summaryrefslogtreecommitdiffstats
path: root/lib/libalpm/signing.c
AgeCommit message (Collapse)AuthorFilesLines
2020-06-18libalpm/signing.c: Fix calculation of packet size in parse_subpacketAllan McRae1-1/+1
Given RFC 4880 provides the code to do this calculation, I am not sure how I managed to stuff that up! This bug was only exposed when a signature made with "include-key-block" was added to the Arch repos, which provided a subpacket with the required size to hit this issue. Signed-off-by: Allan McRae <allan@archlinux.org> (cherry picked from commit 5f6ef895b1dac04c7fb1b63acab2d42c19f91922)
2020-06-18build-aux/update-copyright 2019 2020Allan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org> (cherry picked from commit e76ec94083235ddc5510ab57b7c2bc12a1d34e8a)
2020-01-14Dereference double pointer before assigning NULLDaniel T. Borelli1-2/+2
Daniel T. Borelli <danieltborelli@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> (cherry picked from commit eaa2770c80f8f3b168b99021e4258d696523d38a)
2019-10-23Update copyright yearsAllan McRae1-1/+1
make update-copyright OLD=2018 NEW=2019 Signed-off-by: Allan McRae <allan@archlinux.org>
2019-10-15libalpm: set errno in signing dummy functionsmorganamilo1-3/+6
This allows pacman to print the correct error message when checking keys and libalpm has been compiled without gpgme support. Signed-off-by: Allan McRae <allan@archlinux.org>
2019-10-15libalpm: fix segfault when -Qip'ing a packagemorganamilo1-1/+2
The dummy checksigs function never sets count to 0, leaving it unitialized. This caused the siglist cleanup to try and free the empty list. Signed-off-by: Allan McRae <allan@archlinux.org>
2019-10-09signing: handle unknown uid in key importChristian Hesse1-0/+5
With unknown uid pacman crashed. Return with error from email_from_uid() if uid is NULL. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-10-07signing: add ability to import keys using a WKDJonas Witschel1-13/+84
Currently pacman relies on the SKS keyserver network to fetch unknown PGP keys. These keyservers are vulnerable to signature spamming attacks, potentionally making it impossible to import the required keys. An alternative to keyservers is a so-called Web Key Directory (WKD), a well-known, trusted location on a server from where the keys can be fetched. This commit adds the ability to retrieve keys from a WKD. Due to the mentioned vulnerabilities, the WKD is tried first, falling back to the keyservers only if no appropriate key is found there. In contrast to keyservers, keys in a WKD are not looked up using their fingerprint, but by email address. Since the email address of the signing key is usually not included in the signature, we will use the packager email address to perform the lookup. Also see FS#63171. Signed-off-by: Jonas Witschel <diabonas@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-10-07signing: move key import confirmation before key_searchJonas Witschel1-23/+27
Ask the user whether they want to import a missing key before even doing a search on the keyserver. This will be useful for getting Web Key Directory support in place: for a WKD, looking up and importing a key are a single action, so the current key_search -> QUESTION -> key_import workflow does not apply. Since only the ID of the package signing key is available before key_search, we display the packager variable in addition to the key ID for user convenience. Signed-off-by: Jonas Witschel <diabonas@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2019-02-04fix various typosmorganamilo1-1/+1
Signed-off-by: morganamilo <morganamilo@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-05-14Remove all modelines from the projectEli Schwartz1-2/+0
Many of these are pointless (e.g. there is no need to explicitly turn on spellchecking and language dictionaries for the manpages by default). The only useful modelines are the ones enforcing the project coding standards for indentation style (and "maybe" filetype/syntax, but everything except the asciidoc manpages and makepkg.conf is already autodetected), and indent style can be applied more easily with .editorconfig Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2018-04-29add missing newline to error messageAllan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2018-03-14Update coyrights for 2018Allan McRae1-1/+1
make update-copyright OLD=2017 NEW=201 Signed-off-by: Allan McRae <allan@archlinux.org>
2018-01-11Support new OpenPGP format packets lengthsAllan McRae1-71/+107
RFC 4880 defines two packet formats for OpenPGP. Pacman aborted its key in keyring check with an error message if it encountered the new format. This was fine until some annoying Arch Trusted User generated a key using the new format! Implement the new format. This also required parsing the hashed sub packets. requiring the parsing code to moved to its own function. Signed-off-by: Allan McRae <allan@archlinux.org>
2017-12-07Fix CVE-2016-5434 (DoS/loop and out of boundary read)Nils Freydank1-4/+44
This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using functions instead of macros. (Thanks to Tobias for explanations of his patch.) A short question on Freenode IRC showed that macros are generally discouraged and functions should be used. The patch introduces a static size_t length_check() in libalpm/signing.c. [1] Original patch: https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html CVE request (and assignment): http://seclists.org/oss-sec/2016/q2/526 Signed-off-by: Allan McRae <allan@archlinux.org>
2017-01-04Update copyright yearsAllan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2016-12-05libalpm/signing: support EDDSA from gpgme 1.7.0Christian Hesse1-0/+4
Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Allan McRae <allan@archlinux.org>
2016-10-22Add ALPM_ERR_OK to _alpm_errno_tIvy Foster1-3/+3
This allows functions which return an _alpm_errno_t to always return a genuine _alpm_errno_t for consistency, even in cases where there are no errors. Since ALPM_ERR_OK = 0, their callers can still simply check 'err = some_fn(); if (!err) { ... }'. Signed-off-by: Ivy Foster <ivy.foster@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2016-08-30Add newline to the end of error messages for signature format issuesAllan McRae1-6/+6
Signed-off-by: Allan McRae <allan@archlinux.org>
2016-01-04Update copyright years for 2016Allan McRae1-1/+1
