1 # rpmsigdig.at: rpm signature and digest tests
3 AT_BANNER([RPM signatures and digests])
5 # ------------------------------
6 # Test pre-built package verification
# Both packages are unsigned, so the expected lines shown are digest checks only.
# A digest OK result means the file matches its own embedded checksums.
# It is an integrity result and says nothing about who produced the package.
7 AT_SETUP([rpmkeys -Kv <unsigned> 1])
8 AT_KEYWORDS([rpmkeys digest])
14 runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64.rpm /data/RPMS/hello-1.0-1.i386.rpm
17 [/data/RPMS/hello-2.0-1.x86_64.rpm:
18 Header SHA1 digest: OK
19 Header SHA256 digest: OK
20 Payload SHA256 digest: OK
22 /data/RPMS/hello-1.0-1.i386.rpm:
23 Header SHA1 digest: OK
29 # ------------------------------
30 # Test corrupted package verification (corrupted signature)
# Overwrites 4 bytes at offset 333 of a copy of the unsigned package with zeros.
# Only the MD5 line is expected to fail, and it is the Expected value that
# differs (007c... here, 137c... in the other corruption tests). The write
# therefore appears to land on the stored MD5 value, not on the data it covers.
# "Signature" presumably refers to the signature header region holding that
# value; the package carries no OpenPGP signature.
# NOTE(review): the commented-out dd arguments below look like an earlier
# offset kept for reference - confirm before removing.
31 AT_SETUP([rpmkeys -Kv <corrupted unsigned> 1])
32 AT_KEYWORDS([rpmkeys digest])
38 pkg="hello-2.0-1.x86_64.rpm"
39 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
40 # conv=notrunc bs=1 seek=261 count=6 2> /dev/null
41 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
42 conv=notrunc bs=1 seek=333 count=4 2> /dev/null
43 runroot rpmkeys -Kv /tmp/${pkg}
46 [/tmp/hello-2.0-1.x86_64.rpm:
47 Header SHA1 digest: OK
48 Header SHA256 digest: OK
49 Payload SHA256 digest: OK
50 MD5 digest: BAD (Expected 007ca1d8b35cca02a1854ba301c5432e != 137ca1d8b35cca02a1854ba301c5432e)
54 # ------------------------------
55 # Test corrupted package verification (corrupted header)
# Overwrites 6 bytes at offset 5555 with zeros. Both header digests and the
# MD5 digest are expected to report BAD while the payload digest stays OK,
# which places the damage in the main header.
# conv=notrunc keeps the file length, so only content changes.
56 AT_SETUP([rpmkeys -Kv <corrupted unsigned> 2])
57 AT_KEYWORDS([rpmkeys digest])
63 pkg="hello-2.0-1.x86_64.rpm"
64 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
65 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
66 conv=notrunc bs=1 seek=5555 count=6 2> /dev/null
67 runroot rpmkeys -Kv /tmp/${pkg}
70 [/tmp/hello-2.0-1.x86_64.rpm:
71 Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
72 Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 29fdfe92782fb0470a9a164a6c94af87d3b138c63b39d4c30e0223ca1202ba82)
73 Payload SHA256 digest: OK
74 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
79 # ------------------------------
80 # Test corrupted package verification (corrupted payload)
# Overwrites 6 bytes at offset 7777 with zeros. The header digests are
# expected to stay OK while the payload SHA256 and MD5 digests report BAD.
# Together with the header corruption test, where MD5 also fails, this
# suggests the MD5 digest spans header and payload.
81 AT_SETUP([rpmkeys -Kv <corrupted unsigned> 3])
82 AT_KEYWORDS([rpmkeys digest])
88 pkg="hello-2.0-1.x86_64.rpm"
89 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
90 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
91 conv=notrunc bs=1 seek=7777 count=6 2> /dev/null
92 runroot rpmkeys -Kv /tmp/${pkg}
95 [/tmp/hello-2.0-1.x86_64.rpm:
