Extend key ID matching to expired keys

gpg accepts signatures with expired keys as long as the signature was made prior to key expiration. But it also changes the status-fd output format that we grep for the expected key ID. Make sure we look for the alternate EXPKEYSIG line in the output in that case to find the key ID.
Add gnupg as a buildreq if we'll need it during build
2026-06-16 02:45:56 +00:00 · 2024-04-12 09:08:10 -07:00 · 2024-04-11 16:10:02 -07:00 · 2024-04-11 12:37:09 -07:00 · 2024-04-11 12:22:59 -07:00 · 2024-04-11 12:22:59 -07:00
6 changed files with 24 additions and 7 deletions
@@ -289,7 +289,6 @@ LibIcal, libical-dev
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKompareDiff2, libkomparediff2-dev
-LibLZMA, xz-dev
 LibNotificationManager, plasma-workspace-dev
 LibObs, obs-studio-dev
 LibTaskManager, plasma-workspace-dev
@@ -115,12 +115,15 @@ class Config(object):
        self.old_keyid = None
        self.profile_payload = None
        self.signature = None
+        self.signature_macro = None
+        self.pkey_macro = None
        self.yum_conf = None
        self.failed_pattern_dir = None
        self.alias = None
        self.failed_commands = {}
        self.ignored_commands = {}
        self.gems = {}
+        self.keyid_blocklist = {}
        self.license_hashes = {}
        self.license_translations = {}
        self.license_blacklist = {}
@@ -603,6 +606,7 @@ class Config(object):
        read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path)
        read_pattern_conf("qt_modules", self.qt_modules, path=path)
        read_pattern_conf("cmake_modules", self.cmake_modules, path=path)
+        read_pattern_conf("keyid_blocklist", self.keyid_blocklist, list_format=True, path=path)

    def parse_existing_spec(self, name):
        """Determine the old version, old patch list, old keyid, and cves from old spec file."""
@@ -76,7 +76,6 @@
 -lkrb5, krb5-dev
 -lldap, openldap-dev
 -lldb, ldb-dev
-llzma, xz-dev
 -llzo, lzo-dev
 -lmagic, file-dev
 -lmenu, ncurses-dev
@@ -512,7 +511,6 @@ LIBGCRYPT - version >= 1.5.0, libgcrypt-dev
 LIBGD, libgd-dev
 LIBICAL, libical-dev
 LIBKONQ, kde-baseapps-dev
-LIBLZMA, xz-dev
 LIBNOTIFY, libnotify-dev
 LIBPCREVERSION, pcre-dev
 LIBRSVG, librsvg-dev
@@ -534,7 +532,6 @@ LibExiv2, pkgconfig(exiv2)
 LibKEduVocDocument, libkeduvocdocument-dev
 LibKWorkspace, plasma-workspace-dev
 LibKrb5, krb5-dev
-LibLZMA, xz-dev
 LibR, R-dev
 LibSSH, libssh-dev
 LibXml2, libxml2-dev
@@ -1100,7 +1097,6 @@ libhandy-0.0, libhandy-dev
 libiberty.h, binutils-dev
 libkmod.h, kmod-dev
 libksba, libksba-dev
-liblzma, xz-dev
 libmnl/libmnl.h, libmnl-dev
 libmpfr, mpfr-dev
 libmspack >= 0.0.20040308alpha (via pkg-config), libmspack-dev
@@ -1161,8 +1157,6 @@ lxqt-build-tools, lxqt-build-tools
 lxqt-globalkeys, lxqt-globalkeys-dev
 lxqt-globalkeys-ui, lxqt-globalkeys-dev
 lz4.h, lz4-dev
-lzma, xz-dev
-lzma.h, xz-dev
 lzo/lzoconf.h, lzo-dev
 magic, file-dev
 magic.h, file-dev
@@ -0,0 +1 @@
+59FCF207FEA7F445
@@ -483,6 +483,10 @@ class GPGVerifier(Verifier):
            return None
        # valid signature exists at package_sign_path, operate on it now
        keyid = get_keyid(self.package_sign_path)
+        if keyid in self.config.keyid_blocklist:
+            self.print_result(False, err_msg='KNOWNBADACTOR: {}'.format(keyid))
+            self.quit()
+
        # default location first
        pubkey_loc = self.pubkey_path.format(keyid)
        cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc)
@@ -159,8 +159,17 @@ class Specfile(object):

        # if package is verified, include the signature in the source tarball
        if self.keyid and self.config.signature:
+            # We'll need gnupg to verify the signature. Need to add it here so it's ready before write_buildreq
+            self.requirements.add_buildreq("gnupg")
+
            count += 1
            self._write_strip(f"Source{count}  : {self.config.signature}")
+            self.config.signature_macro = f"%{{SOURCE{count}}}"
+
+            # Also include the public key in the source tarball.
+            count += 1
+            self._write_strip(f"Source{count}  : {self.keyid}.pkey")
+            self.config.pkey_macro = f"%{{SOURCE{count}}}"

        for source in self.config.extra_sources:
            count += 1
@@ -430,6 +439,12 @@ class Specfile(object):
    def write_prep(self):
        """Write prep section to spec file."""
        self._write_strip("%prep")
+        if self.keyid and self.config.signature:
+            self._write_strip("mkdir .gnupg")
+            self._write_strip("chmod 700 .gnupg")
+            self._write_strip(f"gpg --homedir .gnupg --import {self.config.pkey_macro}")
+            self._write_strip(f"gpg --homedir .gnupg --status-fd 1 --verify {self.config.signature_macro} %{{SOURCE0}} > gpg.status")
+            self._write_strip(f"grep -E '^\\[GNUPG:\\] (GOODSIG|EXPKEYSIG) {self.keyid}' gpg.status")
        self.write_prep_prepend()
        prefix = self.content.prefixes[self.url]
        if self.config.default_pattern == 'R':
Author	SHA1	Message	Date
Brett T. Warden	81e1eebe28	Extend key ID matching to expired keys gpg accepts signatures with expired keys as long as the signature was made prior to key expiration. But it also changes the status-fd output format that we grep for the expected key ID. Make sure we look for the alternate EXPKEYSIG line in the output in that case to find the key ID.	2024-04-12 09:08:10 -07:00
Brett T. Warden	658bd0de10	Add gnupg as a buildreq if we'll need it during build	2024-04-11 16:10:02 -07:00
Brett T. Warden	b628caf931	Add Config fields for pkey and signature macros	2024-04-11 12:37:09 -07:00
Brett T. Warden	8142032e7c	Fix escaping to satisfy flake	2024-04-11 12:22:59 -07:00
Brett T. Warden	5a302d6c91	Check GPG package signatures during build Add gpg commands to the specfile so we verify the package signature during every rpmbuild. Also ensure that the signature key ID matches what we expect.	2024-04-11 12:22:59 -07:00
William Douglas	f56f1fa18d	Don't autodetect xz build requirements Signed-off-by: William Douglas <william.douglas@intel.com>	2024-03-29 15:10:55 -07:00
Brett T. Warden	0c408e7089	Yell louder about known bad signing keys	2024-03-29 11:43:38 -07:00
Brett T. Warden	5471f10f61	Implement blocklist for signing key IDs Implement a blocklist, keyid_blocklist. If a keyid (without leading 0x) in this file matches the signing key for a release, terminate autospec with an error. This is intended as a mechanism to block building releases signed with a known compromised key.	2024-03-29 11:43:38 -07:00