meta-integrity: rpm: Add back in required patches for rocko

In 59a9f43b899c ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream.  However, rocko ships with an older version
of RPM and still needs these patches.  Add conditional logic to apply
these patches only for rocko.

Signed-off-by: Tom Rini <trini@konsulko.com>

12 files changed, 797 insertions, 0 deletions

diff --git a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
index 1945cc2..172d5a2 100644
--- a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
+++ b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
@@ -1,5 +1,20 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/rpm:"
 
+ROCKO_SRC_URI = "\
+    file://0001-Pass-sign-arguments-to-signature-deletion-too.patch \
+    file://0002-Beat-some-sense-into-rpmsign-cli-parsing.patch \
+    file://0003-Fix-thinko-typo-in-file-signing-error-message.patch \
+    file://0004-Bury-get_fskpass-inside-rpmsign-utility.patch \
+    file://0005-Dont-advertise-file-signing-features-if-support-not-.patch \
+    file://0006-Remove-bunch-of-redundant-environ-declarations.patch \
+    file://0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch \
+    file://0008-Move-key-password-helper-variables-to-local-scope.patch \
+    file://0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch \
+    file://0010-Fix-a-number-of-problems-in-get_fskpass.patch \
+    file://0011-Bump-file-digests-to-SHA256-by-default-finally.patch \
+"
+SRC_URI += "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'rocko', '${ROCKO_SRC_URI}', '', d)}"
+
 PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'imaevm', '', d)}"
 
 # IMA signing support is provided by RPM plugin.
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch b/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch
new file mode 100644
index 0000000..a2c453f
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch
@@ -0,0 +1,162 @@
+From 23dc36f0d587495f2d29ebefd9e46437069b5a2d Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 29 May 2017 16:11:55 +0300
+Subject: [PATCH] Pass sign arguments to signature deletion too
+
+Refactor rpmsign and python bindings to be more similar on both
+addsign/delsign operations, and always pass the signing arguments
+along. Deletion doesn't actually (yet) use the arguments for anything
+but makes things more symmetric (I remember having doubts about
+this when adding - reminder to self: if in doubt, add more arguments ;)
+
+Yet another API break, but what the hey... Other than that, behavior is
+not supposed to change here.
+---
+ python/rpmsmodule.c | 28 ++++++++++++++++------------
+ rpmsign.c           | 13 +++++++------
+ sign/rpmgensig.c    |  2 +-
+ sign/rpmsign.h      |  3 ++-
+ 4 files changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/python/rpmsmodule.c b/python/rpmsmodule.c
+index 0601353b9..72465221d 100644
+--- a/python/rpmsmodule.c
++++ b/python/rpmsmodule.c
+@@ -5,32 +5,36 @@
+ static char rpms__doc__[] =
+ "";
+ 
++static int parseSignArgs(PyObject * args, PyObject *kwds,
++                       const char **path, struct rpmSignArgs *sargs)
++{
++    char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
++
++    memset(sargs, 0, sizeof(*sargs));
++    return PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
++                                   path, &sargs->keyid, &sargs->hashalgo);
++}
++
+ static PyObject * addSign(PyObject * self, PyObject * args, PyObject *kwds)
+ {
+     const char *path = NULL;
+-    char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
+-    struct rpmSignArgs sig, *sigp = NULL;
++    struct rpmSignArgs sargs;
+ 
+-    memset(&sig, 0, sizeof(sig));
+-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
+-                               &path, &sig.keyid, &sig.hashalgo))
++    if (parseSignArgs(args, kwds, &path, &sargs))
