Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libalpm/alpm.h5
-rw-r--r--lib/libalpm/be_sync.c56
-rw-r--r--lib/libalpm/db.c5
-rw-r--r--lib/libalpm/db.h3
-rw-r--r--src/pacman/conf.c16
-rw-r--r--src/util/cleanupdelta.c2
-rw-r--r--src/util/testdb.c2
-rw-r--r--test/pacman/tests/sign001.py4
8 files changed, 71 insertions, 22 deletions
diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h
index 715e502a..eb2eff88 100644
--- a/lib/libalpm/alpm.h
+++ b/lib/libalpm/alpm.h
@@ -357,9 +357,12 @@ alpm_list_t *alpm_option_get_syncdbs(pmhandle_t *handle);
/** Register a sync database of packages.
* @param handle the context handle
* @param treename the name of the sync repository
+ * @param check_sig what level of signature checking to perform on the
+ * database; note that this must be a '.sig' file type verification
* @return a pmdb_t* on success (the value), NULL on error
*/
-pmdb_t *alpm_db_register_sync(pmhandle_t *handle, const char *treename);
+pmdb_t *alpm_db_register_sync(pmhandle_t *handle, const char *treename,
+ pgp_verify_t check_sig);
/** Unregister a package database.
* @param db pointer to the package database to unregister
diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c
index e5fc6a70..2cf90544 100644
--- a/lib/libalpm/be_sync.c
+++ b/lib/libalpm/be_sync.c
@@ -20,7 +20,9 @@
#include "config.h"
+#include <errno.h>
#include <sys/stat.h>
+#include <unistd.h>
/* libarchive */
#include <archive.h>
@@ -65,6 +67,37 @@ static char *get_sync_dir(pmhandle_t *handle)
return syncpath;
}
+static int sync_db_validate(pmdb_t *db)
+{
+ /* this takes into account the default verification level if UNKNOWN
+ * was assigned to this db */
+ pgp_verify_t check_sig = _alpm_db_get_sigverify_level(db);
+
+ if(check_sig != PM_PGP_VERIFY_NEVER) {
+ int ret;
+ const char *dbpath = _alpm_db_path(db);
+ if(!dbpath) {
+ /* pm_errno set in _alpm_db_path() */
+ return -1;
+ }
+
+ /* we can skip any validation if the database doesn't exist */
+ if(access(dbpath, R_OK) != 0 && errno == ENOENT) {
+ return 0;
+ }
+
+ _alpm_log(db->handle, PM_LOG_DEBUG, "checking signature for %s\n",
+ db->treename);
+ ret = _alpm_gpgme_checksig(db->handle, dbpath, NULL);
+ if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) ||
+ (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) {
+ RET_ERR(db->handle, PM_ERR_SIG_INVALID, -1);
+ }
+ }
+
+ return 0;
+}
+
/** Update a package database
*
* An update of the package database \a db will be attempted. Unless
@@ -144,6 +177,15 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db)
if(ret == 0 && (check_sig == PM_PGP_VERIFY_ALWAYS ||
check_sig == PM_PGP_VERIFY_OPTIONAL)) {
+ /* an existing sig file is no good at this point */
+ char *sigpath = _alpm_db_sig_path(db);
+ if(!sigpath) {
+ ret = -1;
+ break;
+ }
+ unlink(sigpath);
+ free(sigpath);
+
int errors_ok = (check_sig == PM_PGP_VERIFY_OPTIONAL);
/* if we downloaded a DB, we want the .sig from the same server */
snprintf(fileurl, len, "%s/%s.db.sig", server, db->treename);
@@ -173,6 +215,11 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db)
/* Cache needs to be rebuilt */
_alpm_db_free_pkgcache(db);
+ if(sync_db_validate(db)) {
+ /* pm_errno should be set */
+ ret = -1;
+ }
+
cleanup:
free(syncpath);
@@ -523,7 +570,8 @@ struct db_operations sync_db_ops = {
.version = sync_db_version,
};
-pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename)
+pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename,
+ pgp_verify_t level)
{
pmdb_t *db;
@@ -535,6 +583,12 @@ pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename)
}
db->ops = &sync_db_ops;
db->handle = handle;
+ db->pgp_verify = level;
+
+ if(sync_db_validate(db)) {
+ _alpm_db_free(db);
+ return NULL;
+ }
handle->dbs_sync = alpm_list_add(handle->dbs_sync, db);
return db;
diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c
index c3a7abd2..2b50c064 100644
--- a/lib/libalpm/db.c
+++ b/lib/libalpm/db.c
@@ -45,7 +45,8 @@
*/
/** Register a sync database of packages. */
-pmdb_t SYMEXPORT *alpm_db_register_sync(pmhandle_t *handle, const char *treename)
+pmdb_t SYMEXPORT *alpm_db_register_sync(pmhandle_t *handle, const char *treename,
+ pgp_verify_t check_sig)
{
/* Sanity checks */
CHECK_HANDLE(handle, return NULL);
