diff options
Diffstat (limited to 'meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch')
-rw-r--r-- | meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch | 332 |
1 files changed, 332 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch new file mode 100644 index 0000000000..d39ea7dacd --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch | |||
@@ -0,0 +1,332 @@ | |||
1 | From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001 | ||
2 | From: Panu Matilainen <pmatilai@redhat.com> | ||
3 | Date: Thu, 30 Sep 2021 09:59:30 +0300 | ||
4 | Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP | ||
5 | public keys | ||
6 | |||
7 | All subkeys must be followed by a binding signature by the primary key | ||
8 | as per the OpenPGP RFC, enforce the presence and validity in the parser. | ||
9 | |||
10 | The implementation is as kludgey as they come to work around our | ||
11 | simple-minded parser structure without touching API, to maximise | ||
12 | backportability. Store all the raw packets internally as we decode them | ||
13 | to be able to access previous elements at will, needed to validate ordering | ||
14 | and access the actual data. Add testcases for manipulated keys whose | ||
15 | import previously would succeed. | ||
16 | |||
17 | Depends on the two previous commits: | ||
18 | 7b399fcb8f52566e6f3b4327197a85facd08db91 and | ||
19 | 236b802a4aa48711823a191d1b7f753c82a89ec5 | ||
20 | |||
21 | Fixes CVE-2021-3521. | ||
22 | |||
23 | Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9] | ||
24 | CVE:CVE-2021-3521 | ||
25 | |||
26 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
27 | --- | ||
28 | rpmio/rpmpgp.c | 100 ++++++++++++++++-- | ||
29 | tests/Makefile.am | 3 + | ||
30 | tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++ | ||
31 | .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++ | ||
32 | tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++ | ||
33 | tests/rpmsigdig.at | 28 +++++ | ||
34 | 6 files changed, 211 insertions(+), 7 deletions(-) | ||
35 | create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc | ||
36 | create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc | ||
37 | create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc | ||
38 | |||
39 | diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c | ||
40 | index 57d411d1e0..b12410d671 100644 | ||
41 | --- a/rpmio/rpmpgp.c | ||
42 | +++ b/rpmio/rpmpgp.c | ||
43 | @@ -1046,35 +1046,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag) | ||
44 | return digp; | ||
45 | } | ||
46 | |||
47 | +static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag) | ||
48 | +{ | ||
49 | + int rc = -1; | ||
50 | + if (pkt->tag == exptag) { | ||
51 | + uint8_t head[] = { | ||
52 | + 0x99, | ||
53 | + (pkt->blen >> 8), | ||
54 | + (pkt->blen ), | ||
55 | + }; | ||
56 | + | ||
57 | + rpmDigestUpdate(hash, head, 3); | ||
58 | + rpmDigestUpdate(hash, pkt->body, pkt->blen); | ||
59 | + rc = 0; | ||
60 | + } | ||
61 | + return rc; | ||
62 | +} | ||
63 | + | ||
64 | +static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig, | ||
65 | + const struct pgpPkt *all, int i) | ||
66 | +{ | ||
67 | + int rc = -1; | ||
68 | + DIGEST_CTX hash = NULL; | ||
69 | + | ||
70 | + switch (selfsig->sigtype) { | ||
71 | + case PGPSIGTYPE_SUBKEY_BINDING: | ||
72 | + hash = rpmDigestInit(selfsig->hash_algo, 0); | ||
73 | + if (hash) { | ||
74 | + rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY); | ||
75 | + if (!rc) | ||
76 | + rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY); | ||
77 | + } | ||
78 | + break; | ||
79 | + default: | ||
80 | + /* ignore types we can't handle */ | ||
81 | + rc = 0; | ||
82 | + break; | ||
83 | + } | ||
84 | + | ||
85 | + if (hash && rc == 0) | ||
86 | + rc = pgpVerifySignature(key, selfsig, hash); | ||
87 | + | ||
88 | + rpmDigestFinal(hash, NULL, NULL, 0); | ||
89 | + | ||
90 | + return rc; | ||
91 | +} | ||
92 | + | ||
93 | int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, | ||
94 | pgpDigParams * ret) | ||
95 | { | ||
96 | const uint8_t *p = pkts; | ||
97 | const uint8_t *pend = pkts + pktlen; | ||
98 | pgpDigParams digp = NULL; | ||
99 | - struct pgpPkt pkt; | ||
100 | + pgpDigParams selfsig = NULL; | ||
101 | + int i = 0; | ||
102 | + int alloced = 16; /* plenty for normal cases */ | ||
103 | + struct pgpPkt *all = xmalloc(alloced * sizeof(*all)); | ||
104 | int rc = -1; /* assume failure */ | ||
105 | + int expect = 0; | ||
106 | + int prevtag = 0; | ||
107 | |||
108 | while (p < pend) { | ||
109 | - if (decodePkt(p, (pend - p), &pkt)) | ||
110 | + struct pgpPkt *pkt = &all[i]; | ||
111 | + if (decodePkt(p, (pend - p), pkt)) | ||
112 | break; | ||
113 | |||
114 | if (digp == NULL) { | ||
115 | - if (pkttype && pkt.tag != pkttype) { | ||
116 | + if (pkttype && pkt->tag != pkttype) { | ||
117 | break; | ||
118 | } else { | ||
