The file signing key ID is an unsigned 32 bit value derived (typically) from
the last 4 bytes of the certificate's Subject Key ID field. If this happens to
be larger than a signed int's max value, rpmExpandNumeric clamps it to be
i32::MAX. This will result in the wrong value being embedded in the IMA
signature.
Use the C++ expand_numeric which returns an int64_t, which is enough to parse
any valid keyid.
Fixes: commit b186b739bb6d ("rpmsign: enable signing files with PKCS11 tokens")
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/4218
-- Commit Summary --
* rpmsign: handle _file_sign_key_id values greater than i32::MAX
-- File Changes --
M sign/rpmgensig.cc (9)
M tests/rpmsigdig.at (2)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/4218.patch
https://github.com/rpm-software-management/rpm/pull/4218.diff
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/4218
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/[email protected]>
_______________________________________________
Rpm-maint mailing list
[email protected]
https://lists.rpm.org/mailman/listinfo/rpm-maint
