Rebase to the 4.19 alpha release (4.18.90)

This uses the new cmake build scripts so several pieces of the package had to be adjusted.
2023-05-05 13:34:13 +02:00 · 2023-05-05 13:34:13 +02:00 · 3913b45078
parent 7cdaeb70ca
commit 3913b45078
10 changed files with 401 additions and 112 deletions
--- a/.gitignore
+++ b/.gitignore
@ -56,3 +56,4 @@
 /rpm-4.18.0-rc1.tar.bz2
 /rpm-4.18.0.tar.bz2
 /rpm-4.18.1.tar.bz2
+/rpm-4.18.90.tar.bz2
--- a/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
+++ b/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch
@ -1,5 +1,4 @@
-From e75ae70ef1a152dac9a066506cafd2bbf7b2565e Mon Sep 17 00:00:00 2001
-Message-Id: <e75ae70ef1a152dac9a066506cafd2bbf7b2565e.1681989428.git.pmatilai@redhat.com>
+From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001
 From: "Neal H. Walfield" <neal@pep.foundation>
 Date: Wed, 12 Apr 2023 17:56:19 +0200
 Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2()
@ -16,37 +15,36 @@ and
 https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398

 Fixes #2483.
-
-This is a backport of commit 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3
 ---
- configure.ac            |  2 +-
- include/rpm/rpmpgp.h    | 23 +++++++++++++++++++++++
- lib/rpmvs.c             | 19 ++++++++++++++++---
- rpmio/rpmkeyring.c      |  7 ++++++-
- rpmio/rpmpgp_internal.c | 15 +++++++++++++++
- rpmio/rpmpgp_sequoia.c  |  7 +++++++
- tests/rpmi.at           | 10 ++++++++--
- tests/rpmsigdig.at      | 20 +++++++++++++++++---
- 9 files changed, 95 insertions(+), 10 deletions(-)
+ ci/Dockerfile           |  2 ++
+ include/rpm/rpmpgp.h    | 23 +++++++++++++++++++
+ lib/rpmvs.c             | 19 +++++++++++++---
+ rpmio/CMakeLists.txt    |  2 +-
+ rpmio/rpmkeyring.c      |  7 +++++-
+ rpmio/rpmpgp_internal.c | 15 +++++++++++++
+ rpmio/rpmpgp_sequoia.c  |  7 ++++++
+ tests/rpmi.at           | 10 +++++++--
+ tests/rpmsigdig.at      | 50 +++++++++++++++++++++++++++++++----------
+ 9 files changed, 116 insertions(+), 19 deletions(-)

-diff --git a/configure.ac b/configure.ac
-index e6676c581..1d173e4e2 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -384,7 +384,7 @@ AC_SUBST(WITH_LIBGCRYPT_LIB)
- WITH_RPM_SEQUOIA_INCLUDE=
- WITH_RPM_SEQUOIA_LIB=
- if test "$with_crypto" = sequoia ; then
-  PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia], [have_rpm_sequoia=yes], [have_rpm_sequoia=no])
-+  PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia >= 1.4.0], [have_rpm_sequoia=yes], [have_rpm_sequoia=no])
-   if test "$have_rpm_sequoia" = "yes"; then
-      WITH_RPM_SEQUOIA_INCLUDE="$RPM_SEQUOIA_CFLAGS"
-      WITH_RPM_SEQUOIA_LIB="$RPM_SEQUOIA_LIBS"
+diff --git a/ci/Dockerfile b/ci/Dockerfile
+index d8f808962..552934fcd 100644
+--- a/ci/Dockerfile
+++ b/ci/Dockerfile
+@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo
+ # dummy for controlling per-repo gpgcheck via Semaphore setup
+ RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo
+ RUN dnf -y update
+# until 1.4.0 lands in stable
+RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0"
+ RUN dnf -y install \
+   autoconf \
+   cmake \
 diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
-index a3238a643..3352129b8 100644
+index 87a2a5bd2..675cbad73 100644
 --- a/include/rpm/rpmpgp.h
 +++ b/include/rpm/rpmpgp.h
-@@ -1013,6 +1013,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
+@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid);
 int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype,
 		 pgpDigParams * ret);
 
