summaryrefslogtreecommitdiff
path: root/lib/libalpm/signing.c
Commit message (Collapse)AuthorAge
* Fix issues with unintialized variable value usageDan McGee2012-04-09
| | | | | | | | | | | | Detected by clang scan-build static code analyzer. * Don't attempt to free an uninitialized gpgme key variable * Initialize answer variable before asking frontend a question * Pass by reference instead of value if uninitialized fields are possible in download signal handler code * Ensure we never call strlen() on NULL payload->remote_name value Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: cope with gpg2's failure at lifeDave Reisner2012-03-28
| | | | | | | | For key searches only, gpg2 will fail to lookup any and all keys that are not prefixed with 0x. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
* Update copyright on changed files since beginning of yearDan McGee2012-01-18
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Search for PGP subkeys in a keyserver-acceptable wayDan McGee2012-01-05
| | | | | | | | | | | | | | PGP keyservers are pieces of sh** when it comes to searching for subkeys, and only allow it if you submit an 8-character fingerprint rather than the recommended and less chance of collision 16-character fingerprint. Add a second remote lookup for the 8-character version of a key ID if we don't find anything the first time we look up the key. This fixes FS#27612 and the deficiency has been sent upstream to the GnuPG users mailing list as well. Signed-off-by: Dan McGee <dan@archlinux.org>
* Show an error message on failed remote key lookupDan McGee2011-10-17
| | | | | | | | | | | | | The absolutely terrible part about this is the failure on GPGME's part to distinguish between "key not found" and "keyserver timeout". Instead, it returns the same silly GPG_ERR_EOF in both cases (why isn't GPG_ERR_TIMEOUT being used?), leaving us helpless to tell them apart. Spit out a generic enough error message that covers both cases; unfortunately we can't provide much guidance to the user because we aren't sure what actually happened. Signed-off-by: Dan McGee <dan@archlinux.org>
* Add user-visible warning message if public keyring not foundDan McGee2011-10-12
| | | | | | | This should help point users in the right direction if they have not initialized via pacman-key just yet. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: delay gpgme_init() until latest possible momentDan McGee2011-10-12
| | | | | | | | | | | | | | In the default configuration, we can enter the signing code but still have nothing to do with GPGME- for example, if database signatures are optional but none are present. Delay initialization of GPGME until we know there is a signature file present or we were passed base64-encoded data. This also makes debugging with valgrind a lot easier as you don't have to deal with all the GPGME error noise because their code leaks like a sieve. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix compilation using --without-gpgmeDan McGee2011-09-27
| | | | | | | I'm really good at breaking this on a regular basis. If only we had some sort of automated testing for this... Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove unnecessary loggerDan McGee2011-09-27
| | | | | | | This is just a wrapper function; the real function we call logs an almost identical line. Signed-off-by: Dan McGee <dan@archlinux.org>
* Update Doxyfile and fix some documentation errors caught by DoxygenDan McGee2011-09-22
| | | | | | | A few parameters were outdated or wrongly named, and a few things were explicitly linked that Doxygen wasn't able to resolve. Signed-off-by: Dan McGee <dan@archlinux.org>
* Handle key import errors correctly and with good error messagesDan McGee2011-09-22
| | | | | | | | | This adds calls to gpgme_op_import_result() which we were not looking at before to ensure the key was actually imported. Additionally, we do some preemptive checks to ensure the keyring is even writable if we are going to prompt the user to add things to it. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: be consistent with returning -1 for error casesDan McGee2011-09-22
| | | | | | | | This also fixes a segfault found by dave when key_search is unsuccessful; the key_search return code documentation has also been updated to reflect reality. Signed-off-by: Dan McGee <dan@archlinux.org>
* Add status and check for key being disabledDan McGee2011-09-22
| | | | | | | | | | Because we aren't using gpgv and a dedicated keyring that is known to be all safe, we should honor this flag being set on a given key in the keyring to know to not honor it. This prevents a key from being reimported that a user does not want to be used- instead of deleting, one should mark it as disabled. Signed-off-by: Dan McGee <dan@archlinux.org>
* Implement PGP key search and importDan McGee2011-09-22
