authorPanu Matilainen <pmatilai@redhat.com>2022-11-23 13:39:59 +0200
committerMichal Domonkos <mdomonko@redhat.com>2023-03-13 15:32:25 +0100
commite970cfc0d5a25d1e37a00da7fabf98dd22efac35 (patch)
treeeaddc78f1ff2a1900c259aa73dd703b6786e78ce
parent9ae18b383e72f19e6a93f1e32630635a1c790bdf (diff)
downloadrpm-e970cfc0d5a25d1e37a00da7fabf98dd22efac35.tar.gz
Issue a warning when signing created an OpenPGP v3 signature
https://bugzilla.redhat.com/show_bug.cgi?id=2141686 revealed that much of the rpm-ecosystem is still using the obsolete v3 OpenPGP signature format, I think largely due to workarounds for legacy rpm versions (from around the turn of the millennium) that have just been forgotten in place. Let's at least issue a wake-up warning when that happens. Unfortunately this can't really be tested, as current GnuPG versions just ignore any --force-v3-sigs arguments. Fixes: #2286 (cherry picked from commit ee4356ef27180c370c311ce57d9829adc74264a1)
-rw-r--r--sign/rpmgensig.c7
1 files changed, 7 insertions, 0 deletions
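--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -140,6 +140,7 @@ static rpmtd makeSigTag(Header sigh, int ishdr, uint8_t *pkt, size_t pktlen)
 rpmtd sigtd = NULL;
 unsigned int hash_algo;
 unsigned int pubkey_algo;
+ int ver;
 if (pgpPrtParams(pkt, pktlen, PGPTAG_SIGNATURE, &sigp)) {
 rpmlog(RPMLOG_ERR, _("Unsupported PGP signature\n"));
@@ -168,6 +169,12 @@ static rpmtd makeSigTag(Header sigh, int ishdr, uint8_t *pkt, size_t pktlen)
 break;
 }
+ ver = pgpDigParamsVersion(sigp);
+ if (ver < 4) {
+ rpmlog(RPMLOG_WARNING, _("Deprecated OpenPGP signature version %d\n"),
+ ver);
+ }
+
 /* Looks sane, create the tag data */
 sigtd = rpmtdNew();
 sigtd->count = pktlen;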
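Review bot: The warning in the `ver < 4` branch reports only the version number, so a packager who inherited the legacy setup the description mentions has nothing to act on, and signing still proceeds and stores the v3 packet unchanged. Since the description already identifies a stale `--force-v3-sigs` as the usual cause, the message should say so, e.g. `_("Deprecated OpenPGP signature version %d (stale --force-v3-sigs in the signing command?)\n")`. A one-line comment above the check, such as `/* Warn rather than fail: callers may still depend on v3, but the setup should be fixed */`, would record why this is deliberately not an error. Although a live GnuPG run cannot produce a v3 signature, the branch could still be exercised by feeding a pre-generated v3-signed package fixture through the signing path. makeSigTag begins and ends outside the hunk.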