@ -65,9 +63,9 @@ index a3238a643..3352129b8 100644
 /** \ingroup rpmpgp
  * Parse subkey parameters from OpenPGP packet(s).
  * @param pkts		OpenPGP packet(s)
-@@ -1191,6 +1203,17 @@ const uint8_t *pgpDigParamsSignID(pgpDigParams digp);
+@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp);
  */
- const char *pgpDigParamsUserID(pgpDigParams digp);
+ rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx);
 
 +/** \ingroup rpmpgp
 + * Verify a PGP signature and return a error message or lint.
@ -81,8 +79,8 @@ index a3238a643..3352129b8 100644
 +                          char **lints);
 +
 /** \ingroup rpmpgp
-  * Retrieve the object's version.
-  *
+  * Return the type of a PGP signature. If `sig` is NULL, or is not a signature,
+  * returns -1.
 diff --git a/lib/rpmvs.c b/lib/rpmvs.c
 index a1425ea17..9b2106927 100644
 --- a/lib/rpmvs.c
@ -114,11 +112,24 @@ index a1425ea17..9b2106927 100644
 	}
 	sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO);
 	sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4);
+diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt
+index 2fb5794b0..6aa9ab1f1 100644
+--- a/rpmio/CMakeLists.txt
+++ b/rpmio/CMakeLists.txt
+@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP)
+ 		target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT)
+ 	endif()
+ else()
+-	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0)
+	pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0)
+ 	target_sources(librpmio PRIVATE rpmpgp_sequoia.c)
+ 	target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA)
+ endif()
 diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
-index db72892d9..712004bc8 100644
+index 166ee43a2..e3eb9e6ea 100644
 --- a/rpmio/rpmkeyring.c
 +++ b/rpmio/rpmkeyring.c
-@@ -328,7 +328,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
+@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
 	    pgpkey = key->pgpkey;
 
 	/* We call verify even if key not found for a signature sanity check */
@ -133,10 +144,10 @@ index db72892d9..712004bc8 100644
 
     if (keyring)
 diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c
-index 0fcd220e4..a049c09b2 100644
+index ce1d3c27d..82972bcc8 100644
 --- a/rpmio/rpmpgp_internal.c
 +++ b/rpmio/rpmpgp_internal.c
-@@ -1095,6 +1095,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
     return rc;
 }
 
@ -151,8 +162,8 @@ index 0fcd220e4..a049c09b2 100644
 int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
 			pgpDigParams mainkey, pgpDigParams **subkeys,
 			int *subkeysCount)
-@@ -1264,6 +1272,13 @@ rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx)
- 			      pgpDigGetParams(dig, PGPTAG_SIGNATURE), hashctx);
+@@ -1179,6 +1187,13 @@ exit:
+ 
 }
 
 +rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints)
@ -166,7 +177,7 @@ index 0fcd220e4..a049c09b2 100644
 {
     const char * enc = NULL;
 diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
-index e01acd0e9..2141bbf30 100644
+index c6434270a..d0b673953 100644
 --- a/rpmio/rpmpgp_sequoia.c
 +++ b/rpmio/rpmpgp_sequoia.c
@@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp))
@ -191,10 +202,10 @@ index e01acd0e9..2141bbf30 100644
   (const uint8_t *pkts, size_t pktlen,
    pgpDigParams mainkey, pgpDigParams **subkeys,
 diff --git a/tests/rpmi.at b/tests/rpmi.at
-index 7c8f25eff..d67185d5b 100644
+index 9d74cf689..423d97bca 100644
 --- a/tests/rpmi.at
 +++ b/tests/rpmi.at
-@@ -254,7 +254,7 @@ AT_CLEANUP
+@@ -342,7 +342,7 @@ AT_CLEANUP
 