+        return NULL;
+ 
+-    if (sig.keyid || sig.hashalgo)
+-       sigp = &sig;
+-
+-    return PyBool_FromLong(rpmPkgSign(path, sigp) == 0);
++    return PyBool_FromLong(rpmPkgSign(path, &sargs) == 0);
+ }
+ 
+ static PyObject * delSign(PyObject * self, PyObject * args, PyObject *kwds)
+ {
+     const char *path = NULL;
+-    char * kwlist[] = { "path", NULL };
++    struct rpmSignArgs sargs;
+ 
+-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", kwlist, &path))
++    if (parseSignArgs(args, kwds, &path, &sargs))
+        return NULL;
+ 
+-    return PyBool_FromLong(rpmPkgDelSign(path) == 0);
++    return PyBool_FromLong(rpmPkgDelSign(path, &sargs) == 0);
+ }
+ 
+ /*
+diff --git a/rpmsign.c b/rpmsign.c
+index 3834b505e..0402af556 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -25,6 +25,8 @@ static int signfiles = 0, fskpass = 0;
+ static char * fileSigningKey = NULL;
+ static char * fileSigningKeyPassword = NULL;
+ 
++static struct rpmSignArgs sargs = {NULL, 0, 0};
++
+ static struct poptOption signOptsTable[] = {
+     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
+        N_("sign package(s)"), NULL },
+@@ -54,11 +56,10 @@ static struct poptOption optionsTable[] = {
+ };
+ 
+ /* TODO: permit overriding macro setup on the command line */
+-static int doSign(poptContext optCon)
++static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+ {
+     int rc = EXIT_FAILURE;
+     char * name = rpmExpand("%{?_gpg_name}", NULL);
+-    struct rpmSignArgs sig = {NULL, 0, 0};
+     char *key = NULL;
+ 
+     if (rstreq(name, "")) {
+@@ -92,13 +93,13 @@ static int doSign(poptContext optCon)
+            free(fileSigningKeyPassword);
+        }
+ 
+-       sig.signfiles = 1;
++       sargs->signfiles = 1;
+     }
+ 
+     const char *arg;
+     rc = 0;
+     while ((arg = poptGetArg(optCon)) != NULL) {
+-       rc += rpmPkgSign(arg, &sig);
++       rc += rpmPkgSign(arg, sargs);
+     }
+ 
+ exit:
+@@ -133,12 +134,12 @@ int main(int argc, char *argv[])
+     switch (mode) {
+     case MODE_ADDSIGN:
+     case MODE_RESIGN:
+-       ec = doSign(optCon);
++       ec = doSign(optCon, &sargs);
+        break;
+     case MODE_DELSIGN:
+        ec = 0;
+        while ((arg = poptGetArg(optCon)) != NULL) {
+-           ec += rpmPkgDelSign(arg);
++           ec += rpmPkgDelSign(arg, &sargs);
+        }
+        break;
+     default:
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index 4f5ff7b59..32bcfb3fb 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -863,7 +863,7 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args)
+     return rc;
+ }
+ 
+-int rpmPkgDelSign(const char *path)
++int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
+ {
+     return rpmSign(path, 1, 0);
+ }
+diff --git a/sign/rpmsign.h b/sign/rpmsign.h
+index b41e3caab..bed8d6245 100644
+--- a/sign/rpmsign.h
++++ b/sign/rpmsign.h
+@@ -31,9 +31,10 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
+ /** \ingroup rpmsign
+  * Delete signature(s) from a package
+  * @param path         path to package
++ * @param args         signing parameters (or NULL for defaults)
+  * @return             0 on success
+  */
+-int rpmPkgDelSign(const char *path);
++int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
+ 
+ #ifdef __cplusplus
+ }
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch b/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch
new file mode 100644
index 0000000..34f35bc
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch
@@ -0,0 +1,43 @@
+From 8bcfd98c0545eaf98bbc99e56cc2118c995a8fad Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 8 Jun 2017 12:39:53 +0300
+Subject: [PATCH] Beat some sense into rpmsign cli parsing
+
+Separate missing mode and several modes, print usage in the former
+and mumble about modes only if more than one actually specified.
