ddelabru left a comment (rpm-software-management/rpm#3469)
> The root cause is RH signing server placing file signatures outside the
> immutable region of the signature header
The signing server produces raw IMA file signatures. Release engineers then
insert these signatures into the RPM header on the client end, most likely
using the [rpm-head-signing](https://github.com/fedora-iot/rpm-head-signing)
Python package.
I am trying to pinpoint the source of this incorrect behavior in
rpm-head-signing. My understanding of the header structure is somewhat limited,
but this is what I have been able to glean so far: rpm-head-signing calls rpm's
`headerPut()` function via a C extension to perform the actual header signature
and IMA signature insertion; for header signatures it applies the
`HEADERPUT_DEFAULT` flag, but for IMA file signatures it uses
`HEADERPUT_APPEND` instead. My understanding of the `headerPut()` function from
a cursory reading of its implementation is that when the `HEADERPUT_APPEND`
flag is passed, it should append to an existing tag of the same tag number,
within its existing region, if that tag is already present in the header. I
think this in itself is correct behavior for inserting the IMA signatures, but
I am looking for clues in the surrounding header-manipulation code of
`rpm-head-signing` to pinpoint what is causing these tags to be written outside
the immutable region.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3469#issuecomment-2706997817
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/3469/2706997...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
