Don't allow installing packages without ARCH or OS

We had an exception for public key packages in rpmte. With those now being handled in the keystore without going through the transaction machinery this is no longer needed. This also prevents people from just contrsucting their own pubkey packages and install them. We still allow removing gpg-pubkey packages but give a warning pointing people to rpmkeys. Resolves: rpm-software-management#3344
ffesti · Nov 29, 2024 · 8d47c69 · 8d47c69
1 parent 51f4831
commit 8d47c69
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/lib/rpmte.cc b/lib/rpmte.cc
@@ -159,9 +159,13 @@ static int addTE(rpmte p, Header h, fnpyKey key, rpmRelocation * relocs)
     p->arch = headerGetAsString(h, RPMTAG_ARCH);
     p->os = headerGetAsString(h, RPMTAG_OS);
 
-    /* gpg-pubkey's dont have os or arch (sigh), for others they are required */
-    if (!rstreq(p->name, "gpg-pubkey") && (p->arch == NULL || p->os == NULL))
-	goto exit;
+    if (p->arch == NULL || p->os == NULL) {
+	if (p->type == TR_REMOVED && rstreq(p->name, "gpg-pubkey")) {
+	    rpmlog(RPMLOG_WARNING, "Erasing gpg-pubkey packages is deprecated! Use rpmkeys.\n");
+	} else {
+	    goto exit;
+	}
+    }
 
     p->isSource = headerIsSource(h);
 

diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
@@ -130,7 +130,8 @@ runroot rpm -qa gpg-pubkey
 ],
 [0],
 [],
-[])
+[warning: Erasing gpg-pubkey packages is deprecated! Use rpmkeys.
+])
 RPMTEST_CLEANUP
 
 AT_SETUP([rpmkeys migrate from keyid to fingerprint (rpmdb)])
-Original file line number
+Diff line change
@@ Expand Up / @@ -130,7 +130,8 @@ runroot rpm -qa gpg-pubkey @@
     ],
     [0],
     [],
-    [])
+    [warning: Erasing gpg-pubkey packages is deprecated! Use rpmkeys.
+    ])
     RPMTEST_CLEANUP
     AT_SETUP([rpmkeys migrate from keyid to fingerprint (rpmdb)])
@@ Expand Down @@