diff options
| -rw-r--r-- | lib/libalpm/alpm.h | 9 | ||||
| -rw-r--r-- | lib/libalpm/db.c | 18 | ||||
| -rw-r--r-- | lib/libalpm/db.h | 1 | ||||
| -rw-r--r-- | lib/libalpm/signing.c | 2 | ||||
| -rw-r--r-- | lib/libalpm/sync.c | 19 | ||||
| -rw-r--r-- | src/pacman/pacman.c | 18 | ||||
| -rwxr-xr-x | test/pacman/pmdb.py | 6 | ||||
| -rw-r--r-- | test/pacman/tests/sign001.py | 2 | ||||
| -rw-r--r-- | test/pacman/tests/sign002.py | 2 | ||||
| -rwxr-xr-x | test/pacman/util.py | 3 |
10 files changed, 72 insertions, 8 deletions
diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 150730ce..276d49cb 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -251,6 +251,15 @@ alpm_list_t *alpm_pkg_unused_deltas(pmpkg_t *pkg); int alpm_pkg_check_pgp_signature(pmpkg_t *pkg); +/* GPG signature verification option */ +typedef enum _pgp_verify_t { + PM_PGP_VERIFY_ALWAYS, + PM_PGP_VERIFY_OPTIONAL, + PM_PGP_VERIFY_NEVER +} pgp_verify_t; + +int alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify); + /* * Deltas */ diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c index cb575c8a..f61ea918 100644 --- a/lib/libalpm/db.c +++ b/lib/libalpm/db.c @@ -181,6 +181,24 @@ int SYMEXPORT alpm_db_setserver(pmdb_t *db, const char *url) return 0; } +/** Set the verify gpg signature option for a database. + * @param db database pointer + * @param verify enum pgp_verify_t + * @return 0 on success, -1 on error (pm_errno is set accordingly) + */ +int SYMEXPORT alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify) +{ + ALPM_LOG_FUNC; + + /* Sanity checks */ + ASSERT(db != NULL, RET_ERR(PM_ERR_DB_NULL, -1)); + + db->pgp_verify = verify; + _alpm_log(PM_LOG_DEBUG, "adding VerifySig option to database '%s': %d\n", + db->treename, verify); + + return(0); +} /** Get the name of a package database * @param db pointer to the package database diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h index 75776d71..dfd9f933 100644 --- a/lib/libalpm/db.h +++ b/lib/libalpm/db.h @@ -60,6 +60,7 @@ struct __pmdb_t { pmpkghash_t *pkgcache; alpm_list_t *grpcache; alpm_list_t *servers; + pgp_verify_t pgp_verify; struct db_operations *ops; }; diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 27855798..08e9b297 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -168,6 +168,8 @@ int _alpm_gpgme_checksig(const char *pkgpath, const pmpgpsig_t *sig) if(gpgsig->summary & GPGME_SIGSUM_VALID) { /* good signature, continue */ + _alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"), + pkgpath); } else if(gpgsig->summary & GPGME_SIGSUM_GREEN) { /* 'green' signature, not sure what to do here */ _alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"), diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 5e7cf293..5428e40b 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -847,11 +847,17 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) continue; } /* check PGP signature next */ - if(_alpm_gpgme_checksig(filepath, pgpsig) != 0) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; + pmdb_t *sdb = alpm_pkg_get_db(spkg); + + if(sdb->pgp_verify != PM_PGP_VERIFY_NEVER) { + int ret = _alpm_gpgme_checksig(filepath, pgpsig); + if((sdb->pgp_verify == PM_PGP_VERIFY_ALWAYS && ret != 0) || + (sdb->pgp_verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { + errors++; + *data = alpm_list_add(*data, strdup(filename)); + FREE(filepath); + continue; + } } /* load the