These are not deprecated at all no matter what the header has been
saying for the past 15+ years, they're used by rpm itself all over
the place as rpmDefineMacro() serves a slightly different purpose
and there's no rpmUndefineMacro() anyway.
Let's make 'em into proper citizens and move them into rpm namespace,
and while at it, call the operations push and pop since that's much
closer to what actually happens.
Finally, add simple wrapper macros to keep external code compilable
while getting the non-namespaced stuff out of ABI.
Header signatures were the new hot almost exactly twenty years ago, we
haven't supported anything else in a very, very, very, very, very long time.
Drop the useless argument to rpmReadSignature() and bury the last remaining
related constant into rpmlead.c which is the only place that "needs" it.
No functional changes.
The doc explicitly describes "args" as "signing parameters (or NULL for
defaults)".
This is no longer true since commit 6e9eab345a.
As such, with rpm-4.13, some callers will segfault (e.g. perl-RPM4's
testsuite).
Removed setting LC_ALL to "C" because since commit [1] the gpg program
gets the password by itself from the terminal, so there is no sense in
setting LC_ALL to "C" if the terminal setting is e.g. UTF-8. That was
only confusing the gpg program and it was not able to properly get and
display non-ASCII characters.
[1] 0bce5fcf27
When file signatures are added to a package the signature digests are
replaced. Sometimes the resulting signature header has a different size.
To solve this, gpg reserved space is omitted. This forces the rpm to be
rewritten when file signatures are added.
Changelog:
- no longer affects delsign
The option to provide a password for signing an RPM package was
recently removed in favor of using the underlying mechanisms.
Requiring a user to enter a password for each file being signed,
however, is tedious. This patch adds support for prompting the
user for the password.
Dependency on ima-evm-utils version > "0.9"
Changelog:
- update get_fskpass() based on Dmitry's comments
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This patch modifies rpmSign to include file signatures in the header.
Since the header is altered, the package digest and package+archive
digest need to be recalculated and updated in the signature header.
Defer resigning the header digests to replaceSignature().
Changelog:
- removed extraneous semicolon - Mimi
- Update signature header digests only if necessary - Mimi
- deallocate sigp before it's overridden - Fin
- fix dependency on ima - Fin
- replace utd parameter with a local variable - Mimi
- fix sigsize - Fin
- calculate MD5 digest with SHA1 - Fin
- removed unused buffer - Fin
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This patch extends the rpmsign tool to sign package files. It defines a new
rpmsign option called "signfiles".
rpm --addsign [--signfiles] PACKAGE
Signfiles signs all the file digests included in the package and stores
the signatures in the package header. The file signing key, used to sign
the file digests, can be provided on the command line with --fskpath or
in a macro file with %_file_signing_key. After including file signatures,
the package is signed normally.
The package needs to be built with SHA-1 or SHA-2 digests before package
files are signed; this prerequisite is noted in the rpmsign man page.
Changelog:
- throw argerror when --fskpath is used without --signfiles
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This patch creates a subroutine for dumping the immutable region of
a header. It copies the header sections into a new header that can
be altered.
Changelog:
- deallocate old hdrp
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
This patch refactors copyFile so that it doesn't close sfdp and tfdp,
since copyFile didn't open those files. Also, the caller to copyFile
closes these files. This patch also adds descriptions of copyFile
parameters.
Changelog:
- removed call to manageFile() since copyFile() arguments are open files
Signed-off-by: Lubos Kardos <lkardos@redhat.com>
Remove rpm asking for passphrase and then passing this passphrase
to gpg via file descriptor (--passphrase-fd) but provide gpg with
access to unredirected stdin to get passphrase directly from user.
Also remove the macro %__gpg_check_password_cmd because it makes no sense
in this new signing scheme. rpm doesn't handle the passphrase in any way;
everything is done in gpg, including checking of the passphrase.
We did this modification because of changes in gpg behavior. Since
gpg-2.1, the option "--passphrase-fd" doesn't work by default, only when
it is explicitly allowed in gpg.conf. (rhbz:#1228234)
- The way manageFile() is called, fmode can never be uninitialized
but let's make gcc happy by adding a default case to the switch...
- Additionally make fmode const because it is
- Our libraries are in reality so interdependent that it's not even
possible to use them independently of others, so having them
all follow sort of independent versioning information just doesn't
make any sense and is a PITA every time I need to touch the data.
- This causes a librpmsign soname bump with no good reason so it's
probably "evil" and all ... so sue me, it's not as if anybody
is actually using this library outside rpm itself.
- This was caused by commit 90833a57c5 but
because of another problem fixed in previous commit it didn't exhibit.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- Fixes regression from commit c0aad81e9b.
- That commit added line "res = replaceSignature(...)" that sets variable
"res" to value 0. But error handling code following this line expects
this variable set to -1. So in case of error value 0 (success) was
returned but value -1 (failure) should have been returned.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- During building of a package a dummy tag is added to the signature
header. This tag reserves some space for gpg signatures. So during
signing of the package the gpg signatures can be put in this reserved
space and it is not necessary to rewrite the whole package to make some
space for gpg signatures.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- This change shortens signing time because it is not necessary to
write the data that should be signed into a temporary file and then pass
this file to the gpg program.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
Digests are not signatures even if they reside in "signature" header,
and signing a package must not affect the digests. So recalculating
digests on signing is not just wasteful, but also conceptually plain
wrong.
Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
- We haven't removed or changed any interfaces in a way that would
require full soname bump, only a handful of new interfaces have
been added.
- There aren't actually any new interfaces in librpmbuild or librpmsign
but for sanity and consistency's sake they're all updated...
- This is stupid... only librpm and librpmio actually need the bump due
to ABI breakage, librpmbuild and librpmsign are unchanged and could
use just a revision bump. But just incrementing the revision (or age)
would set us on collision course with maintenance updates to 4.9.x.
Then again it's not like you can actually use librpmbuild or librpmsign
without also linking to librpm(io) so everything needs rebuilding
anyway. This all also pretty much makes the whole libtool library
versioning a bit moot. Bah.
- The error message is not very helpful but if pgpPrtPkts() fails
we don't have a whole lot of clue in the caller why it failed, spitting
out at least *some* error is better than silently failing
(RhBug:748116, RhBug:719154)
- Never log anything from rpmLeadRead(), instead return an error message
the callers can log if they see fit
- Add a return value for the lead type (which is the only bit of
info from the lead we sometimes resort to using)
- Permit NULL pointers on all return values
- Eliminate rpmLeadCheck() and rpmLeadType() from the internal API,
these are now combined into rpmLeadRead().
- Fix up the callers: only (re)signing needs the actual lead,
signature verification only cares if it's valid or not and
package reading only wants the type from the lead (annoying but...)
- Requiring callers to allocate a lead "buffer" for reading into
is just DUMB (greetings to self back in 2008, sigh). This avoids
having to deal with freeing the lead in case the read failed, and
allows getting rid of rpmLeadNew() completely.
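The lead-reading behaviour described in this commit (validate the 96-byte lead, return an error message for the caller to log rather than logging from the reader, hand back only the lead type, and never require the caller to allocate a lead buffer) can be illustrated with a small parser. The following is an added example written for this page, not rpm's own code: the struct layout and magic bytes are the well-known on-disk rpmlead format, but the function names (read_lead, lead_name, make_lead), the error message texts and the sample lead bytes are this example's own constructions.

```python
"""Parse and validate the RPM lead (added example, not rpm project code)."""
import struct

# On-disk layout of struct rpmlead, all multi-byte integers big-endian:
#   magic[4], major, minor, type, archnum, name[66], osnum,
#   signature_type, reserved[16]  -> 96 bytes in total
LEAD_FORMAT = ">4sBBhh66shh16s"
LEAD_SIZE = struct.calcsize(LEAD_FORMAT)  # 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"

RPMLEAD_BINARY = 0
RPMLEAD_SOURCE = 1
RPMSIGTYPE_HEADERSIG = 5  # header-style signatures, the only type rpm supports


def read_lead(data):
    """Validate a lead and return (error_message, lead_type).

    Nothing is logged here: on failure the caller receives a message it
    may log if it sees fit, on success it receives the lead type.  The
    message wording is this example's own, not rpm's.
    """
    if len(data) < LEAD_SIZE:
        return "not an rpm package (short read)", None
    (magic, major, _minor, ltype, _archnum, _name,
     _osnum, sigtype, _reserved) = struct.unpack(LEAD_FORMAT, data[:LEAD_SIZE])
    if magic != LEAD_MAGIC:
        return "not an rpm package", None
    if major < 3 or major > 4:
        return "unsupported RPM package version %d" % major, None
    if sigtype != RPMSIGTYPE_HEADERSIG:
        return "unsupported signature type %d" % sigtype, None
    if ltype not in (RPMLEAD_BINARY, RPMLEAD_SOURCE):
        return "unknown lead type %d" % ltype, None
    return None, ltype


def lead_name(data):
    """Return the NUL-terminated name field of a valid lead as text.

    The lead is neither signed nor covered by any digest, so this is
    informational only; the authoritative package name is in the header.
    """
    name = struct.unpack(LEAD_FORMAT, data[:LEAD_SIZE])[5]
    return name.split(b"\0", 1)[0].decode("ascii", "replace")


def make_lead(ltype, name=b"hello-2.0-1", major=3, sigtype=RPMSIGTYPE_HEADERSIG):
    """Construct a sample lead for demonstration (constructed test data)."""
    return struct.pack(LEAD_FORMAT, LEAD_MAGIC, major, 0, ltype, 1,
                       name, 1, sigtype, b"\0" * 16)


if __name__ == "__main__":
    samples = [
        ("binary lead", make_lead(RPMLEAD_BINARY)),
        ("source lead", make_lead(RPMLEAD_SOURCE)),
        ("old major version", make_lead(RPMLEAD_BINARY, major=2)),
        ("all zeroes", b"\0" * LEAD_SIZE),
        ("truncated file", b"short"),
    ]
    for label, sample in samples:
        err, ltype = read_lead(sample)
        if err:
            print("%-18s error: %s" % (label, err))
        else:
            print("%-18s ok, type %d, name %s" % (label, ltype, lead_name(sample)))
```

Returning the message instead of logging keeps the policy decision with the caller, which matches the split described above: signing needs the whole lead, verification only needs to know it is valid, and package reading only needs the type.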
- Previously any failure on replacing the original package with the
newly signed one would silently fail, causing rather confusing
behavior when e.g. attempting to (re)sign readable but not writable
packages.
- Re-adding the files that should've gotten moved (not removed) in
commit 9f2c1bd909
- Mild wtf ... probably user (not git) error though. Too bad the
broken state got pushed already :-/