Don't allow installing gpg-pubkey packages

People could install gpg-pubkey if they had the ARCH and OS tag set. Do not allow that.
ffesti · Nov 30, 2024 · 5881924 · 5881924
1 parent 5e3db70
commit 5881924
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/lib/rpmte.cc b/lib/rpmte.cc
@@ -178,6 +178,11 @@ static int addTE(rpmte p, Header h, fnpyKey key, rpmRelocation * relocs)
 	}
     }
 
+    if (p->type != TR_REMOVED && rstreq(p->name, "gpg-pubkey")) {
+	rpmlog(RPMLOG_ERR, "installing gpg-pubkey packages is not allowed. use rpmkeys instead\n");
+	goto exit;
+    }
+
     p->isSource = headerIsSource(h);
 
     p->NEVR = headerGetAsString(h, RPMTAG_NEVR);

diff --git a/tests/rpmpython.at b/tests/rpmpython.at
@@ -365,6 +365,23 @@ error: Package is missing version
 error: Package is missing release
 ])
 
+RPMPY_TEST([add bogus package to transaction 4],[
+
+h = ts.hdrFromFdno('${RPMDATA}/RPMS/hello-1.0-1.ppc64.rpm')
+del h["name"]
+h["name"] = "gpg-pubkey"
+try:
+    ts.addInstall(h, 'foo', 'u')
+except rpm.error as err:
+    myprint(err)
+for e in ts:
+    myprint(e.NEVRA())
+],
+[adding upgrade to transaction failed
+],
+[error: installing gpg-pubkey packages is not allowed. use rpmkeys instead
+])
+
 RPMPY_TEST([transaction element userdata],[
 mydata = { 'foo': 'bar', 'capstest': 'lock' }
 ts.addInstall('${RPMDATA}/RPMS/foo-1.0-1.noarch.rpm', 'u')