119 | - digp = pgpDigParamsNew(pkt.tag); | ||
120 | + digp = pgpDigParamsNew(pkt->tag); | ||
121 | } | ||
122 | } | ||
123 | |||
124 | - if (pgpPrtPkt(&pkt, digp)) | ||
125 | + if (expect) { | ||
126 | + if (pkt->tag != expect) | ||
127 | + break; | ||
128 | + selfsig = pgpDigParamsNew(pkt->tag); | ||
129 | + } | ||
130 | + | ||
131 | + if (pgpPrtPkt(pkt, selfsig ? selfsig : digp)) | ||
132 | break; | ||
133 | |||
134 | - p += (pkt.body - pkt.head) + pkt.blen; | ||
135 | + if (selfsig) { | ||
136 | + /* subkeys must be followed by binding signature */ | ||
137 | + if (prevtag == PGPTAG_PUBLIC_SUBKEY) { | ||
138 | + if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) | ||
139 | + break; | ||
140 | + } | ||
141 | + | ||
142 | + int xx = pgpVerifySelf(digp, selfsig, all, i); | ||
143 | + | ||
144 | + selfsig = pgpDigParamsFree(selfsig); | ||
145 | + if (xx) | ||
146 | + break; | ||
147 | + expect = 0; | ||
148 | + } | ||
149 | + | ||
150 | + if (pkt->tag == PGPTAG_PUBLIC_SUBKEY) | ||
151 | + expect = PGPTAG_SIGNATURE; | ||
152 | + prevtag = pkt->tag; | ||
153 | + | ||
154 | + i++; | ||
155 | + p += (pkt->body - pkt->head) + pkt->blen; | ||
156 | + if (pkttype == PGPTAG_SIGNATURE) | ||
157 | + break; | ||
158 | + | ||
159 | + if (alloced <= i) { | ||
160 | + alloced *= 2; | ||
161 | + all = xrealloc(all, alloced * sizeof(*all)); | ||
162 | + } | ||
163 | } | ||
164 | |||
165 | - rc = (digp && (p == pend)) ? 0 : -1; | ||
166 | + rc = (digp && (p == pend) && expect == 0) ? 0 : -1; | ||
167 | |||
168 | + free(all); | ||
169 | if (ret && rc == 0) { | ||
170 | *ret = digp; | ||
171 | } else { | ||
172 | diff --git a/tests/Makefile.am b/tests/Makefile.am | ||
173 | index f742a9e1d2..328234278a 100644 | ||
174 | --- a/tests/Makefile.am | ||
175 | +++ b/tests/Makefile.am | ||
176 | @@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec | ||
177 | EXTRA_DIST += data/SPECS/hello-cd.spec | ||
178 | EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub | ||
179 | EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret | ||
180 | +EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc | ||
181 | +EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc | ||
182 | +EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc | ||
183 | EXTRA_DIST += data/macros.testfile | ||
184 | EXTRA_DIST += data/macros.debug | ||
185 | EXTRA_DIST += data/SOURCES/foo.c | ||
186 | diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc | ||
187 | new file mode 100644 | ||
188 | index 0000000000..aea00f9d7a | ||
189 | --- /dev/null | ||
190 | +++ b/tests/data/keys/CVE-2021-3521-badbind.asc | ||
191 | @@ -0,0 +1,25 @@ | ||
192 | +-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
193 | +Version: rpm-4.17.90 (NSS-3) | ||
194 | + | ||
195 | +mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g | ||
196 | +HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY | ||
197 | +91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 | ||
198 | +eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas | ||
199 | +7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ | ||
200 | +1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl | ||
201 | +c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK | ||
202 | +CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf | ||
203 | +Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB | ||
204 | +BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr | ||
205 | +XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX | ||
206 | +fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq | ||
207 | ++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN | ||
208 | +BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY | ||
209 | +zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz | ||
210 | +iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 | ||
211 | +Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c | ||
212 | +KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m | ||
213 | +L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= | ||
214 | +=WCfs | ||
215 | +-----END PGP PUBLIC KEY BLOCK----- | ||
216 | + | ||
217 | diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc | ||
218 | new file mode 100644 | ||
219 | index 0000000000..aea00f9d7a | ||
220 | --- /dev/null | ||
221 | +++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc | ||
222 | @@ -0,0 +1,25 @@ | ||
223 | +-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
224 | +Version: rpm-4.17.90 (NSS-3) | ||
225 | + | ||
226 | +mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g | ||
227 | +HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY | ||
228 | +91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 | ||
229 | +eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas | ||
230 | +7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ | ||