96 Header SHA1 digest: OK
97 Header SHA256 digest: OK
98 Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
99 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
104 # ------------------------------
105 # Reproducibly build and verify a package
# The --define overrides pin inputs that normally vary between builds:
# build host name, timestamps taken from the changelog with file mtimes
# clamped to that epoch, target platform and payload I/O mode.
# The freshly built package is then checked with rpmkeys -Kv. It is unsigned,
# so the expected lines are digests only.
106 AT_SETUP([rpmkeys -Kv <unsigned> 2])
107 AT_KEYWORDS([rpmkeys digest])
113 runroot rpmbuild -bb --quiet \
114 --define "%optflags -O2 -g" \
115 --define "%_target_platform noarch-linux" \
116 --define "%_binary_payload w.ufdio" \
117 --define "%_buildhost localhost" \
118 --define "%source_date_epoch_from_changelog 1" \
119 --define "%clamp_mtime_to_source_date_epoch 1" \
120 /data/SPECS/attrtest.spec
121 runroot rpmkeys -Kv /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm
124 [/build/RPMS/noarch/attrtest-1.0-1.noarch.rpm:
125 Header SHA1 digest: OK
126 Header SHA256 digest: OK
127 Payload SHA256 digest: OK
133 # ------------------------------
134 # Import a public RSA key
# Imports the rpm.org RSA test key and then queries the resulting gpg-pubkey
# pseudo-package. Its name carries the key ID 1964c5fc, the same ID the
# signature lines of the signed-package tests report.
# The Date and Version: lines are filtered out with grep -v, presumably
# because they vary between runs.
# The armored block below is public test key material shipped with the suite.
135 AT_SETUP([rpmkeys --import rsa])
136 AT_KEYWORDS([rpmkeys import])
142 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
143 runroot rpm -qi gpg-pubkey-1964c5fc-58e63918|grep -v Date|grep -v Version:
