Skip to content

Commit

Permalink
DNS key verification: Fix parsing an armored PGP key
Browse files Browse the repository at this point in the history 
A PGP armor message can contain any amount of headers. Up to Fedora 38
there was one:

  -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: rpm-4.18.0-beta1

  mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
  [...]
  =CHKS
  -----END PGP PUBLIC KEY BLOCK-----

Since Fedora 39 there is none:

  -----BEGIN PGP PUBLIC KEY BLOCK-----

  mQINBGLykg8BEADURjKtgQpQNoluifXia+U3FuqGCTQ1w7iTqx1UvNhLX6tb9Qjy
  l/vjl1iXxucrd2JBnrT/21BdtaABhu2hPy7bpcGEkG8MDinAMZBzcyzHcS/JiGHZ
  [...]
  =CHKS
  -----END PGP PUBLIC KEY BLOCK-----

RpmImportedKeys._query_db_for_gpg_keys() assumed exactly one header.
As a result if gpgkey_dns_verification configuration option was true,
DNF reported that Fedora 39 keys was revoked because the key
misextratracted from RPM database did not match a key in DNS:

    # dnf-3 upgrade
    DNSSEC extension: Testing already imported keys for their validity.
    DNSSEC extension: GPG Key [email protected] has been revoked and should be removed immediately

This patch implements skipping all armor headers.

https://bugzilla.redhat.com/show_bug.cgi?id=2249380
  • Loading branch information
@ppisar @jan-kolarik
ppisar authored and jan-kolarik committed Nov 15, 2023
1 parent 3f8a560 commit 49feb22
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion dnf/dnssec.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,16 @@ def _query_db_for_gpg_keys():
packager = dnf.rpm.getheader(pkg, 'packager')
email = re.search('<(.*@.*)>', packager).group(1)
description = dnf.rpm.getheader(pkg, 'description')
key_lines = description.split('\n')[3:-3]
# Extract Radix-64-encoded PGP key. Without armor headers and
# a checksum.
key_lines = []
in_headers = True
for line in description.split('\n')[0:-3]:
if in_headers:
if re.match(r'\A\s*\Z', line, re.NOFLAG):
in_headers = False
else:
key_lines.append(line)
key_str = ''.join(key_lines)
return_list += [KeyInfo(email, key_str.encode('ascii'))]

Expand Down

0 comments on commit 49feb22

Please sign in to comment.