231 | +1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl | ||
232 | +c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK | ||
233 | +CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf | ||
234 | +Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB | ||
235 | +BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr | ||
236 | +XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX | ||
237 | +fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq | ||
238 | ++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN | ||
239 | +BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY | ||
240 | +zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz | ||
241 | +iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 | ||
242 | +Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c | ||
243 | +KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m | ||
244 | +L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= | ||
245 | +=WCfs | ||
246 | +-----END PGP PUBLIC KEY BLOCK----- | ||
247 | + | ||
248 | diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc | ||
249 | new file mode 100644 | ||
250 | index 0000000000..3a2e7417f8 | ||
251 | --- /dev/null | ||
252 | +++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc | ||
253 | @@ -0,0 +1,37 @@ | ||
254 | +-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
255 | +Version: rpm-4.17.90 (NSS-3) | ||
256 | + | ||
257 | +mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g | ||
258 | +HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY | ||
259 | +91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 | ||
260 | +eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas | ||
261 | +7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ | ||
262 | +1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl | ||
263 | +c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK | ||
264 | +CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf | ||
265 | +Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB | ||
266 | +BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr | ||
267 | +XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX | ||
268 | +fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq | ||
269 | ++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN | ||
270 | +BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY | ||
271 | +zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz | ||
272 | +iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 | ||
273 | +Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c | ||
274 | +KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m | ||
275 | +L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4 | ||
276 | +VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En | ||
277 | +uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ | ||
278 | +8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF | ||
279 | +v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/ | ||
280 | +qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB | ||
281 | +Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j | ||
282 | +mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos | ||
283 | +3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ | ||
284 | +zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX | ||
285 | +Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ | ||
286 | +gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ | ||
287 | +E4XX4jtDmdZPreZALsiB | ||
288 | +=rRop | ||
289 | +-----END PGP PUBLIC KEY BLOCK----- | ||
290 | + | ||
291 | diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at | ||
292 | index e1a3ab062a..705fc58705 100644 | ||
293 | --- a/tests/rpmsigdig.at | ||
294 | +++ b/tests/rpmsigdig.at | ||
295 | @@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918 | ||
296 | []) | ||
297 | AT_CLEANUP | ||
298 | |||
299 | +AT_SETUP([rpmkeys --import invalid keys]) | ||
300 | +AT_KEYWORDS([rpmkeys import]) | ||
301 | +RPMDB_INIT | ||
302 | + | ||
303 | +AT_CHECK([ | ||
304 | +runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc | ||
305 | +], | ||
306 | +[1], | ||
307 | +[], | ||
308 | +[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.] | ||
309 | +) | ||
310 | +AT_CHECK([ | ||
311 | +runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc | ||
312 | +], | ||
313 | +[1], | ||
314 | +[], | ||
315 | +[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.] | ||
316 | +) | ||
317 | + | ||
318 | +AT_CHECK([ | ||
319 | +runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc | ||
320 | +], | ||
321 | +[1], | ||
322 | +[], | ||
323 | +[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.] | ||
324 | +) | ||
325 | +AT_CLEANUP | ||
326 | + | ||
327 | # ------------------------------ | ||
328 | # Test pre-built package verification | ||
329 | AT_SETUP([rpmkeys -K <signed> 1]) | ||
330 | -- | ||
331 | 2.17.1 | ||
332 | |||