Skip to content

Expose RPM signature information (for RPM DB and RPM archives) #3179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wagoodman merged 12 commits into from
May 15, 2025
Merged

Expose RPM signature information (for RPM DB and RPM archives) #3179

wagoodman merged 12 commits into from
May 15, 2025

Conversation

@ralphbean
Copy link
Contributor

@ralphbean ralphbean commented Aug 30, 2024

This helps with more confident identification of an rpm.

In theory, two rpms can be built that have the same purl string, and otherwise look identical in syft's output, but the PGP information would distinguish them as signed either by different keys, or signed at different times.

In practice, this usually makes no difference since rpms tend to have unique name/version/release strings. This gives increased confidence about the identity of the rpm found in the db.

@github-actions github-actions bot added the json-schema Changes the json schema label Aug 30, 2024
@ralphbean ralphbean marked this pull request as draft August 30, 2024 19:25
@ralphbean
Copy link
Contributor Author

ralphbean commented Aug 30, 2024

I still need to get some signature information into the tests before this is ready for review.

@ralphbean @wagoodman
feat: expose rpm signature information
49dc367 
This helps with more confident identification of an rpm.

In theory, two rpms can be built that have the same purl string, and
otherwise look identical in syft's output, but the PGP information
would distinguish them as signed either by different keys, or signed at
different times.

In practice, this usually makes no difference since rpms tend to have
unique name/version/release strings. This just gives increased
confidence about the identity of the rpm found in the db.

Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean @wagoodman
chore: generate json schema
3a64d61 
Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean
Copy link
Contributor Author

ralphbean commented Sep 15, 2024

(I spent some time trying to get the test suite working locally on main branch, but have so far failed. Just FYI, I'm not totally ignoring this.)

@wagoodman
Copy link
Contributor

wagoodman commented Oct 23, 2024

no problem @ralphbean -- shout out if there is something we can do to help!

wagoodman added 2 commits May 8, 2025 15:58
@wagoodman
Merge remote-tracking branch 'origin/main' into rpm-pgp
46345c6 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
re-generate json schema
71a242f 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Copy link
Contributor

wagoodman commented May 8, 2025

The upstream lib doesn't seem to be working when the backing store is sqlite (where it is working when it's bdb)

Screenshot 2025-05-08 at 4 24 53 PM

Technically that doesn't affect the functionality, but it does make generating a test case a little harder. I might poke upstream to see what's going on.

@wagoodman
rename to a more generic signature field
19c372e 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Copy link
Contributor

wagoodman commented May 12, 2025
edited
Loading

I've got a fix upstream for this knqyf263/go-rpmdb#58, which would populate a new RSAHeader field. Pushing the code change that requires this (so everythin should fail) but once merged upstream we can update this branch to use the released code then rerun.

@wagoodman
rename rpm.pgp to rpm.signatures
7319b13 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman self-assigned this May 12, 2025
@wagoodman wagoodman added this to OSS May 12, 2025
@wagoodman wagoodman moved this to In Progress in OSS May 12, 2025
wagoodman added 3 commits May 15, 2025 09:12
@wagoodman
split out signature fields
db797d1 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Merge remote-tracking branch 'origin/main' into rpm-pgp
b493bb9 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
bump json schema
21897da 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Copy link
Contributor

wagoodman commented May 15, 2025

We don't have to wait for upstream to merge this -- we'll use the fork for now and when merged, switch to using upstream again.

@wagoodman wagoodman marked this pull request as ready for review May 15, 2025 13:16
@wagoodman
include RPM archives
44cf17a 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman changed the title feat: expose rpm signature information Expose rpm signature information (for RPM DB and RPM archives) May 15, 2025
@wagoodman wagoodman moved this from In Progress to In Review in OSS May 15, 2025
@wagoodman
update json schema
8ec7ba2 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman changed the title Expose rpm signature information (for RPM DB and RPM archives) Expose RPM signature information (for RPM DB and RPM archives) May 15, 2025
@wagoodman
dont fail on unknown signature type
0ebd1f2 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman enabled auto-merge (squash) May 15, 2025 15:49
This was referenced May 15, 2025
Open
Open
@wagoodman wagoodman merged commit b369b02 into anchore:main May 15, 2025
13 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS May 15, 2025
@wagoodman wagoodman mentioned this pull request May 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

@wagoodman wagoodman

Labels

json-schema Changes the json schema

Projects

OSS
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ralphbean @wagoodman