[packages/libhif] - adjust not to use PGP APIs removed in rpm 4.19 (but any users should be ported to libdnf anyway);
qboosh
qboosh at pld-linux.org
Sun Mar 2 18:36:46 CET 2025
commit a3208f69081b7048fd49af6404efbddcb0453c31
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Sun Mar 2 18:14:41 2025 +0100
- adjust not to use PGP APIs removed in rpm 4.19 (but any users should be ported to libdnf anyway); release 4
libhif-rpm4.19.patch | 203 +++++++++++++++++++++++++++++++++++++++++++++++++++
libhif.spec | 9 ++-
2 files changed, 210 insertions(+), 2 deletions(-)
---
diff --git a/libhif.spec b/libhif.spec
index 4bff378..65e2537 100644
--- a/libhif.spec
+++ b/libhif.spec
@@ -6,12 +6,13 @@ Summary: Simple package library built on top of hawkey and librepo
Summary(pl.UTF-8): Prosta biblioteka obsługi pakietów oparta na bibliotekach hawkey i librepo
Name: libhif
Version: 0.2.3
-Release: 3
+Release: 4
License: LGPL v2.1+
Group: Libraries
Source0: https://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
# Source0-md5: 3d97ff8d601a5f67184d6aa11a9296d2
Patch0: %{name}-rpm5.patch
+Patch1: %{name}-rpm4.19.patch
URL: https://github.com/hughsie/libhif
BuildRequires: glib2-devel >= 1:2.36.0
BuildRequires: gobject-introspection-devel >= 0.9.8
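Review bot: The `BuildRequires: glib2-devel >= 1:2.36.0` floor left unchanged in this hunk's context looks too low once `Patch1` is applied. The added patch declares `g_autoptr(GString) rpm_error`, and `g_autoptr` is only available from GLib 2.44, so I would raise the line to `BuildRequires: glib2-devel >= 1:2.44.0`. The rpm-devel requirement is outside the hunk; because the patch calls `rpmtsSetVfyLevel` and `rpmcliVerifySignatures`, it is worth confirming that its minimum version still matches the non-rpm5 build.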
@@ -79,7 +80,11 @@ Dokumentacja API biblioteki libhif.
%prep
%setup -q
-%{?with_rpm5:%patch -P 0 -p1}
+%if %{with rpm5}
+%patch -P 0 -p1
+%else
+%patch -P 1 -p1
+%endif
%build
export CFLAGS="%{rpmcflags} -D_GNU_SOURCE"
diff --git a/libhif-rpm4.19.patch b/libhif-rpm4.19.patch
new file mode 100644
index 0000000..3d1990e
--- /dev/null
+++ b/libhif-rpm4.19.patch
@@ -0,0 +1,203 @@
+--- libhif-0.2.3/libhif/hif-keyring.c.orig 2016-06-30 10:43:15.000000000 +0200
++++ libhif-0.2.3/libhif/hif-keyring.c 2025-03-02 12:50:38.480738612 +0100
+@@ -35,7 +35,9 @@
+
+ #include <stdlib.h>
+ #include <glib.h>
++#include <rpm/rpmcli.h>
+ #include <rpm/rpmlib.h>
++#include <rpm/rpmlog.h>
+ #include <rpm/rpmts.h>
+
+ #include "hif-cleanup.h"
+@@ -63,7 +65,6 @@ hif_keyring_add_public_key (rpmKeyring k
+ gint rc;
+ gsize len;
+ pgpArmor armor;
+- pgpDig dig = NULL;
+ rpmPubkey pubkey = NULL;
+ uint8_t *pkt = NULL;
+ _cleanup_free_ gchar *data = NULL;
+@@ -114,15 +115,6 @@ hif_keyring_add_public_key (rpmKeyring k
+ goto out;
+ }
+
+- /* does the key exist in the keyring */
+- dig = rpmPubkeyDig (pubkey);
+- rc = rpmKeyringLookup (keyring, dig);
+- if (rc == RPMRC_OK) {
+- ret = TRUE;
+- g_debug ("%s is already present", filename);
+- goto out;
+- }
+-
+ /* add to rpmdb automatically, without a prompt */
+ rc = rpmKeyringAddKey (keyring, pubkey);
+ if (rc == 1) {
+@@ -148,8 +140,6 @@ out:
+ free (pkt); /* yes, free() */
+ if (pubkey != NULL)
+ rpmPubkeyFree (pubkey);
+- if (dig != NULL)
+- pgpFreeDig (dig);
+ return ret;
+ }
+
+@@ -187,6 +177,26 @@ hif_keyring_add_public_keys (rpmKeyring
+ return TRUE;
+ }
+
++static int
++rpmcliverifysignatures_log_handler_cb(rpmlogRec rec, rpmlogCallbackData data)
++{
++ GString **string =(GString **) data;
++
++ /* create string if required */
++ if (*string == NULL)
++ *string = g_string_new("");
++
++ /* if text already exists, join them */
++ if ((*string)->len > 0)
++ g_string_append(*string, ": ");
++ g_string_append(*string, rpmlogRecMessage(rec));
++
++ /* remove the trailing /n which rpm does */
++ if ((*string)->len > 0)
++ g_string_truncate(*string,(*string)->len - 1);
++ return 0;
++}
++
+ /**
+ * hif_keyring_check_untrusted_file:
+ */
+@@ -198,12 +208,13 @@ hif_keyring_check_untrusted_file (rpmKey
+ FD_t fd = NULL;
+ gboolean ret = FALSE;
+ Header hdr = NULL;
+- Header header = NULL;
+- pgpDig dig = NULL;
+ rpmRC rc;
+- rpmtd td = NULL;
+ rpmts ts = NULL;
+
++ char *path = g_strdup(filename);
++ char *path_array[2] = {path, NULL};
++ g_autoptr(GString) rpm_error = NULL;
++
+ /* open the file for reading */
+ fd = Fopen (filename, "r.fdio");
+ if (fd == NULL) {
+@@ -226,89 +237,53 @@ hif_keyring_check_untrusted_file (rpmKey
+
+ /* we don't want to abort on missing keys */
+ ts = rpmtsCreate ();
+- rpmtsSetVSFlags (ts, _RPMVSF_NOSIGNATURES);
+
+- /* read in the file */
+- rc = rpmReadPackageFile (ts, fd, filename, &hdr);
+- if (rc != RPMRC_OK) {
+- /* we only return SHA1 and MD5 failures, as we're not
+- * checking signatures at this stage */
+- g_set_error (error,
+- HIF_ERROR,
+- HIF_ERROR_FILE_INVALID,
+- "%s could not be verified",
+- filename);
++ if (rpmtsSetKeyring(ts, keyring) < 0) {
++ g_set_error_literal (error, HIF_ERROR, HIF_ERROR_INTERNAL_ERROR, "failed to set keyring");
+ goto out;
+ }
++ rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE);
++ rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error);
+
+- /* convert and upscale */
+- headerConvert (hdr, HEADERCONV_RETROFIT_V3);
+-
+- /* get RSA key */
+- td = rpmtdNew ();
+- rc = headerGet (hdr,
+- RPMTAG_RSAHEADER,
+- td,
+- HEADERGET_MINMEM);
+- if (rc != 1) {
+- /* try to read DSA key as a fallback */
+- rc = headerGet (hdr,
+- RPMTAG_DSAHEADER,
+- td,
+- HEADERGET_MINMEM);
+- }
+-
+- /* the package has no signing key */
+- if (rc != 1) {
+- ret = FALSE;
+- g_set_error (error,
+- HIF_ERROR,
+- HIF_ERROR_GPG_SIGNATURE_INVALID,
+- "package %s is not signed",
+- filename);
++ // rpm doesn't provide any better API call than rpmcliVerifySignatures (which is for CLI):
++ // - use path_array as input argument
++ // - gather logs via callback because we don't want to print anything if check is successful
++ if (rpmcliVerifySignatures(ts, (char * const*) path_array)) {
++ g_set_error(error,
++ HIF_ERROR,
++ HIF_ERROR_GPG_SIGNATURE_INVALID,
++ "%s could not be verified.\n%s",
++ filename,
++ (rpm_error ? rpm_error->str : "UNKNOWN ERROR"));
+ goto out;
+ }
+
+- /* make it into a digest */
+- dig = pgpNewDig ();
+- rc = pgpPrtPkts (td->data, td->count, dig, 0);
+- if (rc != 0) {
++ /* read in the file */
++ rc = rpmReadPackageFile (ts, fd, filename, &hdr);
++ if (rc != RPMRC_OK) {
++ /* we only return SHA1 and MD5 failures, as we're not
++ * checking signatures at this stage */
+ g_set_error (error,
+ HIF_ERROR,
+ HIF_ERROR_FILE_INVALID,
+- "failed to parse digest header for %s",
++ "%s could not be verified",
+ filename);
+ goto out;
+ }
+
+- /* does the key exist in the keyring */
+- rc = rpmKeyringLookup (keyring, dig);
+- if (rc != RPMRC_OK) {
+- g_set_error (error,
+- HIF_ERROR,
+- HIF_ERROR_GPG_SIGNATURE_INVALID,
+- "failed to lookup digest in keyring for %s",
+- filename);
+- goto out;
+- }
+-
+ /* the package is signed by a key we trust */
+ g_debug ("%s has been verified as trusted", filename);
+ ret = TRUE;
+ out:
+- if (dig != NULL)
+- pgpFreeDig (dig);
+- if (td != NULL) {
+- rpmtdFreeData (td);
+- rpmtdFree (td);
+- }
++ rpmlogSetCallback(NULL, NULL);
++
++ if (path != NULL)
++ g_free(path);
+ if (ts != NULL)
+ rpmtsFree (ts);
+ if (hdr != NULL)
+ headerFree (hdr);
+ if (fd != NULL)
+ Fclose (fd);
+- if (header != NULL)
+- headerFree (header);
+ return ret;
+ }
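Review bot: In hif_keyring_check_untrusted_file the signature requirement is enforced by `rpmcliVerifySignatures()`, which receives `path_array` and therefore opens the file by name, while the header is then read from `fd`, which was opened earlier; the verdict and the read cover the same content only if the file cannot be replaced in between, and that assumption is not stated. The retained comment `we're not checking signatures at this stage` is stale now that `rpmtsSetVSFlags (ts, _RPMVSF_NOSIGNATURES)` is removed; I would replace it with `/* signature was already required by rpmcliVerifySignatures() on the path; this read uses the same ts and keyring on the already-open fd */`. Separately, the `out:` path calls `rpmlogSetCallback(NULL, NULL)` even when the `rpmtsSetKeyring` failure jumped there before the callback was installed, and the previous callback that `rpmlogSetCallback` returns is discarded, so a host application's log callback is dropped either way. In the log handler, `g_string_truncate(*string,(*string)->len - 1)` removes the last character unconditionally; guard it with `if ((*string)->len > 0 && (*string)->str[(*string)->len - 1] == '\n')`. The function begins outside the nested hunks shown here.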
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/libhif.git/commitdiff/a3208f69081b7048fd49af6404efbddcb0453c31