 AT_SETUP([rpm -U <corrupted signed 1>])
 AT_KEYWORDS([install])
@ -203,7 +214,7 @@ index 7c8f25eff..d67185d5b 100644
 RPMDB_INIT
 
 pkg="hello-2.0-1.x86_64-signed.rpm"
-@@ -267,7 +267,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
+@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \
 ],
 [1],
 [],
@ -219,10 +230,93 @@ index 7c8f25eff..d67185d5b 100644
 ])
 AT_CLEANUP
 diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
-index 5b1c6c4a6..e5482735a 100644
+index 9fb3febc9..df1f669e4 100644
 --- a/tests/rpmsigdig.at
 +++ b/tests/rpmsigdig.at
-@@ -539,7 +539,7 @@ AT_CLEANUP
+@@ -386,17 +386,17 @@ AT_CHECK([
+ RPMDB_INIT
+ 
+ echo Checking package before importing key:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ echo Importing key:
+-runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $?
+runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $?
+ echo Checking for key:
+ runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
+ echo Checking package after importing key:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ echo Checking package after importing key, no digest:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ echo Checking package after importing key, no signature:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ ],
+ [0],
+ [[Checking package before importing key:
+@@ -416,6 +416,10 @@ Checking for key:
+ Version     : eb04e625
+ Checking package after importing key:
+ /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+  Key 1F71177215217EE0 invalid: key is not alive
+      because: The subkey is not live
+      because: Expired on 2022-04-12T00:00:15Z
+     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
+     Header DSA signature: NOTFOUND
+     Header SHA256 digest: OK
+@@ -427,6 +431,10 @@ Checking package after importing key:
+ 1
+ Checking package after importing key, no digest:
+ /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+  Key 1F71177215217EE0 invalid: key is not alive
+      because: The subkey is not live
+      because: Expired on 2022-04-12T00:00:15Z
+     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
+     Header DSA signature: NOTFOUND
+     RSA signature: NOTFOUND
+@@ -455,15 +463,15 @@ RPMDB_INIT
+ echo Checking package before importing key:
+ runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+ echo Importing key:
+-runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $?
+runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $?
+ echo Checking for key:
+ runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1
+ echo Checking package after importing key:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ echo Checking package after importing key, no digest:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ echo Checking package after importing key, no signature:
+-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $?
+runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $?
+ ],
+ [0],
+ [[Checking package before importing key:
+@@ -483,6 +491,8 @@ Checking for key:
+ Version     : eb04e625
+ Checking package after importing key:
+ /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+  Key 1F71177215217EE0 is invalid: key is revoked
+     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
+     Header DSA signature: NOTFOUND
+     Header SHA256 digest: OK
+@@ -494,6 +504,8 @@ Checking package after importing key:
+ 1
+ Checking package after importing key, no digest:
+ /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
+error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice <alice@example.org>):
+  Key 1F71177215217EE0 is invalid: key is revoked
+     Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED
+     Header DSA signature: NOTFOUND
+     RSA signature: NOTFOUND
+@@ -740,7 +752,7 @@ AT_CLEANUP
 # Test pre-built corrupted package verification (corrupted signature)
 AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
 AT_KEYWORDS([rpmkeys digest signature])
@ -231,7 +325,7 @@ index 5b1c6c4a6..e5482735a 100644
 RPMDB_INIT
 
 pkg="hello-2.0-1.x86_64-signed.rpm"
-@@ -553,14 +553,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
+@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg}
 ],
 [1],
 [/tmp/hello-2.0-1.x86_64-signed.rpm:
@ -263,5 +357,5 @@ index 5b1c6c4a6..e5482735a 100644
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
 -- 
-2.40.0
+2.40.1

