rpms / dnf

Clone
Source Code
GIT

Files

  1.   5b858133f2039fba92a38ad28b311c825eb63567
  2.   0002-DNS-key-verification-Fix-parsing-an-armored-PGP-key.patch
Blob Blame History Raw 
From 49feb2253d2376d154a5ff5bfb58ec65c2072b63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 14 Nov 2023 12:30:06 +0100
Subject: [PATCH 1/3] DNS key verification: Fix parsing an armored PGP key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A PGP armor message can contain any amount of headers. Up to Fedora 38
there was one:

  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: rpm-4.18.0-beta1

  mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
  [...]
  =CHKS
  -----END PGP PUBLIC KEY BLOCK-----

Since Fedora 39 there is none:

  -----BEGIN PGP PUBLIC KEY BLOCK-----

  mQINBGLykg8BEADURjKtgQpQNoluifXia+U3FuqGCTQ1w7iTqx1UvNhLX6tb9Qjy
  l/vjl1iXxucrd2JBnrT/21BdtaABhu2hPy7bpcGEkG8MDinAMZBzcyzHcS/JiGHZ
  [...]
  =CHKS
  -----END PGP PUBLIC KEY BLOCK-----

RpmImportedKeys._query_db_for_gpg_keys() assumed exactly one header.
As a result if gpgkey_dns_verification configuration option was true,
DNF reported that Fedora 39 keys was revoked because the key
misextratracted from RPM database did not match a key in DNS:

    # dnf-3 upgrade
    DNSSEC extension: Testing already imported keys for their validity.
    DNSSEC extension: GPG Key fedora-39-primary@fedoraproject.org has been revoked and should be removed immediately

This patch implements skipping all armor headers.

https://bugzilla.redhat.com/show_bug.cgi?id=2249380
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 dnf/dnssec.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/dnf/dnssec.py b/dnf/dnssec.py
index a559853d..ba5b80c7 100644
--- a/dnf/dnssec.py
+++ b/dnf/dnssec.py
@@ -275,7 +275,16 @@ class RpmImportedKeys:
             packager = dnf.rpm.getheader(pkg, 'packager')
             email = re.search('<(.*@.*)>', packager).group(1)
             description = dnf.rpm.getheader(pkg, 'description')
-            key_lines = description.split('\n')[3:-3]
+            # Extract Radix-64-encoded PGP key. Without armor headers and
+            # a checksum.
+            key_lines = []
+            in_headers = True
+            for line in description.split('\n')[0:-3]:
+                if in_headers:
+                    if re.match(r'\A\s*\Z', line, re.NOFLAG):
+                        in_headers = False
+                else:
+                    key_lines.append(line)
             key_str = ''.join(key_lines)
             return_list += [KeyInfo(email, key_str.encode('ascii'))]
 
-- 
2.42.0
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.