From a22f12ab6a68499e10d26e1ee7559a448711c12a Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Mon, 27 May 2024 19:04:49 +0300 Subject: [PATCH] install: Detect bad file permissions in RPMs When building the Dangerzone RPM package, detect if the files bundled in it have any incorrect permissions. We have seen in the past that building RPMs from the Dangerzone source, mounted to a macOS Docker container, can lead to files readable only by the root user (600 / rw-------). Refs #727 --- install/linux/dangerzone.spec | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/install/linux/dangerzone.spec b/install/linux/dangerzone.spec index c4d37fa..33e875e 100644 --- a/install/linux/dangerzone.spec +++ b/install/linux/dangerzone.spec @@ -258,6 +258,17 @@ install -m 755 -d %{buildroot}/etc/qubes-rpc install -m 755 qubes/* %{buildroot}/etc/qubes-rpc %endif +%check +# Detect if the filesystem has been affecting our file permissions. +bad_files=$(find %{buildroot} -perm 0600) +if [ -n "${bad_files}" ]; then + echo "Error while building the Dangerzone RPM. Detected the following files with wrong permissions (600):" + echo ${bad_files} + echo "" + echo "For more info about this error, see https://github.com/freedomofpress/dangerzone/issues/727" + exit 1 +fi + %files -f %{pyproject_files} /usr/bin/dangerzone /usr/bin/dangerzone-cli
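Review bot: The `find %{buildroot} -perm 0600` test in the new `%check` section matches only entries whose mode is exactly 600, so the same filesystem problem showing up as 0400, 0640 or 0700 would still pass the build, as would a world-writable file. If the package is not meant to ship anything unreadable by other users (an assumption to confirm against the `%files` list), a bitwise test such as `bad_files=$(find %{buildroot} ! -type l \( ! -perm -004 -o -perm -002 \))` covers those cases; the "(600)" in the error message would then need rewording. Separately, `echo ${bad_files}` is unquoted, so the list is word-split and glob-expanded onto a single line; `echo "${bad_files}"` keeps one path per line and prints the names exactly as `find` reported them.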