package file and replace pkgcache entry with it in the target list */ /* TODO: alpm_pkg_get_db() will not work on this target anymore */ @@ -869,9 +875,12 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) i->data = pkgfile; _alpm_pkg_free_trans(spkg); /* spkg has been removed from the target list */ } + PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", 100, numtargs, current); EVENT(trans, PM_TRANS_EVT_INTEGRITY_DONE, NULL, NULL); + + if(errors) { pm_errno = PM_ERR_PKG_INVALID; goto error; diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c index 706e97be..0487ee87 100644 --- a/src/pacman/pacman.c +++ b/src/pacman/pacman.c @@ -1241,6 +1241,24 @@ static int _parseconfig(const char *file, const char *givensection, ret = 1; goto cleanup; } + } else if(strcmp(key, "VerifySig") == 0) { + if (strcmp(value, "Always") == 0) { + ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_ALWAYS); + } else if (strcmp(value, "Optional") == 0) { + ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_OPTIONAL); + } else if (strcmp(value, "Never") == 0) { + ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_NEVER); + } else { + pm_printf(PM_LOG_ERROR, _("invalid value for 'VerifySig' : '%s'\n"), value); + ret = 1; + goto cleanup; + } + if (ret != 0) { + pm_printf(PM_LOG_ERROR, _("could not add pgp verify option to database '%s': %s (%s)\n"), + alpm_db_get_name(db), value, alpm_strerrorlast()); + goto cleanup; + } + pm_printf(PM_LOG_DEBUG, "config: VerifySig for %s: %s\n",alpm_db_get_name(db), value); } else { pm_printf(PM_LOG_WARNING, _("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"), diff --git a/test/pacman/pmdb.py b/test/pacman/pmdb.py index fefb135a..1af24ae9 100755 --- a/test/pacman/pmdb.py +++ b/test/pacman/pmdb.py @@ -89,6 +89,12 @@ class pmdb(object): def __str__(self): return "%s" % self.treename + def getverify(self): + for value in "Always","Never","Optional": + if value in self.treename: + return value + return "Never" + def getpkg(self, name): """ """ diff --git a/test/pacman/tests/sign001.py b/test/pacman/tests/sign001.py index 447cea1e..0ae417b7 100644 --- a/test/pacman/tests/sign001.py +++ b/test/pacman/tests/sign001.py @@ -2,7 +2,7 @@ self.description = "Add a signature to a package DB" sp = pmpkg("pkg1") sp.pgpsig = "asdfasdfsdfasdfsdafasdfsdfasd" -self.addpkg2db("sync", sp) +self.addpkg2db("sync+Always", sp) self.args = "-Ss" diff --git a/test/pacman/tests/sign002.py b/test/pacman/tests/sign002.py index 7b098c0d..b55f331e 100644 --- a/test/pacman/tests/sign002.py +++ b/test/pacman/tests/sign002.py @@ -2,7 +2,7 @@ self.description = "Verify a signature in a sync DB (failure)" sp = pmpkg("pkg1") sp.pgpsig = "iEYEABECAAYFAkhMOggACgkQXC5GoPU6du2WVQCffVxF8GKXJIY4juJBIw/ljLrQxygAnj2QlvsUd7MdFekLX18+Ov/xzgZ1" -self.addpkg2db("sync", sp) +self.addpkg2db("sync+Always", sp) self.args = "-S %s" % sp.name diff --git a/test/pacman/util.py b/test/pacman/util.py index b771a345..47255923 100755 --- a/test/pacman/util.py +++ b/test/pacman/util.py @@ -132,8 +132,9 @@ def mkcfgfile(filename, root, option, db): if key != "local": value = db[key] data.append("[%s]\n" \ + "VerifySig = %s\n" \ "Server = file://%s" \ - % (value.treename, + % (value.treename, value.getverify(), \ os.path.join(root, SYNCREPO, value.treename))) for optkey, optval in value.option.iteritems(): data.extend(["%s = %s" % (optkey, j) for j in optval]) |