155 Build Host : localhost
156 Relocations : (not relocatable)
157 Packager : rpm.org RSA testkey <rsa@rpm.org>
158 Summary : gpg(rpm.org RSA testkey <rsa@rpm.org>)
160 -----BEGIN PGP PUBLIC KEY BLOCK-----
162 mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
163 HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
164 91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
165 eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
166 7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
167 1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
168 c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
169 CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
170 Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
171 BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
172 XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
173 fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
174 +mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
175 BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
176 zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
177 iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
178 Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
179 KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
180 L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAGJAR8EGAEIAAkFAljmORgCGwwA
181 CgkQQ0RZHhlkxfzwDQf/Y5on5o+s/xD3tDyRYa6SErfT44lEArdCD7Yi+cygJFox
182 3jyM8ovtJAkwRegwyxcaLN7zeG1p1Sk9ZAYWQEJT6qSU4Ppu+CVGHgxgnTcfUiu6
183 EZZQE6srvua53IMY1lT50M7vx0T5VicHFRWBFV2C/Mc32p7cEE6nn45nEZgUXQNl
184 ySEyvoRlsAJq6gFsfqucVz2vMJDTMVczUtq1CjvUqFbif8JVL36EoZCf1SeRw6d6
185 s1Kp3AA33Rjd+Uw87HJ4EIB75zMFQX2H0ggAVdYTQcqGXHP5MZK1jJrHfxJyMi3d
186 UNW2iqnN3BA7guhOv6OMiROF1+I7Q5nWT63mQC7IgQ==
188 -----END PGP PUBLIC KEY BLOCK-----
# Regression test for CVE-2021-3521: each of the three key files must be
# rejected at import time with "key 1 import failed".
# The file names suggest a bad subkey binding signature, a subkey with no
# signature, and an unsigned subkey in last position - confirm against the
# test data. The property under test is fail-closed import, so that a subkey
# the primary key never vouched for cannot enter the keyring.
194 AT_SETUP([rpmkeys --import invalid keys])
195 AT_KEYWORDS([rpmkeys import])
199 runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
203 [error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
206 runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
210 [error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
214 runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
218 [error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
222 # ------------------------------
223 # Test pre-built package verification
# Terse -K output for a signed package, checked before and after importing
# the signing key. With no matching key in the keyring the summary must read
# SIGNATURES NOT OK even though the digests pass. An unknown signer is
# reported as a failure, not as unsigned.
224 AT_SETUP([rpmkeys -K <signed> 1])
225 AT_KEYWORDS([rpmkeys digest signature])
231 runroot rpmkeys -K /data/RPMS/hello-2.0-1.x86_64-signed.rpm
232 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
233 runroot rpmkeys -K /data/RPMS/hello-2.0-1.x86_64-signed.rpm
236 [[/data/RPMS/hello-2.0-1.x86_64-signed.rpm: digests SIGNATURES NOT OK
237 /data/RPMS/hello-2.0-1.x86_64-signed.rpm: digests signatures OK
242 # ------------------------------
243 # Test pre-built package verification
# Verbose output for the signed package in four runs, matching the four
# expected sections below:
#   1. before key import: both signatures NOKEY, digests OK
#   2. after key import: signatures and digests OK
#   3. --nodigest: signature lines only
#   4. --nosignature: digest lines only
# Run 4 prints nothing but OK although no signature was checked. That output
# shows integrity only and must not be read as an authenticity result.
244 AT_SETUP([rpmkeys -Kv <signed> 1])
245 AT_KEYWORDS([rpmkeys digest signature])
251 runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-signed.rpm
252 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
253 runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64-signed.rpm
254 runroot rpmkeys -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed.rpm
255 runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm
258 [/data/RPMS/hello-2.0-1.x86_64-signed.rpm:
259 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
260 Header SHA1 digest: OK
261 Header SHA256 digest: OK
262 Payload SHA256 digest: OK
263 V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
265 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
266 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
267 Header SHA1 digest: OK
268 Header SHA256 digest: OK
269 Payload SHA256 digest: OK
270 V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
272 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
273 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
274 V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
275 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
276 Header SHA1 digest: OK
277 Header SHA256 digest: OK
278 Payload SHA256 digest: OK
284 # ------------------------------
285 # Test pre-built corrupted package verification (corrupted signature)
# Overwrites 6 bytes at offset 264 of a copy of the signed package with zeros.
# The header signature, package tag 268, is expected to be rejected as an
# invalid OpenPGP signature both before and after the key is imported.
# After import the other signature line still reads OK. One passing signature
# does not make the package good; every line has to pass.
286 AT_SETUP([rpmkeys -Kv <corrupted signed> 1])
287 AT_KEYWORDS([rpmkeys digest signature])
293 pkg="hello-2.0-1.x86_64-signed.rpm"
294 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
295 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
296 conv=notrunc bs=1 seek=264 count=6 2> /dev/null
298 runroot rpmkeys -Kv /tmp/${pkg}
299 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
300 runroot rpmkeys -Kv /tmp/${pkg}
303 [/tmp/hello-2.0-1.x86_64-signed.rpm:
304 Header signature: BAD (package tag 268: invalid OpenPGP signature)
305 Header SHA1 digest: OK
306 Header SHA256 digest: OK
307 Payload SHA256 digest: OK
308 V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
310 /tmp/hello-2.0-1.x86_64-signed.rpm:
311 Header signature: BAD (package tag 268: invalid OpenPGP signature)
312 Header SHA1 digest: OK
313 Header SHA256 digest: OK
314 Payload SHA256 digest: OK
315 V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
320 # ------------------------------
321 # Test pre-built corrupted package verification (corrupted header)
# Overwrites 6 bytes at offset 5555, the same offset as the unsigned header
# corruption test. The expected output is identical before and after key
# import: both signatures and both header digests report BAD, and only the
# payload digest stays OK.
# Both signatures are expected to read BAD, not NOKEY, even in the first
# run when the key is not yet in the keyring.
322 AT_SETUP([rpmkeys -Kv <corrupted signed> 2])
323 AT_KEYWORDS([rpmkeys digest signature])
329 pkg="hello-2.0-1.x86_64-signed.rpm"
330 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
331 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
332 conv=notrunc bs=1 seek=5555 count=6 2> /dev/null
334 runroot rpmkeys -Kv /tmp/${pkg}
335 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
336 runroot rpmkeys -Kv /tmp/${pkg}
339 [/tmp/hello-2.0-1.x86_64-signed.rpm:
340 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
341 Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
342 Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 29fdfe92782fb0470a9a164a6c94af87d3b138c63b39d4c30e0223ca1202ba82)
343 Payload SHA256 digest: OK
344 V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
345 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
346 /tmp/hello-2.0-1.x86_64-signed.rpm:
347 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
348 Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
349 Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 29fdfe92782fb0470a9a164a6c94af87d3b138c63b39d4c30e0223ca1202ba82)
350 Payload SHA256 digest: OK
351 V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
352 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
357 # ------------------------------
358 # Test pre-built corrupted package verification (corrupted payload)
