 116 insertions(+), 19 deletions(-)
diff --git a/ci/Dockerfile b/ci/Dockerfile
index d8f808962..552934fcd 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo
# dummy for controlling per-repo gpgcheck via Semaphore setup
RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo
RUN dnf -y update
+# until 1.4.0 lands in stable
+RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0"
RUN dnf -y install \
autoconf \
cmake \
diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
index 87a2a5bd2..675cbad73 100644
--- a/include/rpm/rpmpgp.h
+++ b/include/rpm/rpmpgp.h
@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
pgpDigParams * ret);
+/** \ingroup rpmpgp
+ * Parse a OpenPGP packet(s).
+ * @param pkts OpenPGP packet(s)
+ * @param pktlen OpenPGP packet(s) length (no. of bytes)
+ * @param pkttype Expected packet type (signature/key) or 0 for any
+ * @param[out] ret signature/pubkey packet parameters on success (alloced)
+ * @param[out] lints error messages and lints
+ * @return -1 on error, 0 on success
+ */
+int pgpPrtParams2(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret, char **lints);
+
/** \ingroup rpmpgp
* Parse subkey parameters from OpenPGP packet(s).
* @param pkts OpenPGP packet(s)
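Review bot: The `@param[out] lints error messages and lints` line on the new pgpPrtParams2 declaration doesn't say who owns the returned string or when it is set, which is the one thing a caller needs to know; the callers added in this patch (lib/rpmvs.c, rpmio/rpmkeyring.c) release it with free(), so that is the contract being relied on. Suggest `@param[out] lints error message (on failure) or lint (on success), NULL when there is nothing to report; caller frees with free()`. The same gap applies to pgpVerifySignature2 in the next hunk (@@ -1186), whose `@return RPMRC_OK on success` could also name what is returned otherwise. Minor wording: `Parse a OpenPGP packet(s)` here and `return a error message` in the next hunk should read `an`.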
@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp);
*/
rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
+/** \ingroup rpmpgp
+ * Verify a PGP signature and return a error message or lint.
+ * @param key public key
+ * @param sig signature
+ * @param hashctx digest context
+ * @param lints error messages and lints
+ * @return RPMRC_OK on success
+ */
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx,
+ char **lints);
+
/** \ingroup rpmpgp
* Return the type of a PGP signature. If `sig` is NULL, or is not a signature,
* returns -1.
diff --git a/lib/rpmvs.c b/lib/rpmvs.c
index a1425ea17..9b2106927 100644
--- a/lib/rpmvs.c
+++ b/lib/rpmvs.c
@@ -193,10 +193,23 @@ static void rpmsinfoInit(const struct vfyinfo_s *vinfo,
}
if (sinfo->type == RPMSIG_SIGNATURE_TYPE) {
- if (pgpPrtParams(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig)) {
- rasprintf(&sinfo->msg, _("%s tag %u: invalid OpenPGP signature"),
- origin, td->tag);
+ char *lints = NULL;
+ int ec = pgpPrtParams2(data, dlen, PGPTAG_SIGNATURE, &sinfo->sig, &lints);
+ if (ec) {
+ if (lints) {
+ rasprintf(&sinfo->msg,
+ ("%s tag %u: invalid OpenPGP signature: %s"),
+ origin, td->tag, lints);
+ free(lints);
+ } else {
+ rasprintf(&sinfo->msg,
+ _("%s tag %u: invalid OpenPGP signature"),
+ origin, td->tag);
+ }
goto exit;
+ } else if (lints) {
+ rpmlog(RPMLOG_WARNING, "%s\n", lints);
+ free(lints);
}
sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4);
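Review bot: The format string on the new lints branch, `("%s tag %u: invalid OpenPGP signature: %s")`, is wrapped in bare parentheses instead of the `_()` translation macro that the sibling message a few lines below (`_("%s tag %u: invalid OpenPGP signature")`) and the removed line both use, so the variant users will actually see with a backend that reports lints is not translatable. Change it to `_("%s tag %u: invalid OpenPGP signature: %s")`. The rest of the branch looks right: lints is passed only as a `%s` argument, never as a format, and is freed on both the error and the warning path. The enclosing function rpmsinfoInit begins before this hunk and continues after it.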
diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt
index 2fb5794b0..6aa9ab1f1 100644
--- a/rpmio/CMakeLists.txt
+++ b/rpmio/CMakeLists.txt
@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP)
target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT)
endif()
else()
- pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0)
+ pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0)
target_sources(librpmio PRIVATE rpmpgp_sequoia.c)
target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA)
endif()
diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
index 166ee43a2..e3eb9e6ea 100644
--- a/rpmio/rpmkeyring.c
+++ b/rpmio/rpmkeyring.c
@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
pgpkey = key->pgpkey;
/* We call verify even if key not found for a signature sanity check */
- rc = pgpVerifySignature(pgpkey, sig, ctx);
+ char *lints = NULL;
+ rc = pgpVerifySignature2(pgpkey, sig, ctx, &lints);
+ if (lints) {
+ rpmlog(rc ? RPMLOG_ERR : RPMLOG_WARNING, "%s\n", lints);
+ free(lints);
+ }
}
if (keyring)
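Review bot: `rpmlog(rc ? RPMLOG_ERR : RPMLOG_WARNING, "%s\n", lints)` logs at error level for every non-OK result, which includes RPMRC_NOKEY on the key-not-found sanity-check path that the comment two lines above describes (pgpkey is NULL there); if the backend emits a message on that path, a merely unknown key would be reported as an error. Whether it does cannot be told from this hunk, so this is something to confirm against the backend; if it can, consider `rpmlog((rc == RPMRC_OK || rc == RPMRC_NOKEY) ? RPMLOG_WARNING : RPMLOG_ERR, "%s\n", lints);`. A short comment on the rpmlog line stating which results are meant to log at which level would make the intent checkable either way. rpmKeyringVerifySig starts before this hunk and continues after it.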
diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c
index ce1d3c27d..82972bcc8 100644
--- a/rpmio/rpmpgp_internal.c
+++ b/rpmio/rpmpgp_internal.c
@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
return rc;
}
+int pgpPrtParams2(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret, char **lints)
+{
+ if (lints)
+ *lints = NULL;
+ return pgpPrtParams(pkts, pktlen, pkttype, ret);
+}
+
int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
pgpDigParams mainkey, pgpDigParams **subkeys,
int *subkeysCount)
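Review bot: pgpPrtParams2 in the internal backend unconditionally sets `*lints` to NULL and never produces a message, so a build using the internal parser gets no diagnostics beyond the return code; that is acceptable for a compatibility shim but nothing in the code says it is intentional. Suggest a comment above the definition: `/* The internal parser produces no lints; *lints is always set to NULL. */`. The same applies to pgpVerifySignature2 in the following hunk (@@ -1179). Both new functions are fully contained in their hunks.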
@@ -1179,6 +1187,13 @@ exit:
}
+rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints)
+{
+ if (lints)
+ *lints = NULL;
+ return pgpVerifySignature(key, sig, hashctx);
+}
+
static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
{
const char * enc = NULL;
diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
index c6434270a..d0b673953 100644
--- a/rpmio/rpmpgp_sequoia.c
+++ b/rpmio/rpmpgp_sequoia.c
@@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp))
W(rpmRC, pgpVerifySignature,
(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx),
(key, sig, hashctx))
+W(rpmRC, pgpVerifySignature2,
+ (pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints),
+ (key, sig, hashctx, lints))
W(int, pgpPubkeyKeyID,
(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid),
(pkt, pktlen, keyid))
@@ -51,6 +54,10 @@ W(int, pgpPubKeyCertLen,
W(int, pgpPrtParams,
(const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret),
(pkts, pktlen, pkttype, ret))
+W(int, pgpPrtParams2,
+ (const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams *ret,
+ char **lints),
+ (pkts, pktlen, pkttype, ret, lints))
W(int, pgpPrtParamsSubkeys,
(const uint8_t *pkts, size_t pktlen,
pgpDigParams mainkey, pgpDigParams **subkeys,
diff --git a/tests/rpmi.at b/tests/rpmi.at
index 9d74cf689..423d97bca 100644
--- a/tests/rpmi.at
+++ b/tests/rpmi.at
@@ -342,7 +342,7 @@ AT_CLEANUP
AT_SETUP([rpm -U <corrupted signed 1>])
AT_KEYWORDS([install])
-AT_CHECK([
+AT_CHECK_UNQUOTED([
RPMDB_INIT
pkg="hello-2.0-1.x86_64-signed.rpm"
@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
],
[1],
[],
-[error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
+[`if test x$PGP = xinternal; then
+ echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
+else
+ echo 'error: /tmp/hello-2.0-1.x86_64-signed.rpm: Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
+ echo ' Failed to parse Signature Packet'
+ echo ' because: Malformed packet: Subpacket extends beyond the end of the subpacket area)'
+fi`
error: /tmp/hello-2.0-1.x86_64-signed.rpm cannot be installed
])
AT_CLEANUP
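Review bot: The else branch of the new AT_CHECK_UNQUOTED expectation hard-codes the backend's complete multi-line diagnostic, down to the `Malformed packet` wording and the `because:` continuation lines, so any rewording in a later rpm-sequoia release fails this test although rpm's own behaviour is unchanged. Consider asserting only the rpm-side prefix up to `invalid OpenPGP signature` and leaving the backend's exact wording to rpm-sequoia's own test suite, or at least add a comment next to the `if test x$PGP = xinternal` line saying the text is owned by the backend and which version it was captured from. The same pattern recurs in tests/rpmsigdig.at at @@ -754 (twice) and in the `error: Verifying a signature using certificate` blocks at @@ -416, @@ -427, @@ -483 and @@ -494, which additionally pin a fixed expiry timestamp. The `$PGP` variable this switch depends on is not set anywhere in this patch, so it presumably comes from the test harness; worth confirming it is exported in every configuration.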
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 9fb3febc9..df1f669e4 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -386,17 +386,17 @@ AT_CHECK([
RPMDB_INIT
echo Checking package before importing key:
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
echo Importing key:
-runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $?
+runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $?
echo Checking for key:
runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
echo Checking package after importing key:
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
echo Checking package after importing key, no digest:
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
echo Checking package after importing key, no signature:
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
],
[0],
[[Checking package before importing key:
@@ -416,6 +416,10 @@ Checking for key:
Version : eb04e625
Checking package after importing key:
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+ Key 1F71177215217EE0 invalid: key is not alive
+ because: The subkey is not live
+ because: Expired on 2022-04-12T00:00:15Z
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Header DSA signature: NOTFOUND
Header SHA256 digest: OK
@@ -427,6 +431,10 @@ Checking package after importing key:
1
Checking package after importing key, no digest:
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+ Key 1F71177215217EE0 invalid: key is not alive
+ because: The subkey is not live
+ because: Expired on 2022-04-12T00:00:15Z
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Header DSA signature: NOTFOUND
RSA signature: NOTFOUND
@@ -455,15 +463,15 @@ RPMDB_INIT
echo Checking package before importing key:
runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
echo Importing key:
-runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $?
+runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $?
echo Checking for key:
runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
echo Checking package after importing key:
-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
echo Checking package after importing key, no digest:
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
echo Checking package after importing key, no signature:
-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
],
[0],
[[Checking package before importing key:
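Review bot: The `Checking package before importing key` invocation in this hunk (`runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?`) is the only rpmkeys call in the two subkey tests that did not get `2>&1`; its counterpart in the @@ -386 hunk did. It is probably harmless because no key has been imported at that point, but if the backend ever emits a lint there, its stderr bypasses the expectation and the check passes on output it never compared. Add `2>&1` to that line as well so both tests capture the same streams.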
@@ -483,6 +491,8 @@ Checking for key:
Version : eb04e625
Checking package after importing key:
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+ Key 1F71177215217EE0 is invalid: key is revoked
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Header DSA signature: NOTFOUND
Header SHA256 digest: OK
@@ -494,6 +504,8 @@ Checking package after importing key:
1
Checking package after importing key, no digest:
/data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+ Key 1F71177215217EE0 is invalid: key is revoked
Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
Header DSA signature: NOTFOUND
RSA signature: NOTFOUND
@@ -740,7 +752,7 @@ AT_CLEANUP
# Test pre-built corrupted package verification (corrupted signature)
AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
AT_KEYWORDS([rpmkeys digest signature])
-AT_CHECK([
+AT_CHECK_UNQUOTED([
RPMDB_INIT
pkg="hello-2.0-1.x86_64-signed.rpm"
@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
],
[1],
[/tmp/hello-2.0-1.x86_64-signed.rpm:
- Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
+`if test x$PGP = xinternal; then
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
+else
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
+ echo ' Failed to parse Signature Packet'
+ echo ' because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
+ echo ' because: Malformed MPI: leading bit is not set: expected bit 1 to be set in 0 (0))'
+fi`
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
MD5 digest: OK
/tmp/hello-2.0-1.x86_64-signed.rpm:
- Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
+`if test x$PGP = xinternal; then
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)'
+else
+ echo ' Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:'
+ echo ' Failed to parse Signature Packet'
+ echo ' because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.'
+ echo ' because: Malformed MPI: leading bit is not set: expected bit 1 to be set in 0 (0))'
+fi`
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
--
2.40.1