author | Anatol Pomozov <anatol.pomozov@gmail.com> | 2020-07-31 18:53:15 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2020-08-10 11:25:59 +0200 |
commit | f53ac85ff6cd2f74f8157f23a5e21650cd17f372 (patch) | |
tree | a3ae551555f12ae84d22fdc6de8021fb74d56391 /m4 | |
parent | 62246b9355867ab83566998303c921af6b1e38ef (diff) | |
download | pacman-f53ac85ff6cd2f74f8157f23a5e21650cd17f372.tar.gz pacman-f53ac85ff6cd2f74f8157f23a5e21650cd17f372.tar.xz |
Enable sha256/md5 hash verification if detached signatures are used
Pacman has multiple ways to verify package content integrity:
- gpg signature
- sha256
- md5
These verification mechanisms overlap each other. gpg signatures already contain
a hash value of the package content. So if a package signature is present then
pacman ignored the other 2 hash values. This worked well with signatures
embedded into pacman database.
Recently pacman got the ability to handle detached signatures (*.sig files
located next to the package files). If pacman verifies the detached signature only
then one can replace pkg+sig files with some other content and pacman still
processes it as a valid package. To prevent it we need to verify
database<->package integrity using hash values stored in the database.
This commit fixes FS#67232
The new debug output is:
checking package integrity...
debug: found cached pkg: /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
debug: sha256sum: 77baf61c62c5570b3a37cf0c3b16c5d9a97dde6fedd1a3528bf0cc5f96dd5e52
debug: checking sha256sum for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
debug: sig data: <from .sig>
debug: checking signature for /var/cache/pacman/pkg/ruby-2.7.1-2-x86_64.pkg.tar.zst
debug: 1 signatures returned
debug: fingerprint: B5971F2C5C10A9A08C60030F786C63F330D7CB92
Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'm4')
0 files changed, 0 insertions, 0 deletions
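
The check described in the commit message above, as an added example that is not pacman's code: a detached signature proves who signed the bytes, while the sha256 recorded in the database proves they are the bytes the database refers to. Assumptions: HMAC stands in for the GPG signature so the example runs offline, and all names, keys and package bytes are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for a packager's signing key. HMAC replaces the real
# OpenPGP signature here (assumption for the example, not how pacman signs).
PACKAGER_KEY = b"constructed-demo-key"

def sign(pkg: bytes) -> bytes:
    """Detached 'signature' shipped next to the package as <pkg>.sig."""
    return hmac.new(PACKAGER_KEY, pkg, hashlib.sha256).digest()

def signature_ok(pkg: bytes, sig: bytes) -> bool:
    """Signature check alone: valid for ANY file the key has signed."""
    return hmac.compare_digest(sign(pkg), sig)

def db_hash_ok(pkg: bytes, db_entry: dict) -> bool:
    """Bind the file to the database entry through its recorded sha256."""
    actual = hashlib.sha256(pkg).hexdigest()
    return hmac.compare_digest(actual, db_entry["sha256sum"])

def verify(pkg: bytes, sig: bytes, db_entry: dict, check_db_hash: bool = True) -> str:
    """Hash check first, then signature, the order shown in the debug output."""
    if check_db_hash and not db_hash_ok(pkg, db_entry):
        return "reject: sha256 mismatch with database"
    if not signature_ok(pkg, sig):
        return "reject: bad signature"
    return "accept"

# Constructed sample data: the package the database describes, and a different
# file that carries its own valid signature from the same key.
expected_pkg = b"ruby 2.7.1-2 package bytes (constructed)"
other_pkg = b"some other validly signed package (constructed)"
db_entry = {"name": "ruby", "sha256sum": hashlib.sha256(expected_pkg).hexdigest()}

if __name__ == "__main__":
    swapped = (other_pkg, sign(other_pkg))
    print("signature only :", verify(*swapped, db_entry, check_db_hash=False))
    print("with db sha256 :", verify(*swapped, db_entry))
    print("expected file  :", verify(expected_pkg, sign(expected_pkg), db_entry))
```
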