Really ignore unknown tags in the signature header (#1480492)

Rpm >= 4.14 introduces an SHA256 digest on the header. Older versions
of course know nothing about it, but they're supposed to simply
ignore anything unknown in the signature header. Rpm 4.13 didn't, ugh.

Also make the testsuite not fail 90% of the cases due to recent
NSS versions require /dev/urandom presence.

rpm-4.13.0-testsuite-nss.patch

@@ -0,0 +1,21 @@
+commit 36db47bf59213befbb0afb37032b82e634c7ba78
+Author: Panu Matilainen <pmatilai@redhat.com>
+Date:   Wed May 10 09:17:20 2017 +0300
+
+    Fix testsuite with newer NSS versions which require /dev/urandom
+    
+    (cherry picked from commit 9e3256d2e8fa1bed042f7c4ded7e40e232342539)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 7a5cc6544..1e71d685f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -109,7 +109,7 @@ testing$(bindir)/rpmbuild: ../rpmbuild
+ 	          $(MAKE) DESTDIR=`pwd`/${subdir}/testing install)
+ 	cp -r ${srcdir}/data/ testing/
+ 	for d in dev etc magic tmp var; do if [ ! -d testing/$${d} ]; then mkdir testing/$${d}; fi; done
+-	for node in stdin stderr stdout null; do ln -s /dev/$${node} testing/dev/$${node}; done
++	for node in urandom stdin stderr stdout null; do ln -s /dev/$${node} testing/dev/$${node}; done
+ 	for cf in hosts resolv.conf passwd shadow group gshadow mtab fstab; do [ -f /etc/$${cf} ] && ln -s /etc/$${cf} testing/etc/$${cf}; done
+ 	ln -s ../$(bindir) testing/usr/bin
+ 	for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch; do p=`which $${prog}`; ln -s $${p} testing/$${p}; done

rpm-4.13.0-unknown-sigtags.patch

@@ -0,0 +1,25 @@
+commit 5e311d32e4079bf7f2db001d4f08db3ac0d93af9
+Author: Panu Matilainen <pmatilai@redhat.com>
+Date:   Fri Aug 11 12:48:23 2017 +0300
+
+    Really ignore unknown signature tags (RhBug:1480407)
+    
+    Rather embarrassingly, rpm 4.13 fails rpmkeys -K signature verification
+    of rpm 4.14 packages because it doesn't really ignore unknown
+    signature tags like it claims to, and should. And so it reports a
+    bogus failure on the new SHA256 header-only digest. This bug as it is
+    only exists in 4.13.x, older versions are fine and >= 4.14 only
+    ever looks for tags it knows about.
+
+diff --git a/lib/signature.c b/lib/signature.c
+index 1b9fe345f..41bf85893 100644
+--- a/lib/signature.c
++++ b/lib/signature.c
+@@ -71,6 +71,7 @@ rpmRC rpmSigInfoParse(rpmtd td, const char *origin,
+ 	break;
+     default:
+ 	/* anything unknown just falls through for now */
++	sinfo->type = RPMSIG_OTHER_TYPE;
+ 	break;
+     }
+ 

rpm.spec

@@ -29,7 +29,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}5%{?dist}
+Release: %{?snapver:0.%{snapver}.}6%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2
@@ -53,6 +53,8 @@ Patch5: rpm-4.12.0-rpm2cpio-hack.patch
 
 # Patches already upstream:
 Patch100: rpm-4.13.0-python-rpmsign.patch
+Patch101: rpm-4.13.0-unknown-sigtags.patch
+Patch102: rpm-4.13.0-testsuite-nss.patch
 
 Patch133: rpm-4.13.x-pythondistdeps.patch
 Patch134: rpm-4.13.x-pythondistdeps-Makefile.patch
@@ -573,6 +575,10 @@ exit 0
 %doc doc/librpm/html/*
 
 %changelog
+* Wed Aug 16 2017 Panu Matilainen <pmatilai@redhat.com> - 4.13.0.1-6
+- Really ignore unknown tags in the signature header (#1480492)
+- Fix testsuite with recent NSS-versions
+
 * Tue May 23 2017 Panu Matilainen <pmatilai@redhat.com> - 4.13.0.1-5
 - Fix rpmsign python module import failing (#1462671)