+---
+ rpmsign.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index 0402af556..de6f79384 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -14,12 +14,13 @@ char ** environ = NULL;
+ #endif
+ 
+ enum modes {
++    MODE_NONE    = 0,
+     MODE_ADDSIGN = (1 << 0),
+     MODE_RESIGN  = (1 << 1),
+     MODE_DELSIGN = (1 << 2),
+ };
+ 
+-static int mode = 0;
++static int mode = MODE_NONE;
+ 
+ static int signfiles = 0, fskpass = 0;
+ static char * fileSigningKey = NULL;
+@@ -142,6 +143,9 @@ int main(int argc, char *argv[])
+            ec += rpmPkgDelSign(arg, &sargs);
+        }
+        break;
++    case MODE_NONE:
++       printUsage(optCon, stderr, 0);
++       break;
+     default:
+        argerror(_("only one major mode may be specified"));
+        break;
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch b/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch
new file mode 100644
index 0000000..5452778
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch
@@ -0,0 +1,25 @@
+From 26cae3941f68c96e44d8126fea330ef7f0327913 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 8 Jun 2017 12:42:00 +0300
+Subject: [PATCH] Fix %% -> $$ thinko/typo in file signing error message
+
+---
+ rpmsign.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index de6f79384..66ab8e5eb 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -75,7 +75,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+     if (signfiles) {
+        key = rpmExpand("%{?_file_signing_key}", NULL);
+        if (rstreq(key, "")) {
+-           fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
++           fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+            goto exit;
+        }
+ 
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch b/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch
new file mode 100644
index 0000000..6906a39
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch
@@ -0,0 +1,145 @@
+From 5a76125050c2f389cdc1c3017dff5fec4aef7e57 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 8 Jun 2017 16:55:16 +0300
+Subject: [PATCH] Bury get_fskpass() inside rpmsign utility
+
+librpm is not in the business of providing terminal utility functions,
+file signing might well need to ask for passwords but it doesn't
+have to be a non-prefixed function in a shared library. The library
+provides means to *pass* the password and its up to calling applications
+to ask for it if needed.
+---
+ lib/rpmsignfiles.c | 35 -----------------------------------
+ lib/rpmsignfiles.h |  2 --
+ rpmsign.c          | 37 ++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 36 insertions(+), 38 deletions(-)
+
+diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
+index 87e4e4265..aacb34647 100644
+--- a/lib/rpmsignfiles.c
++++ b/lib/rpmsignfiles.c
+@@ -7,8 +7,6 @@
+ #include "system.h"
+ #include "imaevm.h"
+ 
+-#include <termios.h>
+-
+ #include <rpm/rpmlog.h>                /* rpmlog */
+ #include <rpm/rpmstring.h>     /* rnibble */
+ #include <rpm/rpmpgp.h>                /* rpmDigestLength */
+@@ -34,39 +32,6 @@ static const char *hash_algo_name[] = {
+ 
+ #define ARRAY_SIZE(a)  (sizeof(a) / sizeof(a[0]))
+ 
+-char *get_fskpass(void)
+-{
+-    struct termios flags, tmp_flags;
+-    char *password, *pwd;
+-    int passlen = 64;
+-
+-    password = malloc(passlen);
+-    if (!password) {
+-       perror("malloc");
+-       return NULL;
+-    }
+-
+-    tcgetattr(fileno(stdin), &flags);
+-    tmp_flags = flags;
+-    tmp_flags.c_lflag &= ~ECHO;
+-    tmp_flags.c_lflag |= ECHONL;
+-
+-    if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
+-       perror("tcsetattr");
+-       return NULL;
+-    }
+-
+-    printf("PEM password: ");
+-    pwd = fgets(password, passlen, stdin);
+-    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
+-
+-    if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
+-       perror("tcsetattr");
+-       return NULL;
+-    }
+-    return pwd;
+-}
+-
+ static char *signFile(const char *algo, const char *fdigest, int diglen,