--- a/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch
+++ b/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch
@ -0,0 +1,139 @@
+From 9a9514e665c30554a4d72c7c79475af315b83dc3 Mon Sep 17 00:00:00 2001
+Message-Id: <9a9514e665c30554a4d72c7c79475af315b83dc3.1683531413.git.pmatilai@redhat.com>
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 8 May 2023 09:26:46 +0300
+Subject: [PATCH] Forward-port obsoleted crypto needed by current libdnf
+
+Provide the minimum required bits to allow the old PackageKit-inherited
+signature in libdnf to work until the switch to dnf5 happens, allegedly
+during this release cycle.
+---
+ include/rpm/rpmkeyring.h |  4 ++++
+ include/rpm/rpmpgp.h     | 15 ++++++++++++
+ rpmio/rpmkeyring.c       | 52 ++++++++++++++++++++++++++++++++++++++++
+ rpmio/rpmpgp_sequoia.c   | 11 +++++++++
+ 4 files changed, 82 insertions(+)
+
+diff --git a/include/rpm/rpmkeyring.h b/include/rpm/rpmkeyring.h
+index 3d8d55773..c84292ff8 100644
+--- a/include/rpm/rpmkeyring.h
+++ b/include/rpm/rpmkeyring.h
+@@ -101,6 +101,10 @@ char * rpmPubkeyBase64(rpmPubkey key);
+  */
+ pgpDigParams rpmPubkeyPgpDigParams(rpmPubkey key);
+ 
+/* Obsolete APIs required by libdnf, do not use */
+rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig);
+pgpDig rpmPubkeyDig(rpmPubkey key);
+
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h
+index 675cbad73..f83642c18 100644
+--- a/include/rpm/rpmpgp.h
+++ b/include/rpm/rpmpgp.h
+@@ -1225,6 +1225,21 @@ int pgpSignatureType(pgpDigParams sig);
+  */
+ char *pgpIdentItem(pgpDigParams digp);
+ 
+/* Obsolete APIs required by libdnf, do not use */
+typedef struct pgpDig_s * pgpDig;
+
+RPM_GNUC_DEPRECATED
+pgpDig pgpNewDig(void);
+
+RPM_GNUC_DEPRECATED
+pgpDig pgpFreeDig(pgpDig dig);
+
+RPM_GNUC_DEPRECATED
+pgpDigParams pgpDigGetParams(pgpDig dig, unsigned int pkttype);
+
+RPM_GNUC_DEPRECATED
+int pgpPrtPkts(const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing);
+
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c
+index e3eb9e6ea..464163895 100644
+--- a/rpmio/rpmkeyring.c
+++ b/rpmio/rpmkeyring.c
+@@ -289,3 +289,55 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx)
+ 
+     return rc;
+ }
+
+rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig)
+{
+    pthread_rwlock_rdlock(&keyring->lock);
+
+    rpmRC res = RPMRC_NOKEY;
+    pgpDigParams sigp = pgpDigGetParams(sig, PGPTAG_SIGNATURE);
+    rpmPubkey key = findbySig(keyring, sigp);
+
+    if (key) {
+	/*
+ 	 * Callers expect sig to have the key data parsed into pgpDig
+ 	 * on (successful) return, sigh. No need to check for return
+ 	 * here as this is validated at rpmPubkeyNew() already.
+ 	 */
+	pgpPrtPkts(key->pkt, key->pktlen, sig, _print_pkts);
+	res = RPMRC_OK;
+    }
+
+    pthread_rwlock_unlock(&keyring->lock);
+    return res;
+}
+
+pgpDig rpmPubkeyDig(rpmPubkey key)
+{
+    pgpDig dig = NULL;
+    static unsigned char zeros[] = 
+	{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+    int rc;
+    if (key == NULL)
+	return NULL;
+
+    dig = pgpNewDig();
+
+    pthread_rwlock_rdlock(&key->lock);
+    rc = pgpPrtPkts(key->pkt, key->pktlen, dig, _print_pkts);
+    pthread_rwlock_unlock(&key->lock);
+
+    if (rc == 0) {
+	pgpDigParams pubp = pgpDigGetParams(dig, PGPTAG_PUBLIC_KEY);
+	if (!pubp || !memcmp(pgpDigParamsSignID(pubp), zeros, sizeof(zeros)) ||
+            pgpDigParamsCreationTime(pubp) == 0 ||
+            pgpDigParamsUserID(pubp) == NULL) {
+	    rc = -1;
+	}
+    }
+
+    if (rc)
+	dig = pgpFreeDig(dig);
+
+    return dig;
+}
+diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c
+index d0b673953..0c1c848dc 100644
+--- a/rpmio/rpmpgp_sequoia.c
+++ b/rpmio/rpmpgp_sequoia.c
+@@ -80,3 +80,14 @@ W(int, rpmDigestUpdate, (DIGEST_CTX ctx, const void * data, size_t len),
+ W(int, rpmDigestFinal,
+   (DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii),
+   (ctx, datap, lenp, asAscii))
+
+// Minimal backport of APIs required by libdnf until dnf5 takes over
+W(int, pgpPrtPkts,
