From de2787a4939ffdc11184a2115289cfb097272ba2 Mon Sep 17 00:00:00 2001 From: Jason Song Date: Wed, 7 Aug 2024 23:29:08 +0800 Subject: [PATCH 1/2] Add `TAGS` to `TEST_TAGS` and fix bugs found with gogit (#31791) Found at https://github.com/go-gitea/gitea/pull/31790#issuecomment-2272898915 `unit-tests-gogit` never work since the workflow set `TAGS` with `gogit`, but the Makefile use `TEST_TAGS`. This PR adds the values of `TAGS` to `TEST_TAGS`, ensuring that setting `TAGS` is always acceptable and avoiding confusion about which one should be set.
---
 Makefile | 2 +- modules/git/blame_sha256_test.go | 5 +++++ modules/git/repo_tree_gogit.go | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 378de6e8f4..0f72f97673 100644
--- a/Makefile
+++ b/Makefile
@@ -137,7 +137,7 @@ TAGS ?=
 TAGS_SPLIT := $(subst $(COMMA), ,$(TAGS))
 TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags
-TEST_TAGS ?= sqlite sqlite_unlock_notify
+TEST_TAGS ?= $(TAGS_SPLIT) sqlite sqlite_unlock_notify
 TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMANTIC_WORK_DIR)/node_modules $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR) $(GO_LICENSE_TMP_DIR)
diff --git a/modules/git/blame_sha256_test.go b/modules/git/blame_sha256_test.go
index 8cd345714f..da451f22fc 100644
--- a/modules/git/blame_sha256_test.go
+++ b/modules/git/blame_sha256_test.go
@@ -14,6 +14,11 @@ func TestReadingBlameOutputSha256(t *testing.T) {
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
+ if isGogit {
+ t.Skip("Skipping test since gogit does not support sha256")
+ return
+ }
+ t.Run("Without .git-blame-ignore-revs", func(t *testing.T) {
 repo, err := OpenRepository(ctx, "./tests/repos/repo5_pulls_sha256")
 assert.NoError(t, err)
diff --git a/modules/git/repo_tree_gogit.go b/modules/git/repo_tree_gogit.go
index dc97ce1344..651794a5aa 100644
--- a/modules/git/repo_tree_gogit.go
+++ b/modules/git/repo_tree_gogit.go
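Review bot: The `return` after `t.Skip(...)` in the added `if isGogit` block of blame_sha256_test.go is dead code, because `t.Skip` already stops the test goroutine; the line can be dropped. The guard also sits after `context.WithCancel`, which is harmless since the deferred `cancel()` still runs, but moving it to the top of the test makes the precondition visible before any setup: `if isGogit { t.Skip("gogit does not support sha256") }`. The test function continues past the end of the hunk.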
@@ -6,11 +6,20 @@ package git
-import "github.com/go-git/go-git/v5/plumbing"
+import (
+ "errors"
+
+ "github.com/go-git/go-git/v5/plumbing"
+)
 func (repo *Repository) getTree(id ObjectID) (*Tree, error) {
 gogitTree, err := repo.gogitRepo.TreeObject(plumbing.Hash(id.RawValue()))
 if err != nil {
+ if errors.Is(err, plumbing.ErrObjectNotFound) {
+ return nil, ErrNotExist{
+ ID: id.String(),
+ }
+ }
 return nil, err
 }
From 3862b31abb0fcc094e9d042a7093b8bb3af9f885 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Thu, 8 Aug 2024 11:43:04 +0200 Subject: [PATCH 2/2] Fix RPM resource leak (#31794) Fixes a resource leak introduced by #27069. - add defer - move sign code out of `repository.go`
---
 routers/api/packages/rpm/rpm.go | 9 ++++--- services/packages/rpm/repository.go | 32 ----------------------- services/packages/rpm/sign.go | 39 +++++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 36 deletions(-) create mode 100644 services/packages/rpm/sign.go
diff --git a/routers/api/packages/rpm/rpm.go b/routers/api/packages/rpm/rpm.go
index 4c822e0999..a00a61c079 100644
--- a/routers/api/packages/rpm/rpm.go
+++ b/routers/api/packages/rpm/rpm.go
@@ -133,19 +133,20 @@ func UploadPackageFile(ctx *context.Context) {
 }
 defer buf.Close()
- // if rpm sign enabled
 if setting.Packages.DefaultRPMSignEnabled || ctx.FormBool("sign") {
- pri, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
+ priv, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
 if err != nil {
 apiError(ctx, http.StatusInternalServerError, err)
 return
 }
- buf, err = rpm_service.SignPackage(buf, pri)
+ signedBuf, err := rpm_service.SignPackage(buf, priv)
 if err != nil {
- // Not in rpm format, parsing failed.
 apiError(ctx, http.StatusBadRequest, err)
 return
 }
+ defer signedBuf.Close()
+
+ buf = signedBuf
 }
 pck, err := rpm_module.ParsePackage(buf)
diff --git a/services/packages/rpm/repository.go b/services/packages/rpm/repository.go
index 19968f9b30..bc342e53ab 100644
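Review bot: The new `errors.Is(err, plumbing.ErrObjectNotFound)` branch in `getTree` changes which error callers receive for a missing tree, but nothing at that spot says why the translation is needed. I would add a comment above the branch such as `// Report a missing object as ErrNotExist so callers can tell "not found" apart from storage failures.` If the intent is parity with the non-gogit build, which this patch does not show, say so in the same comment. The patch adds no test that pins the mapping under the `gogit` tag, and `getTree` continues past the end of the hunk.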
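Review bot: Every failure of `rpm_service.SignPackage` in `UploadPackageFile` is still answered with `http.StatusBadRequest`, and the hunk removes the comment that explained that choice. As added in sign.go, SignPackage also fails when the owner's stored key does not parse or when seeking or re-buffering fails; those are server-side faults, so a 400 blames the uploader and, depending on what `apiError` writes (not visible here), may echo key-handling detail to the client. Consider answering 500 for those cases, or at least keep a comment stating the assumption, e.g. `// SignPackage errors are treated as a malformed upload`. The defers themselves look right: `defer buf.Close()` binds the original buffer before `buf = signedBuf`, so both buffers are closed. The function starts and ends outside the hunk.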
--- a/services/packages/rpm/repository.go
+++ b/services/packages/rpm/repository.go
@@ -21,7 +21,6 @@ import (
 rpm_model "code.gitea.io/gitea/models/packages/rpm"
 user_model "code.gitea.io/gitea/models/user"
 "code.gitea.io/gitea/modules/json"
- "code.gitea.io/gitea/modules/log"
 packages_module "code.gitea.io/gitea/modules/packages"
 rpm_module "code.gitea.io/gitea/modules/packages/rpm"
 "code.gitea.io/gitea/modules/util"
@@ -30,7 +29,6 @@ import (
 "github.com/ProtonMail/go-crypto/openpgp"
 "github.com/ProtonMail/go-crypto/openpgp/armor"
 "github.com/ProtonMail/go-crypto/openpgp/packet"
- "github.com/sassoftware/go-rpmutils"
 )
 // GetOrCreateRepositoryVersion gets or creates the internal repository package
@@ -643,33 +641,3 @@ func addDataAsFileToRepo(ctx context.Context, pv *packages_model.PackageVersion,
 OpenSize: wc.Written(),
 }, nil
 }
-
-func SignPackage(rpm *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
- keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(privateKey)))
- if err != nil {
- // failed to parse key
- return nil, err
- }
- entity := keyring[0]
- h, err := rpmutils.SignRpmStream(rpm, entity.PrivateKey, nil)
- if err != nil {
- // error signing rpm
- return nil, err
- }
- signBlob, err := h.DumpSignatureHeader(false)
- if err != nil {
- // error writing sig header
- return nil, err
- }
- if len(signBlob)%8 != 0 {
- log.Info("incorrect padding: got %d bytes, expected a multiple of 8", len(signBlob))
- return nil, err
- }
-
- // move fp to sign end
- if _, err := rpm.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
- return nil, err
- }
- // create signed rpm buf
- return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), rpm))
-}
diff --git a/services/packages/rpm/sign.go b/services/packages/rpm/sign.go
new file mode 100644
index 0000000000..820355a638
--- /dev/null
+++ b/services/packages/rpm/sign.go
@@ -0,0 +1,39 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package rpm
+
+import (
+ "bytes"
+ "io"
+ "strings"
+
+ packages_module "code.gitea.io/gitea/modules/packages"
+
+ "github.com/ProtonMail/go-crypto/openpgp"
+ "github.com/sassoftware/go-rpmutils"
+)
+
+func SignPackage(buf *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
+ keyring, err := openpgp.ReadArmoredKeyRing(strings.NewReader(privateKey))
+ if err != nil {
+ return nil, err
+ }
+
+ h, err := rpmutils.SignRpmStream(buf, keyring[0].PrivateKey, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ signBlob, err := h.DumpSignatureHeader(false)
+ if err != nil {
+ return nil, err
+ }
+
+ if _, err := buf.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
+ return nil, err
+ }
+
+ // create new buf with signature prefix
+ return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), buf))
+}
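Review bot: `keyring[0].PrivateKey` in `SignPackage` is used without checking that the parsed ring holds an entity with a private key, so if the stored key material ever parses to an empty ring or to a public-only entity, the index panics or a nil key reaches `rpmutils.SignRpmStream` inside the upload request. A guard right after `ReadArmoredKeyRing` closes that: `if len(keyring) == 0 || keyring[0].PrivateKey == nil { return nil, errors.New("signing key ring has no private key") }` (needs the `errors` import). The move also drops the old `len(signBlob)%8` padding check without mention in the commit message; if it was redundant, the message or a comment should say so. The exported function has no doc comment: it should state that `buf` is read and repositioned, and that the caller owns the returned buffer and must close it, which is the leak this commit fixes.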