make update-copyright OLD=2015 NEW=2016 Signed-off-by: Allan McRae <allan@archlinux.org>
2015-02-01Update copyright notices for 2015Allan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-10-01_alpm_key_in_keychain: cache known keysAndrew Gregory1-0/+6
Implements FS#38042 Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
2014-08-04signing.c: remove useless error checkAndrew Gregory1-1/+0
CHECK_ERR checks gpg_err which is a local variable. Calling gpg_op_import_result cannot modify it. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-06-29libalpm: check for valid public key algorithmChristian Hesse1-0/+12
2014-06-24Update the question callbackOlivier Brunel1-4/+8
Much like with events, instead of using a bunch of void* arguments for all questions, we now send one pointer to an alpm_question_t union. This contains the type of question that was triggered. With this information, a question-specific struct can be accessed in order to get additional arguments. Signed-off-by: Olivier Brunel <jjk@jjacky.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-06-02Add compatibility with gpgme-1.5.0Allan McRae1-0/+4
Signed-off-by: Allan McRae <allan@archlinux.org>
2014-01-28Remove ts and sw from vim modeline when noet is setFlorian Pritz1-1/+1
Forcing vim users to view files with a tabstop of 2 seems really unnecessary when noet is set. I find it much easier to read code with ts=4 and I dislike having to override the modeline by hand. Command run: find . -type f -exec sed -i '/vim.* noet/s# ts=2 sw=2##' {} + Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Allan McRae <allan@archlinux.org>
2014-01-10Consistently use #ifdefAllan McRae1-3/+3
Fix the occurances of #if to be #ifdef for consistency.
2014-01-10Fix build with --disable-gpgmeAllan McRae1-30/+30
The alpm_decode_signature function was made available for frontends to display signature information, but this required libalpm to be build with gpgme support. As that function did not require anything from gpgme, have it build unconditionally. Signed-off-by: Allan McRae <allan@archlinux.org>
2014-01-06Update copyright years for 2014Allan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2013-11-15Fix whitespace and other formatting issuesJason St. John1-12/+12
This commit: -- replaces space-based indents with tabs per the coding standards -- removes extraneous whitespace (e.g. extra spaces between function args) -- adds missing braces for a one-line if statement Signed-off-by: Jason St. John <jstjohn@purdue.edu>
2013-10-31Make functions to decode a signature and extract keyid publicAllan McRae1-3/+3
These are useful for frontends. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-09-04libalpm: avoid name space conflictSami Kerola1-35/+35
The symbol 'err' refers to err() from err.h, and is wisest to be avoided as a variable name. Reference: http://man7.org/linux/man-pages/man3/err.3.html Signed-off-by: Sami Kerola <kerolasa@iki.fi> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-04-18Fix spelling errors using 'codespell' toolAnatol Pomozov1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-16fix style violationsAndrew Gregory1-1/+2
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-13Fix compilation error on clangAllan McRae1-8/+8
This also lead me to notice that in _alpm_gpgme_checksig many things were not being cleaned up. Fix this by having CHECK_ERR goto gpg_error and make the required adjustments. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-09Import key if needed when installing package from fileAllan McRae1-0/+5
When installing a package with "pacman -U" that has a detached signature, check if the needed key is in the keyring and download if necessary. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-09Make decode_signature available to the libraryAllan McRae1-2/+3
Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-09Add function to extract key id from signaturesAllan McRae1-0/+113
This does not support all possibilities of RFC4880, but it does cover every key currently used in Arch Linux. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-09Move key importing into separate functionAllan McRae1-32/+49
This will be useful for checking the availablity of all keys before perfoming validation in sync operations and for downloading a needed key in upgrade operations. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-02-09Make key_in_keychain available in libraryAllan McRae1-3/+4
In preparation for checking key presence and downloading needed keys before conflict checking. Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-04Fix space between control structure and open parensGerardo Exequiel Pozzi1-1/+1
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-04Fix open braces styleGerardo Exequiel Pozzi1-1/+2
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> Signed-off-by: Allan McRae <allan@archlinux.org>
2013-01-03Update copyright year for 2013Allan McRae1-1/+1
Signed-off-by: Allan McRae <allan@archlinux.org>
2012-12-14Fix future signature timestamp warningAllan McRae1-5/+6
The warning given for a signature timstamp being in the future compared to the system time stated the opposite. Also, move this warning to debug output. It is useless in its current form as the package or database that is giving the error is not mentioned and so other debug output is needed to find the offending signature. Signed-off-by: Allan McRae <allan@archlinux.org>
2012-09-18Merge branch 'maint'Dan McGee1-0/+5
2012-09-18signing.c: warn if time went backwardsFlorian Pritz1-0/+5
GPG signatures have a timestamp which is checked and if it's in the future, verification will fail. Dan: slight wording change. Signed-off-by: Florian Pritz <bluewind@xinu.at>
2012-04-12Merge branch 'maint'Dan McGee1-2/+2
2012-04-09Fix issues with unintialized variable value usageDan McGee1-2/+2
Detected by clang scan-build static code analyzer. * Don't attempt to free an uninitialized gpgme key variable * Initialize answer variable before asking frontend a question * Pass by reference instead of value if uninitialized fields are possible in download signal handler code * Ensure we never call strlen() on NULL payload->remote_name value Signed-off-by: Dan McGee <dan@archlinux.org>
2012-04-07Merge branch 'maint'Dan McGee1-3/+12
Conflicts: lib/libalpm/signing.c lib/libalpm/sync.c