+  (const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing),
+  (pkts, pktlen, dig, printing))
+W(pgpDig, pgpNewDig, (void), ())
+W(pgpDig, pgpFreeDig, (pgpDig dig), (dig))
+W(pgpDigParams, pgpDigGetParams,
+  (pgpDig dig, unsigned int pkttype),
+  (dig, pkttype))
+
+-- 
+2.40.1
+
--- a/0001-Remove-second-share-dir-from-infodir-and-mandir.patch
+++ b/0001-Remove-second-share-dir-from-infodir-and-mandir.patch
@ -0,0 +1,31 @@
+From 33702961f45567a599bc0f0dac055604dc204fb1 Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Tue, 2 May 2023 09:03:50 +0200
+Subject: [PATCH] Remove second share/ dir from infodir and mandir
+
+cmake variables and the derived macros.
+
+CMAKE_INSTALL_INFODIR and  CMAKE_INSTALL_MANDIR already include the
+datarootdir. So just prepending the prefix is sufficient.
+---
+ CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 230d18d1f..9718505bf 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -67,8 +67,8 @@ function(makemacros)
+ 	set(libdir "\${prefix}/=LIB=")
+ 	set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}")
+ 	set(oldincludedir "${CMAKE_INSTALL_FULL_OLDINCLUDEDIR}")
+-	set(infodir "\${datarootdir}/${CMAKE_INSTALL_INFODIR}")
+-	set(mandir "\${datarootdir}/${CMAKE_INSTALL_MANDIR}")
+	set(infodir "\${prefix}/${CMAKE_INSTALL_INFODIR}")
+	set(mandir "\${prefix}/${CMAKE_INSTALL_MANDIR}")
+ 	set(RUNDIR /run)
+ 
+ 	set(acutils
+-- 
+2.40.1
+
--- a/rpm-4.18.90-disable-sysusers.patch
+++ b/rpm-4.18.90-disable-sysusers.patch
@ -0,0 +1,11 @@
+--- rpm-4.18.90/macros.in.orig	2023-04-17 14:44:14.186653076 +0200
+++ rpm-4.18.90/macros.in	2023-04-17 14:46:25.190322631 +0200
+@@ -133,7 +133,7 @@
+ %_keyringpath		%{_dbpath}/pubkeys/
+ 
+ # sysusers helper binary or script, uncomment to disable
+-%__systemd_sysusers	%{_bindir}/systemd-sysusers
+# %__systemd_sysusers	%{_bindir}/systemd-sysusers
+ 
+ #
+ #	Path to script that creates debug symbols in a /usr/lib/debug
--- a/rpm-4.18.90-weak-user-group.patch
+++ b/rpm-4.18.90-weak-user-group.patch
@ -0,0 +1,11 @@
+--- rpm-4.18.90/macros.in.orig	2023-04-17 14:48:14.802719586 +0200
+++ rpm-4.18.90/macros.in	2023-04-17 14:48:25.268852972 +0200
+@@ -236,7 +236,7 @@
+ %clamp_mtime_to_source_date_epoch 0
+ 
+ #	If enabled, dilute user() and group() requires into recommends
+-#%_use_weak_usergroup_deps 1
+%_use_weak_usergroup_deps 1
+ 
+ #	The directory where newly built binary packages will be written.
+ %_rpmdir		%{_topdir}/RPMS
--- a/rpm-4.18.x-ldflags.patch
+++ b/rpm-4.18.x-ldflags.patch
@ -1,7 +1,7 @@
 diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in
 --- rpm-4.18.1/macros.in.orig	2023-03-15 13:57:06.385361527 +0100
 +++ rpm-4.18.1/macros.in	2023-03-15 13:58:09.613971713 +0100
-@@ -727,10 +727,11 @@ package or when debugging this package.\
+@@ -750,11 +750,12 @@ package or when debugging this package.\
   RPM_SOURCE_DIR=\"%{_sourcedir}\"\
   RPM_BUILD_DIR=\"%{_builddir}\"\
   RPM_OPT_FLAGS=\"%{optflags}\"\
@ -9,8 +9,9 @@ diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in
   RPM_ARCH=\"%{_arch}\"\
   RPM_OS=\"%{_os}\"\
   RPM_BUILD_NCPUS=\"%{_smp_build_ncpus}\"\
-  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS\
-+  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_LD_FLAGS\
+   RPM_SPECPARTS_DIR=\"%{specpartsdir}\"\
+-  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR\
+  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR RPM_LD_FLAGS\
   RPM_DOC_DIR=\"%{_docdir}\"\
   export RPM_DOC_DIR\
   RPM_PACKAGE_NAME=\"%{NAME}\"\
--- a/rpm-4.18.x-revert-pandoc-cond.patch
+++ b/rpm-4.18.x-revert-pandoc-cond.patch
@ -1,12 +0,0 @@
-diff -up rpm-4.18.1/docs/Makefile.am.orig rpm-4.18.1/docs/Makefile.am
--- rpm-4.18.1/docs/Makefile.am.orig	2023-03-15 14:48:27.955720807 +0100
-+++ rpm-4.18.1/docs/Makefile.am	2023-03-15 14:48:43.634626934 +0100
-@@ -1,8 +1,6 @@
- ## Process this file with automake to produce Makefile.in
- 
-if PANDOC
- SUBDIRS = man
-endif
- 
- EXTRA_DIST =
- 
--- a/rpm.spec
+++ b/rpm.spec
@ -30,10 +30,10 @@