@@ -54,7 +55,7 @@ pmdb_t SYMEXPORT *alpm_db_register_sync(pmhandle_t *handle, const char *treename
/* Do not register a database if a transaction is on-going */
ASSERT(handle->trans == NULL, RET_ERR(handle, PM_ERR_TRANS_NOT_NULL, NULL));
- return _alpm_db_register_sync(handle, treename);
+ return _alpm_db_register_sync(handle, treename, check_sig);
}
/* Helper function for alpm_db_unregister{_all} */
diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h
index e3faeeb4..c5fcd5f0 100644
--- a/lib/libalpm/db.h
+++ b/lib/libalpm/db.h
@@ -77,7 +77,8 @@ int _alpm_db_version(pmdb_t *db);
int _alpm_db_cmp(const void *d1, const void *d2);
alpm_list_t *_alpm_db_search(pmdb_t *db, const alpm_list_t *needles);
pmdb_t *_alpm_db_register_local(pmhandle_t *handle);
-pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename);
+pmdb_t *_alpm_db_register_sync(pmhandle_t *handle, const char *treename,
+ pgp_verify_t level);
void _alpm_db_unregister(pmdb_t *db);
/* be_*.c, backend specific calls */
diff --git a/src/pacman/conf.c b/src/pacman/conf.c
index 081cdd5e..5c2a11d3 100644
--- a/src/pacman/conf.c
+++ b/src/pacman/conf.c
@@ -460,7 +460,7 @@ static int setup_libalpm(void)
ret = alpm_option_set_logfile(handle, config->logfile);
if(ret != 0) {
pm_printf(PM_LOG_ERROR, _("problem setting logfile '%s' (%s)\n"),
- config->logfile, alpm_strerror(alpm_errno(config->handle)));
+ config->logfile, alpm_strerror(alpm_errno(handle)));
return ret;
}
@@ -470,7 +470,7 @@ static int setup_libalpm(void)
ret = alpm_option_set_gpgdir(handle, config->gpgdir);
if(ret != 0) {
pm_printf(PM_LOG_ERROR, _("problem setting gpgdir '%s' (%s)\n"),
- config->gpgdir, alpm_strerror(alpm_errno(config->handle)));
+ config->gpgdir, alpm_strerror(alpm_errno(handle)));
return ret;
}
@@ -542,7 +542,7 @@ static int finish_section(struct section_t *section, int parse_options)
}
/* if we are not looking at options sections only, register a db */
- db = alpm_db_register_sync(config->handle, section->name);
+ db = alpm_db_register_sync(config->handle, section->name, section->sigverify);
if(db == NULL) {
pm_printf(PM_LOG_ERROR, _("could not register '%s' database (%s)\n"),
section->name, alpm_strerror(alpm_errno(config->handle)));
@@ -550,16 +550,6 @@ static int finish_section(struct section_t *section, int parse_options)
goto cleanup;
}
- if(section->sigverify) {
- if(alpm_db_set_pgp_verify(db, section->sigverify)) {
- pm_printf(PM_LOG_ERROR,
- _("could not set verify option for database '%s' (%s)\n"),
- section->name, alpm_strerror(alpm_errno(config->handle)));
- ret = 1;
- goto cleanup;
- }
- }
-
for(i = section->servers; i; i = alpm_list_next(i)) {
char *value = alpm_list_getdata(i);
if(_add_mirror(db, value) != 0) {
diff --git a/src/util/cleanupdelta.c b/src/util/cleanupdelta.c
index 98291706..5ee59dbb 100644
--- a/src/util/cleanupdelta.c
+++ b/src/util/cleanupdelta.c
@@ -75,7 +75,7 @@ static void checkdbs(const char *dbpath, alpm_list_t *dbnames) {
for(i = dbnames; i; i = alpm_list_next(i)) {
char *dbname = alpm_list_getdata(i);
snprintf(syncdbpath, PATH_MAX, "%s/sync/%s", dbpath, dbname);
- db = alpm_db_register_sync(handle, dbname);
+ db = alpm_db_register_sync(handle, dbname, PM_PGP_VERIFY_OPTIONAL);
if(db == NULL) {
fprintf(stderr, "error: could not register sync database (%s)\n",
alpm_strerror(alpm_errno(handle)));
diff --git a/src/util/testdb.c b/src/util/testdb.c
index 4937480d..af5007e2 100644
--- a/src/util/testdb.c
+++ b/src/util/testdb.c
@@ -151,7 +151,7 @@ static int check_syncdbs(alpm_list_t *dbnames) {
for(i = dbnames; i; i = alpm_list_next(i)) {
char *dbname = alpm_list_getdata(i);
- db = alpm_db_register_sync(handle, dbname);
+ db = alpm_db_register_sync(handle, dbname, PM_PGP_VERIFY_OPTIONAL);
if(db == NULL) {
fprintf(stderr, "error: could not register sync database (%s)\n",
alpm_strerror(alpm_errno(handle)));
diff --git a/test/pacman/tests/sign001.py b/test/pacman/tests/sign001.py
index 0ae417b7..14add09c 100644
--- a/test/pacman/tests/sign001.py
+++ b/test/pacman/tests/sign001.py
@@ -1,8 +1,8 @@
-self.description = "Add a signature to a package DB"
+self.description = "Add a bogus signature to a package DB"
sp = pmpkg("pkg1")
sp.pgpsig = "asdfasdfsdfasdfsdafasdfsdfasd"
-self.addpkg2db("sync+Always", sp)
+self.addpkg2db("sync+Optional", sp)
self.args = "-Ss"