daemon/rpm-c.c: Disable signature checking in librpm
Older distros (eg CentOS 6) used SHA-1 RPM package signatures which
some newer distros (eg RHEL 9.0) prevent us from verifying.

This resulted in packages with SHA-1 signatures being skipped by
librpm (there is a warning in debug output, but if you're not looking
at that then the package is silently ignored).  In some cases
essential packages like the kernel were skipped, which would be
visible as a failure of virt-v2v.  In other cases (eg virt-inspector)
you'd just see fewer installed packages in the <applications> list.

Since verifying package signatures is not essential for inspection,
disable this feature in librpm.

Reported-by: Xiaodai Wang
Thanks: Panu Matilainen
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2064182
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
rwmjones committed Mar 15, 2022
1 parent 1b61ad0 commit aa6f803
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions daemon/rpm-c.c
Expand Up @@ -90,7 +90,12 @@ value
guestfs_int_daemon_rpm_start_iterator (value unitv)
{
CAMLparam1 (unitv);

ts = rpmtsCreate ();

/* Disable signature checking (RHBZ#2064182). */
rpmtsSetVSFlags (ts, rpmtsVSFlags (ts) | RPMVSF_MASK_NOSIGNATURES);

iter = rpmtsInitIterator (ts, RPMDBI_PACKAGES, NULL, 0);
CAMLreturn (Val_unit);
}
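Review bot: The comment added above the rpmtsSetVSFlags call gives the bug number but not the reason that skipping verification is acceptable at this point. In the lines shown, ts is only passed to rpmtsInitIterator to walk RPMDBI_PACKAGES, so the comment should say that this transaction set is used for read-only inspection of the guest's package database and must not be reused for any operation where signature results matter. Separately, RPMVSF_MASK_NOSIGNATURES masks signature checks only and leaves digest checks enabled; please confirm against a SHA-1-signed guest (CentOS 6, as in the commit message) that no package is still skipped on a digest, and add RPMVSF_MASK_NODIGESTS only if that test shows it is needed.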