 %define rpmhome /usr/lib/rpm

-%global rpmver 4.18.1
+%global rpmver 4.18.90
 #global snapver rc1
-%global baserelease 3
-%global sover 9
+%global baserelease 1
+%global sover 10

 %global srcver %{rpmver}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:rpm-%(echo %{rpmver} | cut -d'.' -f1-2).x}
@ -69,6 +69,7 @@ BuildRequires: debugedit >= 0.3
 BuildRequires: redhat-rpm-config >= 94
 BuildRequires: systemd-rpm-macros
 BuildRequires: gcc make
+BuildRequires: cmake >= 3.18
 BuildRequires: gawk
 BuildRequires: elfutils-devel >= 0.112
 BuildRequires: elfutils-libelf-devel
@ -95,6 +96,15 @@ BuildRequires: libzstd-devel
 BuildRequires: sqlite-devel
 %endif

+# Needed for re-building the documentation and man pages
+# normally those are shipped in the tarball pre-build
+# but need re-building if sources are patched
+%if 0
+BuildRequires: pandoc
+BuildRequires: doxygen
+%endif
+
+
 %if %{with sequoia}
 %global crypto sequoia
 BuildRequires: rpm-sequoia-devel >= 1.4.0
@ -132,17 +142,22 @@ rpm-4.17.x-rpm_dbpath.patch
 rpm-4.18.x-siteconfig.patch
 # In current Fedora, man-pages pkg owns all the localized man directories
 rpm-4.9.90-no-man-dirs.patch
+# Disable new user/group handling

+rpm-4.18.90-disable-sysusers.patch
+rpm-4.18.90-weak-user-group.patch
 # Patches already upstream:
+# ...
+0001-Remove-second-share-dir-from-infodir-and-mandir.patch
 0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch

 # These are not yet upstream
 rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 rpm-4.18.x-ldflags.patch
-# We either need pandoc in buildroot or this patch in order for man pages to
-# actually be installed, choose the latter
-rpm-4.18.x-revert-pandoc-cond.patch
+
+# Needed until dnf catches up
+0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch

 %description
 The RPM Package Manager (RPM) is a powerful command line driven
@ -288,12 +303,14 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
 This plugin blocks systemd from entering idle, sleep or shutdown while an rpm
 transaction is running using the systemd-inhibit mechanism.