+ const char *key, char *keypass)
+ {
+diff --git a/lib/rpmsignfiles.h b/lib/rpmsignfiles.h
+index 52e2482a9..70ed69412 100644
+--- a/lib/rpmsignfiles.h
++++ b/lib/rpmsignfiles.h
+@@ -14,8 +14,6 @@ extern "C" {
+  */
+ rpmRC rpmSignFiles(Header h, const char *key, char *keypass);
+ 
+-char *get_fskpass(void); /* get file signing key password */
+-
+ #ifdef _cplusplus
+ }
+ #endif
+diff --git a/rpmsign.c b/rpmsign.c
+index 66ab8e5eb..6cd63d872 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -1,12 +1,12 @@
+ #include "system.h"
+ #include <errno.h>
+ #include <sys/wait.h>
++#include <termios.h>
+ 
+ #include <popt.h>
+ #include <rpm/rpmcli.h>
+ #include <rpm/rpmsign.h>
+ #include "cliutils.h"
+-#include "lib/rpmsignfiles.h"
+ #include "debug.h"
+ 
+ #if !defined(__GLIBC__) && !defined(__APPLE__)
+@@ -56,6 +56,41 @@ static struct poptOption optionsTable[] = {
+     POPT_TABLEEND
+ };
+ 
++#ifdef WITH_IMAEVM
++static char *get_fskpass(void)
++{
++    struct termios flags, tmp_flags;
++    char *password, *pwd;
++    int passlen = 64;
++
++    password = malloc(passlen);
++    if (!password) {
++       perror("malloc");
++       return NULL;
++    }
++
++    tcgetattr(fileno(stdin), &flags);
++    tmp_flags = flags;
++    tmp_flags.c_lflag &= ~ECHO;
++    tmp_flags.c_lflag |= ECHONL;
++
++    if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
++       perror("tcsetattr");
++       return NULL;
++    }
++
++    printf("PEM password: ");
++    pwd = fgets(password, passlen, stdin);
++    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
++
++    if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
++       perror("tcsetattr");
++       return NULL;
++    }
++    return pwd;
++}
++#endif
++
+ /* TODO: permit overriding macro setup on the command line */
+ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+ {
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch
new file mode 100644
index 0000000..a3d0e24
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch
@@ -0,0 +1,87 @@
+From a77d2d3476919fdbcba9baf0dd44c98db1620360 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 8 Jun 2017 17:36:28 +0300
+Subject: [PATCH] Dont advertise file signing features if support not built in
+
+ifdef the whole thing out when not enabled, instead of blurting out
+obscure error messages. A few to many ifdefs for my taste but
+that's a topic for another day...
+---
+ rpmsign.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index 6cd63d872..dce342af0 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -22,9 +22,11 @@ enum modes {
+ 
+ static int mode = MODE_NONE;
+ 
++#ifdef WITH_IMAEVM
+ static int signfiles = 0, fskpass = 0;
+ static char * fileSigningKey = NULL;
+ static char * fileSigningKeyPassword = NULL;
++#endif
+ 
+ static struct rpmSignArgs sargs = {NULL, 0, 0};
+ 
+@@ -35,6 +37,7 @@ static struct poptOption signOptsTable[] = {
+        N_("sign package(s) (identical to --addsign)"), NULL },
+     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
+        N_("delete package signatures"), NULL },
++#ifdef WITH_IMAEVM
+     { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+        N_("sign package(s) files"), NULL},
+     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+@@ -42,6 +45,7 @@ static struct poptOption signOptsTable[] = {
+        N_("<key>") },
+     { "fskpass", '\0', POPT_ARG_NONE, &fskpass, 0,
+        N_("prompt for file signing key password"), NULL},
++#endif
+     POPT_TABLEEND
+ };
+ 
+@@ -103,6 +107,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+        goto exit;
+     }
+ 
++#ifdef WITH_IMAEVM
+     if (fileSigningKey) {
+        rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+     }
+@@ -115,11 +120,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+        }
+ 
+        if (fskpass) {
+-#ifndef WITH_IMAEVM
+-           argerror(_("--fskpass may only be specified when signing files"));
+-#else
+            fileSigningKeyPassword = get_fskpass();
+-#endif
+        }
+ 
