From 14aac7d27ea79feeae37106d2d3a570adecc50e9 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Thu, 27 Apr 2023 15:21:55 +0300
Subject: Fix file signatures getting loaded when not asked for
Our compound masks for disabling file info bits per operation never got updated to include the two separate file signature types. This was discovered by rpm-ostree on older rpm version crashing on an IMA signature despite passing in RPMFI_FLAGS_ONLY_FILENAMES. Add the file signatures to the most obvious masks, and add a simple test as well.
Fixes: #2425
---
 include/rpm/rpmfiles.h | 2 ++
 tests/rpmpython.at | 11 +++++++++++
 2 files changed, 13 insertions(+)
diff --git a/include/rpm/rpmfiles.h b/include/rpm/rpmfiles.h
index 29bca259e..ad9e269cc 100644
--- a/include/rpm/rpmfiles.h
+++ b/include/rpm/rpmfiles.h
@@ -160,6 +160,7 @@ typedef rpmFlags rpmfiFlags;
 #define RPMFI_FLAGS_ERASE \
 (RPMFI_NOFILECLASS | RPMFI_NOFILELANGS | \
 RPMFI_NOFILEMTIMES | RPMFI_NOFILERDEVS | \
+ RPMFI_NOFILESIGNATURES | RPMFI_NOVERITYSIGNATURES | \
 RPMFI_NOFILEVERIFYFLAGS)

 #define RPMFI_FLAGS_INSTALL \
@@ -179,6 +180,7 @@ typedef rpmFlags rpmfiFlags;
 RPMFI_NOFILESIZES | RPMFI_NOFILECAPS | RPMFI_NOFILELINKTOS | \
 RPMFI_NOFILEDIGESTS | RPMFI_NOFILEMTIMES | RPMFI_NOFILERDEVS | \
 RPMFI_NOFILEINODES | RPMFI_NOFILECOLORS | \
+ RPMFI_NOFILESIGNATURES | RPMFI_NOVERITYSIGNATURES | \
 RPMFI_NOFILEVERIFYFLAGS | RPMFI_NOFILEFLAGS)

 #define RPMFI_FLAGS_ONLY_FILENAMES \
diff --git a/tests/rpmpython.at b/tests/rpmpython.at
index 107d993d4..dea79724e 100644
--- a/tests/rpmpython.at
+++ b/tests/rpmpython.at
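Review bot: Both masks extended in rpmfiles.h are hand-maintained lists of `RPMFI_NO*` bits, so any file-info type added later will again be loaded by default under `RPMFI_FLAGS_ERASE` and under the second mask (its `#define` line sits above the hunk at line 180) until someone remembers to list it. Nothing near the macros records that rule. A comment above the compound masks would do it, for example `/* Every new RPMFI_NO* bit must be considered for each compound mask below; anything left unmasked is loaded even when the caller did not ask for it. */`. The commit message reports a crash on signature data the caller had tried to exclude, so it is also worth confirming that the masks left untouched here are meant to keep loading signatures. The body of `RPMFI_FLAGS_INSTALL` and the definition of `RPMFI_FLAGS_ONLY_FILENAMES` lie outside the hunks, so that cannot be checked from this page.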
@@ -634,9 +634,20 @@ for p in ['imatest-1.0-1.fc34.noarch.rpm', 'capstest-1.0-1.noarch.rpm']:
 if sig:
 sig = sig.hex()
 myprint('%s: %s' % (f.name, sig))
+ files = rpm.files(h, flags = rpm.RPMFI_FLAGS_ONLY_FILENAMES)
+ for f in files:
+ sig = f.imasig
+ if sig:
+ sig = sig.hex()
+ myprint('%s: %s' % (f.name, sig))
 ],
 [/usr/share/example1: 030204a598255400483046022100e5117bdafa73baaeb1f1dc46ecaa46981a62d417745a33532572b63dc6d95d16022100c789107ac5b91e2d915e1df3c7b78414f6b3f50899d44c1de381d0e938dfc82b
 /usr/share/example2: 030204a598255400473045022100c10943795bff5d9c0db53dd4f8e4b845615fd08a2be295c30a80f5bdb4e6a41302203038840cc6abaab92acb56cb3e3ce520b17f22ff7444a8d5d0f703a44d5307a3
+/usr/share/example1: None
+/usr/share/example2: None
+/a/emptyCaps1: None
+/a/emptyCaps2: None
+/a/noCaps: None
 /a/emptyCaps1: None
 /a/emptyCaps2: None
 /a/noCaps: None
--
cgit v1.2.1
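Review bot: The added loop reads only `f.imasig` under `RPMFI_FLAGS_ONLY_FILENAMES`, so of the two bits the header change introduces, `RPMFI_NOVERITYSIGNATURES` is never exercised, and neither is the `RPMFI_FLAGS_ERASE` mask. If the Python bindings expose the verity signature on file objects, printing it in the same loop would cover the second bit. That likely needs a test package that carries a verity signature, which neither package named in the hunk header appears to be. The new lines also carry no explanation of why `None` is expected for the imatest files; a comment above `files = rpm.files(...)` such as `# signatures must not be loaded when only filenames are requested` would tie the expectation to the regression. The enclosing test block starts and ends outside the hunk.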