diff options
author | Panu Matilainen <pmatilai@redhat.com> | 2022-11-24 10:51:04 +0200 |
---|---|---|
committer | Michal Domonkos <mdomonko@redhat.com> | 2023-03-13 15:32:25 +0100 |
commit | 35d14c0e250a84536b14233fd37cc573ca46670f (patch) | |
tree | 832e74dca146b458b02f806dd3540ca6fcf944cf | |
parent | 8454e982e1f754ff3d6ceaee375e70bddead40ac (diff) | |
download | rpm-35d14c0e250a84536b14233fd37cc573ca46670f.tar.gz |
Add some basic tests for OpenPGP v3 signatures
Wider exposure of the Sequoia backend taught us that OpenPGP v3 signatures
are surprisingly common still in the rpm-ecosystem, and in fact more
common than v4 signatures. It's a bit surprising, considering that gnupg
has defaulted to creating v4 signatures since 1.4.8 from late 2007 gnupg2
refuses to create them at all.
For future reference, the sample package here was signed with
rpmsign --addsign --rpmv3 \
--digest-algo=sha256 \
--key-id=rsa@rpm.org \
--define "__gpg /usr/bin/gpg1" \
--define "_gpg_sign_cmd_extra_args --force-v3-sigs" \
/tmp/hello-2.0-1.x86_64.rpm
The two defines are the key to creating OpenPGP v3 signatures in 2022,
the. Note that the --rpmv3 switch has absolutely nothing to do with
OpenPGP v3 signatures, it's there to force *rpm* v3 signatures on the
package similar to the other signed sample package.
Fixes: #2276
(backported from commit 9daaf3d2ffa1a8b625e9a2657eac9b7ab3da3d8f)
-rw-r--r-- | tests/Makefile.am | 1 | ||||
-rw-r--r-- | tests/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm | bin | 0 -> 9315 bytes | |||
-rw-r--r-- | tests/rpmsigdig.at | 69 |
3 files changed, 68 insertions, 2 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 2914bbe44..0d550ee92 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -112,6 +112,7 @@ EXTRA_DIST += data/RPMS/hello-1.0-1.ppc64.rpm EXTRA_DIST += data/RPMS/hello-2.0-1.i686.rpm EXTRA_DIST += data/RPMS/hello-2.0-1.x86_64.rpm EXTRA_DIST += data/RPMS/hello-2.0-1.x86_64-signed.rpm +EXTRA_DIST += data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm EXTRA_DIST += data/RPMS/hlinktest-1.0-1.noarch.rpm EXTRA_DIST += data/RPMS/imatest-1.0-1.fc34.noarch.rpm EXTRA_DIST += data/RPMS/hello-2.0-1.x86_64-corrupted.rpm diff --git a/tests/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm b/tests/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm Binary files differnew file mode 100644 index 000000000..1b1024477 --- /dev/null +++ b/tests/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index a9238d9b7..da8321091 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at @@ -467,14 +467,26 @@ AT_KEYWORDS([rpmkeys digest signature]) AT_CHECK([ RPMDB_INIT +runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm; echo $? runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo $? runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub; echo $? +runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm; echo $? runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo $? +runroot rpmkeys -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm; echo $? runroot rpmkeys -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo $? +runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm; echo $? runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo $? ], [0], -[/data/RPMS/hello-2.0-1.x86_64-signed.rpm: +[/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm: + Header V3 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY + Header SHA256 digest: OK + Header SHA1 digest: OK + Payload SHA256 digest: OK + V3 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY + MD5 digest: OK +1 +/data/RPMS/hello-2.0-1.x86_64-signed.rpm: Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK @@ -483,6 +495,14 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo MD5 digest: OK 1 0 +/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm: + Header V3 RSA/SHA256 Signature, key ID 1964c5fc: OK + Header SHA256 digest: OK + Header SHA1 digest: OK + Payload SHA256 digest: OK + V3 RSA/SHA256 Signature, key ID 1964c5fc: OK + MD5 digest: OK +0 /data/RPMS/hello-2.0-1.x86_64-signed.rpm: Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK Header SHA256 digest: OK @@ -491,10 +511,20 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo V4 RSA/SHA256 Signature, key ID 1964c5fc: OK MD5 digest: OK 0 +/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm: + Header V3 RSA/SHA256 Signature, key ID 1964c5fc: OK + V3 RSA/SHA256 Signature, key ID 1964c5fc: OK +0 /data/RPMS/hello-2.0-1.x86_64-signed.rpm: Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK V4 RSA/SHA256 Signature, key ID 1964c5fc: OK 0 +/data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm: + Header SHA256 digest: OK + Header SHA1 digest: OK + Payload SHA256 digest: OK + MD5 digest: OK +0 /data/RPMS/hello-2.0-1.x86_64-signed.rpm: Header SHA256 digest: OK Header SHA1 digest: OK @@ -539,9 +569,44 @@ runroot rpmkeys -Kv /tmp/${pkg} ], []) AT_CLEANUP + +# ------------------------------ +# Test pre-built corrupted package verification (corrupted header) +AT_SETUP([rpmkeys -Kv <corrupted signed> 2.1]) +AT_KEYWORDS([rpmkeys digest signature]) +AT_CHECK([ +RPMDB_INIT + +pkg="hello-2.0-1.x86_64-v3-signed.rpm" +cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg} +dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \ + conv=notrunc bs=1 seek=5555 count=6 2> /dev/null + +runroot rpmkeys -Kv /tmp/${pkg} +runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub +runroot rpmkeys -Kv /tmp/${pkg} +], +[1], +[/tmp/hello-2.0-1.x86_64-v3-signed.rpm: + Header V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD + Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 63a0502eb7f5eaa07d43fe8fa805665b86e58d53db38ccf625bbbf01e3cd67ab) + Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != fe227d93273221c252c6bb45e67a8489fcb48f88) + Payload SHA256 digest: OK + V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD + MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != b2981e215576c2142676d9b1e0902075) +/tmp/hello-2.0-1.x86_64-v3-signed.rpm: + Header V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD + Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 63a0502eb7f5eaa07d43fe8fa805665b86e58d53db38ccf625bbbf01e3cd67ab) + Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != fe227d93273221c252c6bb45e67a8489fcb48f88) + Payload SHA256 digest: OK + V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD + MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != b2981e215576c2142676d9b1e0902075) +], +[]) +AT_CLEANUP # ------------------------------ # Test pre-built corrupted package verification (corrupted header) -AT_SETUP([rpmkeys -Kv <corrupted signed> 2]) +AT_SETUP([rpmkeys -Kv <corrupted signed> 2.2]) AT_KEYWORDS([rpmkeys digest signature]) AT_CHECK([ RPMDB_INIT |