Ensure gpg-pubkey packages not having OS and ARCH

Reject normal packages named gpg-pubkey which do have OS and ARCH. Only packages from properly imported keys don't.
ffesti · Dec 3, 2024 · b6a5793 · b6a5793
1 parent 8425def
commit b6a5793
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/lib/keystore.cc b/lib/keystore.cc
@@ -247,11 +247,17 @@ rpmRC keystore_rpmdb::load_keys(rpmtxn txn, rpmKeyring keyring)
     while ((h = rpmdbNextIterator(mi)) != NULL) {
 	struct rpmtd_s pubkeys;
 	const char *key;
+	char *nevr = headerGetAsString(h, RPMTAG_NEVR);
 
-	if (!headerGet(h, RPMTAG_PUBKEYS, &pubkeys, HEADERGET_MINMEM))
-	   continue;
+	/* don't allow normal packages named gpg-pubkey */
+	if (headerIsEntry(h, RPMTAG_ARCH) || headerIsEntry(h, RPMTAG_OS) ||
+	    !headerGet(h, RPMTAG_PUBKEYS, &pubkeys, HEADERGET_MINMEM))
+	{
+	    rpmlog(RPMLOG_WARNING, _("%s is not a valid public key\n"), nevr);
+	    free(nevr);
+	    continue;
+	}
 
-	char *nevr = headerGetAsString(h, RPMTAG_NEVR);
 	while ((key = rpmtdNextString(&pubkeys))) {
 	    uint8_t *pkt;
 	    size_t pktlen;