# Overwrites 6 bytes at offset 7777, the same offset as the unsigned payload
# corruption test. The header-only signature goes from NOKEY to OK once the
# key is imported, although the payload is damaged.
# The damage is caught by the payload SHA256 digest, the second signature
# line and the MD5 digest, all BAD in both runs.
# A passing header signature alone does not show the payload is intact.
359 AT_SETUP([rpmkeys -Kv <corrupted signed> 3])
360 AT_KEYWORDS([rpmkeys digest signature])
366 pkg="hello-2.0-1.x86_64-signed.rpm"
367 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
368 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
369 conv=notrunc bs=1 seek=7777 count=6 2> /dev/null
371 runroot rpmkeys -Kv /tmp/${pkg}
372 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
373 runroot rpmkeys -Kv /tmp/${pkg}
376 [/tmp/hello-2.0-1.x86_64-signed.rpm:
377 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
378 Header SHA1 digest: OK
379 Header SHA256 digest: OK
380 Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
381 V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
382 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
383 /tmp/hello-2.0-1.x86_64-signed.rpm:
384 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
385 Header SHA1 digest: OK
386 Header SHA256 digest: OK
387 Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
388 V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
389 MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
394 # ------------------------------
# Signs a copy of the unsigned package with key ID 1964C5FC, then checks it
# three times with digest lines filtered out by grep -v digest:
#   1. before the public key is imported: both signatures NOKEY
#   2. after import: both signatures OK
#   3. after rpmsign --delsign: only the package name line is expected
# The signing key comes from the test environment; how it is provisioned is
# not visible in this file.
396 AT_SETUP([rpmsign --addsign <unsigned>])
397 AT_KEYWORDS([rpmsign signature])
403 cp "${RPMTEST}"/data/RPMS/hello-2.0-1.x86_64.rpm "${RPMTEST}"/tmp/
404 run rpmsign --key-id 1964C5FC --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
406 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
408 runroot rpmkeys --import /data/keys/rpm.org-rsa-2048-test.pub
409 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
410 run rpmsign --delsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64.rpm > /dev/null
412 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm|grep -v digest
416 /tmp/hello-2.0-1.x86_64.rpm:
417 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
418 V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
420 /tmp/hello-2.0-1.x86_64.rpm:
421 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
422 V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
424 /tmp/hello-2.0-1.x86_64.rpm:
429 # ------------------------------
# Removes the signatures from a copy of the pre-signed package. Before
# --delsign both signature lines are listed, as NOKEY because no key is
# imported in this test. Afterwards only the package name line is expected.
# Digest lines are filtered out with grep -v digest.
# A package stripped this way verifies like an unsigned one. Whether
# unsigned packages are acceptable is decided by policy elsewhere, not by
# this check.
431 AT_SETUP([rpmsign --delsign <package>])
432 AT_KEYWORDS([rpmsign signature])
438 cp "${RPMTEST}"/data/RPMS/hello-2.0-1.x86_64-signed.rpm "${RPMTEST}"/tmp/
440 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64-signed.rpm|grep -v digest
442 run rpmsign --delsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64-signed.rpm > /dev/null
443 runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64-signed.rpm|grep -v digest
447 /tmp/hello-2.0-1.x86_64-signed.rpm:
448 Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
449 V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
451 /tmp/hello-2.0-1.x86_64-signed.rpm:
456 # ------------------------------
458 AT_SETUP([rpmsign --addsign <signed>])
459 AT_KEYWORDS([rpmsign signature])
465 cp "${RPMTEST}"/data/RPMS/hello-2.0-1.x86_64-signed.rpm "${RPMTEST}"/tmp/
466 run rpmsign --key-id 1964C5FC --addsign "${RPMTEST}"/tmp/hello-2.0-1.x86_64-signed.rpm 2>&1 |grep -q "already contains identical signature, skipping"