From b6a579397317d9cbb98df12fd9079872637e2ff7 Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Fri, 29 Nov 2024 16:13:00 +0100
Subject: [PATCH] Ensure gpg-pubkey packages not having OS and ARCH

Reject normal packages named gpg-pubkey which do have OS and ARCH. Only packages from properly imported keys don't.
---
 lib/keystore.cc | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/keystore.cc b/lib/keystore.cc
index a64ef07d6a..382a028e83 100644
--- a/lib/keystore.cc
+++ b/lib/keystore.cc
@@ -247,11 +247,17 @@ rpmRC keystore_rpmdb::load_keys(rpmtxn txn, rpmKeyring keyring)
 while ((h = rpmdbNextIterator(mi)) != NULL) {
 struct rpmtd_s pubkeys;
 const char *key;
+ char *nevr = headerGetAsString(h, RPMTAG_NEVR);
- if (!headerGet(h, RPMTAG_PUBKEYS, &pubkeys, HEADERGET_MINMEM))
- continue;
+ /* don't allow normal packages named gpg-pubkey */
+ if (headerIsEntry(h, RPMTAG_ARCH) || headerIsEntry(h, RPMTAG_OS) ||
+ !headerGet(h, RPMTAG_PUBKEYS, &pubkeys, HEADERGET_MINMEM))
+ {
+ rpmlog(RPMLOG_WARNING, _("%s is not a valid public key\n"), nevr);
+ free(nevr);
+ continue;
+ }
- char *nevr = headerGetAsString(h, RPMTAG_NEVR);
 while ((key = rpmtdNextString(&pubkeys))) {
 uint8_t *pkt;
 size_t pktlen;
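Review bot: The single warning in the new `if` covers two different conditions, so the log cannot tell them apart: a header that carries `RPMTAG_ARCH` or `RPMTAG_OS` (a regular package named gpg-pubkey, the case an administrator needs to notice because these headers feed the keyring) and a header that only lacks `RPMTAG_PUBKEYS`, which was skipped silently before this change. Splitting the test as sketched below gives the rejected-package case its own message. The comment should also state the invariant the check relies on, that headers created by key import never carry ARCH or OS. The hunk does not show whether the install path guarantees that every regular package has both tags, so that assumption is worth confirming. The loop body continues past the hunk, so the `free(nevr)` on the normal path is not visible here.

```cpp
	/* headers created by key import carry no ARCH/OS; a header that has
	 * them is an installed package and must not feed the keyring */
	if (headerIsEntry(h, RPMTAG_ARCH) || headerIsEntry(h, RPMTAG_OS)) {
	    rpmlog(RPMLOG_WARNING,
		   _("%s is a regular package, not an imported key\n"), nevr);
	    free(nevr);
	    continue;
	}
	if (!headerGet(h, RPMTAG_PUBKEYS, &pubkeys, HEADERGET_MINMEM)) {
	    rpmlog(RPMLOG_WARNING, _("%s is not a valid public key\n"), nevr);
	    free(nevr);
	    continue;
	}
	/* … unchanged: per-key loop over pubkeys … */
```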