From 1f55186cae77f006a9eb15bb58da50ac4dda9514 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Wed, 16 Aug 2017 15:58:05 +0300
Subject: [PATCH] Really ignore unknown tags in the signature header (#1480492)
Rpm >= 4.14 introduces an SHA256 digest on the header. Older versions of course know nothing about it, but they're supposed to simply ignore anything unknown in the signature header. Rpm 4.13 didn't, ugh. Also make the testsuite not fail 90% of the cases due to recent NSS versions require /dev/urandom presence.
---
rpm-4.13.0-testsuite-nss.patch | 21 +++++++++++++++++++++
rpm-4.13.0-unknown-sigtags.patch | 25 +++++++++++++++++++++++++
rpm.spec | 8 +++++++-
3 files changed, 53 insertions(+), 1 deletion(-)
create mode 100644 rpm-4.13.0-testsuite-nss.patch
create mode 100644 rpm-4.13.0-unknown-sigtags.patch
diff --git a/rpm-4.13.0-testsuite-nss.patch b/rpm-4.13.0-testsuite-nss.patch
new file mode 100644
index 0000000..d5725d0
--- /dev/null
+++ b/rpm-4.13.0-testsuite-nss.patch
@@ -0,0 +1,21 @@
+commit 36db47bf59213befbb0afb37032b82e634c7ba78
+Author: Panu Matilainen
+Date: Wed May 10 09:17:20 2017 +0300
+
+ Fix testsuite with newer NSS versions which require /dev/urandom
+
+ (cherry picked from commit 9e3256d2e8fa1bed042f7c4ded7e40e232342539)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 7a5cc6544..1e71d685f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -109,7 +109,7 @@ testing$(bindir)/rpmbuild: ../rpmbuild
+ $(MAKE) DESTDIR=`pwd`/${subdir}/testing install)
+ cp -r ${srcdir}/data/ testing/
+ for d in dev etc magic tmp var; do if [ ! -d testing/$${d} ]; then mkdir testing/$${d}; fi; done
+- for node in stdin stderr stdout null; do ln -s /dev/$${node} testing/dev/$${node}; done
++ for node in urandom stdin stderr stdout null; do ln -s /dev/$${node} testing/dev/$${node}; done
+ for cf in hosts resolv.conf passwd shadow group gshadow mtab fstab; do [ -f /etc/$${cf} ] && ln -s /etc/$${cf} testing/etc/$${cf}; done
+ ln -s ../$(bindir) testing/usr/bin
+ for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch; do p=`which $${prog}`; ln -s $${p} testing/$${p}; done
diff --git a/rpm-4.13.0-unknown-sigtags.patch b/rpm-4.13.0-unknown-sigtags.patch
new file mode 100644
index 0000000..f2355eb
--- /dev/null
+++ b/rpm-4.13.0-unknown-sigtags.patch
@@ -0,0 +1,25 @@
+commit 5e311d32e4079bf7f2db001d4f08db3ac0d93af9
+Author: Panu Matilainen
+Date: Fri Aug 11 12:48:23 2017 +0300
+
+ Really ignore unknown signature tags (RhBug:1480407)
+
+ Rather embarrassingly, rpm 4.13 fails rpmkeys -K signature verification
+ of rpm 4.14 packages because it doesn't really ignore unknown
+ signature tags like it claims to, and should. And so it reports a
+ bogus failure on the new SHA256 header-only digest. This bug as it is
+ only exists in 4.13.x, older versions are fine and >= 4.14 only
+ ever looks for tags it knows about.
+
+diff --git a/lib/signature.c b/lib/signature.c
+index 1b9fe345f..41bf85893 100644
+--- a/lib/signature.c
++++ b/lib/signature.c
+@@ -71,6 +71,7 @@ rpmRC rpmSigInfoParse(rpmtd td, const char *origin,
+ break;
+ default:
+ /* anything unknown just falls through for now */
++ sinfo->type = RPMSIG_OTHER_TYPE;
+ break;
+ }
+
diff --git a/rpm.spec b/rpm.spec
index 9444f10..5ba7cc6 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -29,7 +29,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}5%{?dist} +Release: %{?snapver:0.%{snapver}.}6%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2
@@ -53,6 +53,8 @@ Patch5: rpm-4.12.0-rpm2cpio-hack.patch # Patches already upstream: Patch100: rpm-4.13.0-python-rpmsign.patch +Patch101: rpm-4.13.0-unknown-sigtags.patch +Patch102: rpm-4.13.0-testsuite-nss.patch Patch133: rpm-4.13.x-pythondistdeps.patch Patch134: rpm-4.13.x-pythondistdeps-Makefile.patch
@@ -573,6 +575,10 @@ exit 0 %doc doc/librpm/html/* %changelog +* Wed Aug 16 2017 Panu Matilainen - 4.13.0.1-6 +- Really ignore unknown tags in the signature header (#1480492) +- Fix testsuite with recent NSS-versions + * Tue May 23 2017 Panu Matilainen - 4.13.0.1-5 - Fix rpmsign python module import failing (#1462671)
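Review bot: The comment kept in the `default:` branch of rpmSigInfoParse (lib/signature.c, carried in rpm-4.13.0-unknown-sigtags.patch) still says "anything unknown just falls through for now", which no longer describes the branch now that it assigns `sinfo->type = RPMSIG_OTHER_TYPE;`. I would reword it along the lines of `/* unknown tags are classified as RPMSIG_OTHER_TYPE so they are ignored rather than reported as a verification failure */`. Since ignoring is now the intended outcome, it is worth confirming in the code that consumes `sinfo->type` (not visible here) that a package is still rejected when none of the digests or signatures rpm 4.13 does understand are present, so an unrecognised tag can never stand in for a real check. A regression test running `rpmkeys -K` against a package carrying an unknown signature tag would pin the behaviour. The function body starts and ends outside this hunk.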