Fix possible package corruption on --delsign/resign/addsign #3479
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RH signing server apparently does IMA signing after the normal signing has already been done, and in doing so places the IMA signatures outside the immutable region. This causes us to do all manner of wrong things, corrupting the package on --delsign and whatnot. rpmsign of course wont create such a signature by itself, so we need a pre-built "crafted" package for the purpose with a specially built rpmsign library: move the includeFileSignatures() call in rpmSign() in sign/rpmgensig.cc right after the headerReload() call, and filesign the vanilla tests/data/RPMS/hello-2.0-1.x86_64.rpm package with the --fskpath=/data/keys/privkey.pem like in the ima test above this.
Make sure we don't overrun the original signature header when adjusting reserved size. Fixes a brainfart introduced in commit be950ea: the count reservation size is relative to the size of the new header, obviously. Another crucial difference is that when considering whether we can transplant the new signature header in the originals place we need to consider the real on-disk signature, not the size of its immutable region. The immutable region can be much much smaller than the physical header if eg the IMA signatures are misplaced outside it, making our calculations way off. Fixes: rpm-software-management#3469
Normally IMA signatures should only be deleted with an explicit rpmsign --delfilesign, but in case the are misplaced outside the immutable region they get thrown out by rpmsign. This is expected and desired behavior, it's simply the wrong place to place to put them and not something we want to encourage in any way.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Details in commit messages, the short story is that we could corrupt packages on signing operations due to miscalculations when unexpected stuff happened. That unexpected stuff in this case was misplaced IMA signatures but it's not specific to those.
Also add explicit tests for --delsign/--delfilesign behavior wrt IMA signatures.
Fixes: #3469