+        rpmPushMacro(NULL, "_file_signing_key_password", NULL,
+@@ -131,6 +132,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+ 
+        sargs->signfiles = 1;
+     }
++#endif
+ 
+     const char *arg;
+     rc = 0;
+@@ -163,9 +165,11 @@ int main(int argc, char *argv[])
+        argerror(_("no arguments given"));
+     }
+ 
++#ifdef WITH_IMAEVM
+     if (fileSigningKey && !signfiles) {
+        argerror(_("--fskpath may only be specified when signing files"));
+     }
++#endif
+ 
+     switch (mode) {
+     case MODE_ADDSIGN:
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch b/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch
new file mode 100644
index 0000000..8260865
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch
@@ -0,0 +1,85 @@
+From 8fae14f4dfc655dabd3de11be4d7e9b7c1cb6898 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 9 Jun 2017 11:37:03 +0300
+Subject: [PATCH] Remove bunch of redundant environ declarations
+
+rpmsign.c used to actually use "environ" to pass to execve(), but
+that call moved to librpmsign a long, long time ago. rpmdb.c and
+rpmkeys.c never used it at all but guess it was copy-paste inherited
+from rpmsign.c back in the day (dfbaa77152ccf98524c4f27afe85d32e6f690522)
+
+rpmgensig.c actually refers to environ, but this is a POSIX required
+variable and while Apple has managed to screw it up, it's handled
+in system.h and that must be sufficient for all relevant systems
+as we also refer to environ in rpmfileutil.c open_dso() and there's
+no fake environ definition there. So drop the one in rpmgensig.c too.
+---
+ rpmdb.c          | 4 ----
+ rpmkeys.c        | 4 ----
+ rpmsign.c        | 4 ----
+ sign/rpmgensig.c | 4 ----
+ 4 files changed, 16 deletions(-)
+
+diff --git a/rpmdb.c b/rpmdb.c
+index 67630d00c..25c088da9 100644
+--- a/rpmdb.c
++++ b/rpmdb.c
+@@ -6,10 +6,6 @@
+ #include "cliutils.h"
+ #include "debug.h"
+ 
+-#if !defined(__GLIBC__) && !defined(__APPLE__)
+-char ** environ = NULL;
+-#endif
+-
+ enum modes {
+     MODE_INITDB                = (1 << 0),
+     MODE_REBUILDDB     = (1 << 1),
+diff --git a/rpmkeys.c b/rpmkeys.c
+index 0ecc65ed1..2b60a729e 100644
+--- a/rpmkeys.c
++++ b/rpmkeys.c
+@@ -5,10 +5,6 @@
+ #include "cliutils.h"
+ #include "debug.h"
+ 
+-#if !defined(__GLIBC__) && !defined(__APPLE__)
+-char ** environ = NULL;
+-#endif
+-
+ enum modes {
+     MODE_CHECKSIG      = (1 << 0),
+     MODE_IMPORTKEY     = (1 << 1),
+diff --git a/rpmsign.c b/rpmsign.c
+index dce342af0..04738c052 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -9,10 +9,6 @@
+ #include "cliutils.h"
+ #include "debug.h"
+ 
+-#if !defined(__GLIBC__) && !defined(__APPLE__)
+-char ** environ = NULL;
+-#endif
+-
+ enum modes {
+     MODE_NONE    = 0,
+     MODE_ADDSIGN = (1 << 0),
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index 141ad1530..5c04e9218 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -25,10 +25,6 @@
+ 
+ #include "debug.h"
+ 
+-#if !defined(__GLIBC__) && !defined(__APPLE__)
+-char ** environ = NULL;
+-#endif
+-
+ typedef struct sigTarget_s {
+     FD_t fd;
+     const char *fileName;
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch b/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch
new file mode 100644
index 0000000..cdfc2a0
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch
@@ -0,0 +1,43 @@
+From 5a6acd24a55d31a7c7e68dc4e46149598f1699a4 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 9 Jun 2017 12:33:23 +0300
+Subject: [PATCH] Dont push NULL-bodied macros (in case of get_fskpass()
+ failure)
+
+---
+ rpmsign.c        | 4 ++--
+ sign/rpmgensig.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index 04738c052..578079a4d 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -119,9 +119,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+            fileSigningKeyPassword = get_fskpass();
+        }
+ 
+-       rpmPushMacro(NULL, "_file_signing_key_password", NULL,
+-           fileSigningKeyPassword, RMIL_CMDLINE);
+        if (fileSigningKeyPassword) {
++           rpmPushMacro(NULL, "_file_signing_key_password", NULL,
