Add tests for IMA signature deletion too
Normally IMA signatures should only be deleted with an explicit
rpmsign --delfilesign, but in case they are misplaced outside the
immutable region they get thrown out by rpmsign. This is expected
and desired behavior: it's simply the wrong place to put
them and not something we want to encourage in any way.
pmatilai authored and ffesti committed Dec 3, 2024
1 parent 1847fd6 commit 6232bd3
Showing 1 changed file with 36 additions and 0 deletions.
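--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -1842,6 +1842,28 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" /data/RPMS/imatest-1.0-1.fc34.
 /usr/share/example2:030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
 ],
 [ignore])
+
+RPMTEST_CHECK([[
+cp /data/RPMS/imatest-1.0-1.fc34.noarch.rpm .
+rpmsign --delsign imatest-1.0-1.fc34.noarch.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" imatest-1.0-1.fc34.noarch.rpm
+]],
+[0],
+[/usr/share/example1:030204a598255400483046022100e5117bdafa73baaeb1f1dc46ecaa46981a62d417745a33532572b63dc6d95d16022100c789107ac5b91e2d915e1df3c7b78414f6b3f50899d44c1de381d0e938dfc82b
+/usr/share/example2:030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
+],
+[])
+
+RPMTEST_CHECK([[
+cp /data/RPMS/imatest-1.0-1.fc34.noarch.rpm .
+rpmsign --delfilesign imatest-1.0-1.fc34.noarch.rpm
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" imatest-1.0-1.fc34.noarch.rpm
+]],
+[0],
+[/usr/share/example1:(none)
+/usr/share/example2:(none)
+],
+[])
 RPMTEST_CLEANUP
 
 
@@ -1862,4 +1884,18 @@ rpm -qp hello-2.0-1.x86_64-badima.rpm
 [hello-2.0-1.x86_64
 ],
 [])
+
+# NORMALLY --delsign shouldn't delete file signatures, but when they are
+# misplaced outside the immutable region, this is EXPECTED behavior.
+RPMTEST_CHECK([[
+rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm
+]],
+[0],
+[/usr/bin/hello:(none)
+/usr/share/doc/hello-2.0:(none)
+/usr/share/doc/hello-2.0/COPYING:(none)
+/usr/share/doc/hello-2.0/FAQ:(none)
+/usr/share/doc/hello-2.0/README:(none)
+],
+[])
 RPMTEST_CLEANUP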
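Review bot: The new `--delsign` check in the first hunk would still pass if `rpmsign --delsign` were a no-op, because it only asserts that the `%{filesignatures}` values are unchanged; a verification step such as `rpmkeys -Kv imatest-1.0-1.fc34.noarch.rpm` with the expected output after the call would show that the package signature was removed while the IMA signatures survived (assuming the fixture carries a package signature, which is not visible here). The last check has the mirror gap: it asserts `(none)` for every file of `hello-2.0-1.x86_64-badima.rpm`, but nothing in the hunk shows that the misplaced file signatures were present before `--delsign` ran, so a fixture without them would satisfy it; the setup for that test lies above the hunk and may already cover this. The first two checks would also benefit from a comment like the one in the second hunk, e.g. `# --delsign must keep IMA file signatures stored in the immutable region; only --delfilesign removes them.`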
