| -rw-r--r-- | lib/libalpm/alpm.h | 9 | ||||
| -rw-r--r-- | lib/libalpm/db.c | 18 | ||||
| -rw-r--r-- | lib/libalpm/db.h | 1 | ||||
| -rw-r--r-- | lib/libalpm/signing.c | 2 | ||||
| -rw-r--r-- | lib/libalpm/sync.c | 19 | ||||
| -rw-r--r-- | src/pacman/pacman.c | 18 | ||||
| -rwxr-xr-x | test/pacman/pmdb.py | 6 | ||||
| -rw-r--r-- | test/pacman/tests/sign001.py | 2 | ||||
| -rw-r--r-- | test/pacman/tests/sign002.py | 2 | ||||
| -rwxr-xr-x | test/pacman/util.py | 3 | 
10 files changed, 72 insertions, 8 deletions
| diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 150730ce..276d49cb 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -251,6 +251,15 @@ alpm_list_t *alpm_pkg_unused_deltas(pmpkg_t *pkg);  int alpm_pkg_check_pgp_signature(pmpkg_t *pkg); +/* GPG signature verification option */ +typedef enum _pgp_verify_t { +	PM_PGP_VERIFY_ALWAYS, +	PM_PGP_VERIFY_OPTIONAL, +	PM_PGP_VERIFY_NEVER +} pgp_verify_t; + +int alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify); +  /*   * Deltas   */ diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c index cb575c8a..f61ea918 100644 --- a/lib/libalpm/db.c +++ b/lib/libalpm/db.c @@ -181,6 +181,24 @@ int SYMEXPORT alpm_db_setserver(pmdb_t *db, const char *url)  	return 0;  } +/** Set the verify gpg signature option for a database. + * @param db database pointer + * @param verify enum pgp_verify_t + * @return 0 on success, -1 on error (pm_errno is set accordingly) + */ +int SYMEXPORT alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify) +{ +	ALPM_LOG_FUNC; + +	/* Sanity checks */ +	ASSERT(db != NULL, RET_ERR(PM_ERR_DB_NULL, -1)); + +	db->pgp_verify = verify; +	_alpm_log(PM_LOG_DEBUG, "adding VerifySig option to database '%s': %d\n", +			db->treename, verify); + +	return(0); +}  /** Get the name of a package database   * @param db pointer to the package database diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h index 75776d71..dfd9f933 100644 --- a/lib/libalpm/db.h +++ b/lib/libalpm/db.h @@ -60,6 +60,7 @@ struct __pmdb_t {  	pmpkghash_t *pkgcache;  	alpm_list_t *grpcache;  	alpm_list_t *servers; +	pgp_verify_t pgp_verify;  	struct db_operations *ops;  }; diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 27855798..08e9b297 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c 
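Review bot: The three `pgp_verify_t` members enter the public header with no documentation, and because `PM_PGP_VERIFY_ALWAYS` is the first member a zero-initialised `pmdb_t` defaults to mandatory verification while a non-zeroed one leaves the new `pgp_verify` field (db.h hunk) uninitialised — the allocation that decides which is outside this diff. Document each value where it is declared, e.g. `PM_PGP_VERIFY_ALWAYS, /* reject the package unless its signature verifies */`, `PM_PGP_VERIFY_OPTIONAL, /* accept an unsigned package, reject a bad signature */`, `PM_PGP_VERIFY_NEVER /* do not check signatures */`, and state the default above the typedef (the OPTIONAL wording follows the `ret == 1` test in the sync.c hunk and should be confirmed against _alpm_gpgme_checksig). Only a setter is added; a matching `alpm_db_get_pgp_verify` would let front-ends report the effective mode.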
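Review bot: `alpm_db_set_pgp_verify` stores `verify` without checking it is one of the three enum values; with any other integer the sync.c hunk still runs the signature check (the value is not `PM_PGP_VERIFY_NEVER`) but neither rejection test matches, so the result is computed and then ignored. Add a range check beside the existing NULL assert, e.g. `ASSERT(verify == PM_PGP_VERIFY_ALWAYS || verify == PM_PGP_VERIFY_OPTIONAL || verify == PM_PGP_VERIFY_NEVER, RET_ERR(PM_ERR_WRONG_ARGS, -1));`. Two smaller points: `return(0);` differs from the `return 0;` visible in the context lines just above, and the debug message says "adding" an option where the function sets one.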
@@ -168,6 +168,8 @@ int _alpm_gpgme_checksig(const char *pkgpath, const pmpgpsig_t *sig)  	if(gpgsig->summary & GPGME_SIGSUM_VALID) {  		/* good signature, continue */ +		_alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"), +				pkgpath);  	} else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {  		/* 'green' signature, not sure what to do here */  		_alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"), diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 5e7cf293..5428e40b 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -847,11 +847,17 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)  			continue;  		}  		/* check PGP signature next */ -		if(_alpm_gpgme_checksig(filepath, pgpsig) != 0) { -			errors++; -			*data = alpm_list_add(*data, strdup(filename)); -			FREE(filepath); -			continue; +		pmdb_t *sdb = alpm_pkg_get_db(spkg); + +		if(sdb->pgp_verify != PM_PGP_VERIFY_NEVER) { +			int ret = _alpm_gpgme_checksig(filepath, pgpsig); +			if((sdb->pgp_verify == PM_PGP_VERIFY_ALWAYS && ret != 0) || +					(sdb->pgp_verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { +				errors++; +				*data = alpm_list_add(*data, strdup(filename)); +				FREE(filepath); +				continue; +			}  		}  		/* load the package file and replace pkgcache entry with it in the target list */  		/* TODO: alpm_pkg_get_db() will not work on this target anymore */ @@ -869,9 +875,12 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)  		i->data = pkgfile;  		_alpm_pkg_free_trans(spkg); /* spkg has been removed from the target list */  	} +  	PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", 100,  			numtargs, current);  	EVENT(trans, PM_TRANS_EVT_INTEGRITY_DONE, NULL, NULL); + +  	if(errors) {  		pm_errno = PM_ERR_PKG_INVALID;  		goto error; diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c index 706e97be..0487ee87 100644 --- a/src/pacman/pacman.c +++ b/src/pacman/pacman.c 
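Review bot: In the first sync.c hunk `sdb` from `alpm_pkg_get_db(spkg)` is dereferenced without a NULL check, and under `PM_PGP_VERIFY_OPTIONAL` every `_alpm_gpgme_checksig` result other than `1` is accepted, so any failure reported with a different code (the function's return contract is not visible in this diff) lets the package through unverified. Name the one acceptable result instead of the one unacceptable result, e.g. `if(ret != 0 && !(verify == PM_PGP_VERIFY_OPTIONAL && ret == NO_SIG_RESULT))` where `NO_SIG_RESULT` is a placeholder for whichever code means "no signature present", and derive `verify` first as `pgp_verify_t verify = sdb ? sdb->pgp_verify : PM_PGP_VERIFY_ALWAYS;` so a target with no origin database is verified rather than crashing. The second sync.c hunk is whitespace only; `_alpm_sync_commit` begins and ends outside both hunks.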
@@ -1241,6 +1241,24 @@ static int _parseconfig(const char *file, const char *givensection,  					ret = 1;  					goto cleanup;  				} +			} else if(strcmp(key, "VerifySig") == 0) { +				if (strcmp(value, "Always") == 0) { +					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_ALWAYS); +				} else if (strcmp(value, "Optional") == 0) { +					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_OPTIONAL); +				} else if (strcmp(value, "Never") == 0) { +					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_NEVER); +				} else { +					pm_printf(PM_LOG_ERROR, _("invalid value for 'VerifySig' : '%s'\n"), value); +					ret = 1; +					goto cleanup; +				} +				if (ret != 0) { +					pm_printf(PM_LOG_ERROR, _("could not add pgp verify option to database '%s': %s (%s)\n"), +							alpm_db_get_name(db), value, alpm_strerrorlast()); +					goto cleanup; +				} +				pm_printf(PM_LOG_DEBUG, "config: VerifySig for %s: %s\n",alpm_db_get_name(db), value);  			} else {  				pm_printf(PM_LOG_WARNING,  						_("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"), diff --git a/test/pacman/pmdb.py b/test/pacman/pmdb.py index fefb135a..1af24ae9 100755 --- a/test/pacman/pmdb.py +++ b/test/pacman/pmdb.py @@ -89,6 +89,12 @@ class pmdb(object):      def __str__(self):          return "%s" % self.treename +    def getverify(self): +        for value in "Always","Never","Optional": +            if value in self.treename: +                return value +        return "Never" +      def getpkg(self, name):          """          """ diff --git a/test/pacman/tests/sign001.py b/test/pacman/tests/sign001.py index 447cea1e..0ae417b7 100644 --- a/test/pacman/tests/sign001.py +++ b/test/pacman/tests/sign001.py @@ -2,7 +2,7 @@ self.description = "Add a signature to a package DB"  sp = pmpkg("pkg1")  sp.pgpsig = "asdfasdfsdfasdfsdafasdfsdfasd" -self.addpkg2db("sync", sp) +self.addpkg2db("sync+Always", sp)  self.args = "-Ss" 
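Review bot: When `alpm_db_set_pgp_verify` fails, `ret` carries the library's `-1` into `goto cleanup`, whereas the invalid-value branch two lines above and the context lines preceding the new branch use `ret = 1`; normalise with `ret = 1;` before that `goto cleanup;` so `_parseconfig` keeps one failure code. The new lines are also written `if (strcmp(...` and `alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_ALWAYS)` while the libalpm hunks in this diff write `if(` and put a space after each comma. `_parseconfig` begins and ends outside the hunk.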
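Review bot: `getverify` returns `"Never"` for any database whose name does not embed a mode, so every existing sync test presumably now runs with signature checking disabled, which diverges from the library side where a zero-initialised `pmdb_t` defaults to `PM_PGP_VERIFY_ALWAYS` (first enum member in the alpm.h hunk); a docstring should record that choice, e.g. `"""Mode encoded in the db name ("sync+Always"); tests default to Never, unlike libalpm."""`. The substring loop returns the first of `Always`, `Never`, `Optional` found, so a treename containing two of them is ambiguous.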
diff --git a/test/pacman/tests/sign002.py b/test/pacman/tests/sign002.py index 7b098c0d..b55f331e 100644 --- a/test/pacman/tests/sign002.py +++ b/test/pacman/tests/sign002.py @@ -2,7 +2,7 @@ self.description = "Verify a signature in a sync DB (failure)"  sp = pmpkg("pkg1")  sp.pgpsig = "iEYEABECAAYFAkhMOggACgkQXC5GoPU6du2WVQCffVxF8GKXJIY4juJBIw/ljLrQxygAnj2QlvsUd7MdFekLX18+Ov/xzgZ1" -self.addpkg2db("sync", sp) +self.addpkg2db("sync+Always", sp)  self.args = "-S %s" % sp.name diff --git a/test/pacman/util.py b/test/pacman/util.py index b771a345..47255923 100755 --- a/test/pacman/util.py +++ b/test/pacman/util.py @@ -132,8 +132,9 @@ def mkcfgfile(filename, root, option, db):          if key != "local":              value = db[key]              data.append("[%s]\n" \ +                    "VerifySig = %s\n" \                      "Server = file://%s" \ -                     % (value.treename, +                     % (value.treename, value.getverify(), \                          os.path.join(root, SYNCREPO, value.treename)))              for optkey, optval in value.option.iteritems():                  data.extend(["%s = %s" % (optkey, j) for j in optval]) | 