++                       fileSigningKeyPassword, RMIL_CMDLINE);
+            memset(fileSigningKeyPassword, 0, strlen(fileSigningKeyPassword));
+            free(fileSigningKeyPassword);
+        }
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index 5c04e9218..073136364 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -538,7 +538,7 @@ static rpmRC includeFileSignatures(FD_t fd, const char *rpm,
+ 
+     key = rpmExpand("%{?_file_signing_key}", NULL);
+ 
+-    keypass = rpmExpand("%{_file_signing_key_password}", NULL);
++    keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
+     if (rstreq(keypass, "")) {
+        free(keypass);
+        keypass = NULL;
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch b/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch
new file mode 100644
index 0000000..362e0c1
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch
@@ -0,0 +1,58 @@
+From 46eadbf33d06a0a97be0845afe09873acb44af3c Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 9 Jun 2017 12:35:43 +0300
+Subject: [PATCH] Move key/password helper variables to local scope
+
+---
+ rpmsign.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index 578079a4d..35c5ee966 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -21,7 +21,6 @@ static int mode = MODE_NONE;
+ #ifdef WITH_IMAEVM
+ static int signfiles = 0, fskpass = 0;
+ static char * fileSigningKey = NULL;
+-static char * fileSigningKeyPassword = NULL;
+ #endif
+ 
+ static struct rpmSignArgs sargs = {NULL, 0, 0};
+@@ -96,7 +95,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+ {
+     int rc = EXIT_FAILURE;
+     char * name = rpmExpand("%{?_gpg_name}", NULL);
+-    char *key = NULL;
+ 
+     if (rstreq(name, "")) {
+        fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
+@@ -109,7 +107,8 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+     }
+ 
+     if (signfiles) {
+-       key = rpmExpand("%{?_file_signing_key}", NULL);
++       char *fileSigningKeyPassword = NULL;
++       char *key = rpmExpand("%{?_file_signing_key}", NULL);
+        if (rstreq(key, "")) {
+            fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+            goto exit;
+@@ -127,6 +126,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+        }
+ 
+        sargs->signfiles = 1;
++       free(key);
+     }
+ #endif
+ 
+@@ -137,7 +137,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
+     }
+ 
+ exit:
+-    free(key);
+     free(name);
+     return rc;
+ }
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch b/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch
new file mode 100644
index 0000000..4937c46
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch
@@ -0,0 +1,33 @@
+From 542f41a8bdc385ed849170565ac353956a47683a Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 9 Jun 2017 12:45:21 +0300
+Subject: [PATCH] Use rpm memory allocator so we dont need to check for return
+
+---
+ rpmsign.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index 35c5ee966..a59f2dc1c 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -59,14 +59,9 @@ static struct poptOption optionsTable[] = {
+ static char *get_fskpass(void)
+ {
+     struct termios flags, tmp_flags;
+-    char *password, *pwd;
+     int passlen = 64;
+-
+-    password = malloc(passlen);
+-    if (!password) {
+-       perror("malloc");
+-       return NULL;
+-    }
++    char *password = xmalloc(passlen);
++    char *pwd;
+ 
+     tcgetattr(fileno(stdin), &flags);
+     tmp_flags = flags;
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch b/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch
new file mode 100644
index 0000000..923de03
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch
@@ -0,0 +1,54 @@
+From 46c7bf438e5349676139dba0655faed3b2230827 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Fri, 9 Jun 2017 12:52:08 +0300
+Subject: [PATCH] Fix a number of problems in get_fskpass()
+
+Fix segfault in case of fgets() failure, fix memleak on password
+buffer on failure.