+%if %{with libimaevm}
 %package plugin-ima
 Summary: Rpm plugin ima file signatures
 Requires: rpm-libs%{_isa} = %{version}-%{release}

 %description plugin-ima
 %{summary}.
+%endif

 %package plugin-prioreset
 Summary: Rpm plugin for resetting scriptlet priorities for SysV init
@ -351,44 +368,35 @@ change.
 %build
 %set_build_flags

-autoreconf -i -f
-
-# Hardening hack taken from macro %%configure defined in redhat-rpm-config
-for i in $(find . -name ltmain.sh) ; do
-     %{__sed} -i.backup -e 's~compiler_flags=$~compiler_flags="%{_hardened_ldflags}"~' $i
-done;
-
-# Using configure macro has some unwanted side-effects on rpm platform
-# setup, use the old-fashioned way for now only defining minimal paths.
-./configure \
-    --prefix=%{_usr} \
-    --sysconfdir=%{_sysconfdir} \
-    --localstatedir=%{_var} \
-    --sharedstatedir=%{_var}/lib \
-    --libdir=%{_libdir} \
-    --build=%{_target_platform} \
-    --host=%{_target_platform} \
-    --with-vendor=redhat \
-    %{!?with_plugins: --disable-plugins} \
-    --with-lua \
-    --with-selinux \
-    --with-cap \
-    --with-acl \
-    --with-fapolicyd \
-    %{?with_ndb: --enable-ndb} \
-    %{?with_libimaevm: --with-imaevm} \
-    %{?with_fsverity: --with-fsverity} \
-    %{?with_zstd: --enable-zstd} \
-    %{?with_sqlite: --enable-sqlite} \
-    %{?with_bdb_ro: --enable-bdb-ro} \
-    --enable-python \
-    --with-crypto=%{crypto}
+mkdir _build
+cd _build
+cmake \
+      -DCMAKE_INSTALL_PREFIX=%{_usr} \
+      %{?with_bdb_ro:-DENABLE_BDB_RO=ON} \
+      %{!?with_ndb:-DENABLE_NDB=OFF} \
+      %{!?with_sqlite:-DENABLE_SQLITE=OFF} \
+      %{!?with_plugins:-DENABLE_PLUGINS=OFF} \
+      %{?with_fsverity:-DWITH_FSVERITY=ON} \
+      %{?with_libimaevm:-DWITH_IMAEVM=ON} \
+      %{!?with_libarchive:-DWITH_ARCHIVE=OFF} \
+      %{!?with_check:-DENABLE_TESTSUITE=OFF} \
+      %{!?with_sequoia:-DWITH_INTERNAL_OPENPGP=ON} \
+      %{!?with_sequoia:-DWITH_OPENSSL=ON } \
+      -DRPM_VENDOR=redhat \
+  ..

 %make_build

 %install
+cd _build
 %make_install

+# temporarily remove useser handling fileattr
+# as it is currently in systemd-rpm-macros
+rm $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/sysusers.attr
+
+cd ..
+
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
 install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}
 install -m 644 %{SOURCE20} $RPM_BUILD_ROOT/%{_unitdir}
@ -406,10 +414,12 @@ install -m 644 scripts/rpm.log ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/rpm
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm
 mkdir -p $RPM_BUILD_ROOT%{rpmhome}/macros.d
 mkdir -p $RPM_BUILD_ROOT/usr/lib/sysimage/rpm
+cd _build

 # init an empty database for %ghost'ing for all supported backends
 for be in %{?with_ndb:ndb} %{?with_sqlite:sqlite}; do
-    ./rpmdb --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb
+    mkdir ${be}
+    ./rpmdb --rcfile rpmrc --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb
    cp -va ${be}/. $RPM_BUILD_ROOT/usr/lib/sysimage/rpm/
 done

@ -427,6 +437,7 @@ rm -rf $RPM_BUILD_ROOT/var/tmp

 %if %{with check}
 %check
+cd _build
 make check TESTSUITEFLAGS=-j%{_smp_build_ncpus} || (cat tests/rpmtests.log; exit 1)
 # rpm >= 4.16.0 testsuite leaves a read-only tree behind, clean it up
 make clean
@ -457,9 +468,13 @@ if [ ! -d /var/lib/rpm ] && [ -d /usr/lib/sysimage/rpm ] && [ ! -f /usr/lib/sysi
    touch /usr/lib/sysimage/rpm/.rpmdbdirsymlink_created
 fi

