From 8d47c693de9c80083c612af9adba6bb03bdd3bf3 Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Fri, 29 Nov 2024 09:22:53 +0100
Subject: [PATCH] Don't allow installing packages without ARCH or OS

We had an exception for public key packages in rpmte. With those now being handled in the keystore without going through the transaction machinery this is no longer needed. This also prevents people from just contrsucting their own pubkey packages and install them. We still allow removing gpg-pubkey packages but give a warning pointing people to rpmkeys.

Resolves: #3344
---
 lib/rpmte.cc | 10 +++++++---
 tests/rpmsigdig.at | 3 ++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/rpmte.cc b/lib/rpmte.cc
index 6b98918752..7794ffd7ff 100644
--- a/lib/rpmte.cc
+++ b/lib/rpmte.cc
@@ -159,9 +159,13 @@ static int addTE(rpmte p, Header h, fnpyKey key, rpmRelocation * relocs)
 p->arch = headerGetAsString(h, RPMTAG_ARCH);
 p->os = headerGetAsString(h, RPMTAG_OS);
 
- /* gpg-pubkey's dont have os or arch (sigh), for others they are required */
- if (!rstreq(p->name, "gpg-pubkey") && (p->arch == NULL || p->os == NULL))
- goto exit;
+ if (p->arch == NULL || p->os == NULL) {
+ if (p->type == TR_REMOVED && rstreq(p->name, "gpg-pubkey")) {
+ rpmlog(RPMLOG_WARNING, "Erasing gpg-pubkey packages is deprecated! Use rpmkeys.\n");
+ } else {
+ goto exit;
+ }
+ }
 
 p->isSource = headerIsSource(h);
 
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index c0bcced292..6eef8d514e 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -130,7 +130,8 @@ runroot rpm -qa gpg-pubkey
 ],
 [0],
 [],
-[])
+[warning: Erasing gpg-pubkey packages is deprecated! Use rpmkeys.
+])
 RPMTEST_CLEANUP
 
 AT_SETUP([rpmkeys migrate from keyid to fingerprint (rpmdb)])
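Review bot: The `else { goto exit; }` branch in addTE() refuses a header without ARCH or OS without logging anything, so unless a caller outside this hunk reports it, the refusal that enforces the commit's security intent leaves no trace of which package was rejected or why. I would log before bailing out, e.g. `rpmlog(RPMLOG_ERR, "package %s has no arch or os tag\n", p->name);`. The removed comment was the only explanation of the gpg-pubkey special case; a replacement above the outer `if` such as `/* arch and os are mandatory; legacy gpg-pubkey headers lack them and may only be erased */` would keep the reason next to the code. The exemption also depends on `p->type` already being set when addTE() runs, which cannot be confirmed here because the function body starts and ends outside the hunk.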
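Review bot: The only test change is the expected stderr of an existing erase case, so nothing in this hunk exercises the behaviour the commit message relies on, namely that installing a package without ARCH or OS (including a hand-built one named gpg-pubkey) is now rejected. A negative test next to this one, attempting such an install and expecting a non-zero exit with `rpm -qa gpg-pubkey` still empty, would stop the old exemption from being reintroduced unnoticed. The test body begins outside the hunk, so an existing check further up the file cannot be ruled out.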