+---
+ rpmsign.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/rpmsign.c b/rpmsign.c
+index a59f2dc1c..ae86f666d 100644
+--- a/rpmsign.c
++++ b/rpmsign.c
+@@ -61,7 +61,7 @@ static char *get_fskpass(void)
+     struct termios flags, tmp_flags;
+     int passlen = 64;
+     char *password = xmalloc(passlen);
+-    char *pwd;
++    char *pwd = NULL;
+ 
+     tcgetattr(fileno(stdin), &flags);
+     tmp_flags = flags;
+@@ -70,17 +70,23 @@ static char *get_fskpass(void)
+ 
+     if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
+        perror("tcsetattr");
+-       return NULL;
++       goto exit;
+     }
+ 
+     printf("PEM password: ");
+     pwd = fgets(password, passlen, stdin);
+-    pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
+ 
+     if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
+        perror("tcsetattr");
+-       return NULL;
++       pwd = NULL;
++       goto exit;
+     }
++
++exit:
++    if (pwd)
++       pwd[strlen(pwd) - 1] = '\0';  /* remove newline */
++    else
++       free(password);
+     return pwd;
+ }
+ #endif
+-- 
+2.11.0
+
diff --git a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch b/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch
new file mode 100644
index 0000000..68d54ad
--- /dev/null
+++ b/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch
@@ -0,0 +1,47 @@
+From 0cd74ade37d16d282d13e781deb68a219b2c04b9 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 8 Mar 2017 14:51:45 +0200
+Subject: [PATCH] Bump file digests to SHA256 by default, finally
+
+As a part of modernizing the crypto used by rpm, it's way past time
+to use a stronger algorithm for the file digests. The jump from MD5
+is not entirely smooth but at least Fedora and RHEL did that ages ago
+and survived, others should too. And of course you can always flip
+it back to MD5 if you really need to, for eg building packages for
+ancient distro versions.
+
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ macros.in | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/macros.in b/macros.in
+index 72d4a51ed..49a3dab04 100644
+--- a/macros.in
++++ b/macros.in
+@@ -355,17 +355,17 @@ package or when debugging this package.\
+ 
+ #      Algorithm to use for generating file checksum digests on build.
+ #      If not specified or 0, MD5 is used.
+-#      WARNING: non-MD5 is backwards incompatible, don't enable lightly!
+-#      The supported algorithms may depend on NSS version, as of NSS
+-#      3.11.99.5 the following are supported:
++#      WARNING: non-MD5 is backwards incompatible with rpm < 4.6!
++#      The supported algorithms may depend on the underlying crypto
++#      implementation but generally at least the following are supported:
+ #      1       MD5 (default)
+ #      2       SHA1
+ #      8       SHA256
+ #      9       SHA384
+ #      10      SHA512
+ #
+-#%_source_filedigest_algorithm 1
+-#%_binary_filedigest_algorithm 1
++%_source_filedigest_algorithm  8
++%_binary_filedigest_algorithm  8
+ 
+ #      Configurable vendor information, same as Vendor: in a specfile.
+ #
+-- 
+2.11.0
+