-%files -f rpm.lang
+%files -f _build/rpm.lang
 %license COPYING
 %doc CREDITS docs/manual/[a-z]*
+%doc %{_defaultdocdir}/rpm/CONTRIBUTING.md
+%doc %{_defaultdocdir}/rpm/COPYING
+%doc %{_defaultdocdir}/rpm/INSTALL
+%doc %{_defaultdocdir}/rpm/README

 %{_unitdir}/rpmdb-rebuild.service
 %{_unitdir}/rpmdb-migrate.service
@ -477,6 +492,7 @@ fi
 %{_bindir}/rpmkeys
 %{_bindir}/rpmquery
 %{_bindir}/rpmverify
+%{_bindir}/rpmsort

 %{_mandir}/man8/rpm.8*
 %{_mandir}/man8/rpmdb.8*
@ -484,16 +500,9 @@ fi
 %{_mandir}/man8/rpm2archive.8*
 %{_mandir}/man8/rpm2cpio.8*
 %{_mandir}/man8/rpm-misc.8*
+%{_mandir}/man8/rpmsort.8*
 %{_mandir}/man8/rpm-plugins.8*

-# XXX this places translated manuals to wrong package wrt eg rpmbuild
-%lang(fr) %{_mandir}/fr/man[18]/*.[18]*
-%lang(ko) %{_mandir}/ko/man[18]/*.[18]*
-%lang(ja) %{_mandir}/ja/man[18]/*.[18]*
-%lang(pl) %{_mandir}/pl/man[18]/*.[18]*
-%lang(ru) %{_mandir}/ru/man[18]/*.[18]*
-%lang(sk) %{_mandir}/sk/man[18]/*.[18]*
-
 %attr(0755, root, root) %dir %{rpmhome}
 %{rpmhome}/macros
 %{rpmhome}/macros.d
@ -532,9 +541,11 @@ fi
 %{_libdir}/rpm-plugins/systemd_inhibit.so
 %{_mandir}/man8/rpm-plugin-systemd-inhibit.8*

+%if %{with libimaevm}
 %files plugin-ima
 %{_libdir}/rpm-plugins/ima.so
 %{_mandir}/man8/rpm-plugin-ima.8*
+%endif

 %files plugin-fsverity
 %{_libdir}/rpm-plugins/fsverity.so
@ -586,7 +597,6 @@ fi
 %{rpmhome}/*deps*
 %{rpmhome}/*.prov
 %{rpmhome}/*.req
-%{rpmhome}/mkinstalldirs
 %{rpmhome}/fileattrs/*
 %{rpmhome}/find-debuginfo.sh
 %{rpmhome}/rpmuncompress
@ -615,9 +625,12 @@ fi

 %files apidocs
 %license COPYING
-%doc docs/librpm/html/*
+%doc %{_defaultdocdir}/rpm/API/

 %changelog
+* Thu May 04 2023 Florian Festi <ffesti@redhat.com> - 4.18.90-1
+- Update to 4.19 alpha
+
 * Tue Apr 25 2023 Miro Hrončok <mhroncok@redhat.com> - 4.18.1-3
 - Explicitly require rpm-sequoia >= 1.4.0 on runtime to avoid
  rpm: symbol lookup error: /lib64/librpmio.so.9: undefined symbol: _pgpVerifySignature2
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (rpm-4.18.1.tar.bz2) = 0ede2138b9b4c3b50d7e914cf82655507fcc207ba67804c749ea17560002976cb26b95801e9138a51589b60459494a991213a1131dbef5af2eca9b5050a4f29c
+SHA512 (rpm-4.18.90.tar.bz2) = 2d1a499fe053c5f3497b0ae4c133ef3b05b4b87e12ee5d349ad8c34dbfaebc20c1b3e6727143c152040ed1e132047bcf95afcbbe4a8cb2c4f91900b536d7821c