Fallback to detached signatures during keyring check

Pacman has a 'key in keyring' verification step that makes sure the signatures
have a valid keyid. Currently pacman parses embedded package signatures only.

Add a fallback to detached signatures. If embedded signature is missing then it
tries to read corresponding *.sig file and get keyid from there.

Verification:
  debug: found cached pkg: /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst
  debug: found detached signature /var/cache/pacman/pkg/glib-networking-2.64.3-1-x86_64.pkg.tar.zst.sig with size 310
  debug: found signature key: A5E9288C4FA415FA
  debug: looking up key A5E9288C4FA415FA locally
  debug: key lookup success, key exists

Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h
index 977c292c..614a530c 100644
--- a/lib/libalpm/alpm.h
+++ b/lib/libalpm/alpm.h
@@ -1405,6 +1405,17 @@ alpm_db_t *alpm_pkg_get_db(alpm_pkg_t *pkg);
  */
 const char *alpm_pkg_get_base64_sig(alpm_pkg_t *pkg);
 
+/** Extracts package signature either from embedded package signature
+ * or if it is absent then reads data from detached signature file.
+ * @param pkg a pointer to package.
+ * @param sig output parameter for signature data. Callee function allocates
+ * a buffer needed for the signature data. Caller is responsible for
+ * freeing this buffer.
+ * @param sig_len output parameter for the signature data length.
+ * @return 0 on success, negative number on error.
+ */
+int alpm_pkg_get_sig(alpm_pkg_t *pkg, unsigned char **sig, size_t *sig_len);
+
 /** Returns the method used to validate a package during install.
  * @param pkg a pointer to package
  * @return an enum member giving the validation method