| | | | | | | | | | | | | | | Add two new static methods, key_search() and key_import(), to our growing list of signing code. If we come across a key we do not have, attempt to look it up remotely and ask the user if they wish to import said key. If they do, flag the validation process as a potential 'retry', meaning it might succeed the next time it is ran. These depend on you having a 'keyserver hkp://foo.example.com' line in your gpg.conf file in your gnupg home directory to function. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: document most undocumented functionsDan McGee2011-09-22
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix possible segfault if siglist was emptyDan McGee2011-09-22
| | | | | | | | If siglist->results wasn't a NULL pointer, we would try to free it anyway, even if siglist->count was zero. Only attempt to free this pointer if we had results and the pointer is valid. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: add a process and retry loop for database signaturesDan McGee2011-09-20
| | | | | | | | | | | | | | | | | | | | | | | In reality, there is no retrying that happens as of now because we don't have any import or changing of the keyring going on, but the code is set up so we can drop this in our new _alpm_process_siglist() function. Wire up the basics to the sync database validation code, so we see something like the following: $ pacman -Ss unknowntrust error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust error: database 'core' is not valid (invalid or corrupted database (PGP signature)) $ pacman -Ss missingsig error: core: missing required signature error: core: missing required signature error: database 'core' is not valid (invalid or corrupted database (PGP signature)) Yes, there is some double output, but this should be fixable in the future. Signed-off-by: Dan McGee <dan@archlinux.org>
* Allow our PGP helper method to pass back the signature resultsDan McGee2011-09-20
| | | | | | | This will make its way up the call chain eventually to allow trusting and importing of keys as necessary. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix build without gpgmeDan McGee2011-09-18
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* More package operations cleanupDan McGee2011-09-02
| | | | | | | | Neither deltas nor filename attributes are ever present in the local database, so we can remove all of the indirection for accessing these attributes. Signed-off-by: Dan McGee <dan@archlinux.org>
* Add more info to debug key displayDan McGee2011-08-28
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Refactor signature result return formatDan McGee2011-08-28
| | | | | | | | | | | | | | | | | | | I was trying to take a shortcut and not introduce a wrapper struct for the signature results, so packed it all into alpm_sigresult_t in the first iteration. However, this is painful when one wants to add new fields or only return information regarding a single signature. Refactor the type into a few components which are exposed to the end user, and will allow a lot more future flexibility. This also exposes more information regarding the key to the frontend than was previously available. The "private" void *data pointer is used by the library to store the actual key object returned by gpgme; it is typed this way so the frontend has no expectations of what is there, and so we don't have any hard gpgme requirement in our public API. Signed-off-by: Dan McGee <dan@archlinux.org>
* lib/libalpm/signing.c: Fix memory leak in decode_signature() in case of error.Diogo Sousa2011-08-28
| | | | | Signed-off-by: Diogo Sousa <diogogsousa@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Always process validity value returned by gpgmeDan McGee2011-08-25
| | | | | | | Don't force 'never'; you should be checking both the status and validity anyway. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix small memory leak in sig check codeDan McGee2011-08-25
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove argument from check_pgp_helperDan McGee2011-08-25
| | | | | | | This one wasn't all that necessary as we only used it in one place in the function, which can be checked easily enough at the call site. Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove alpm_option_get_* usage from backendDan McGee2011-08-19
| | | | | | These are all available directly on the handle without indirection. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix compilation using --without-gpgmeDan McGee2011-08-16
| | | | | | | This function is used regardless of whether gpgme support is enabled, so make sure it is always accessible. Signed-off-by: Dan McGee <dan@archlinux.org>
* Only check necessary signatures and checksumsDan McGee2011-08-15
| | | | | | | | | | | The precedence goes as follows: signature > sha256sum > md5sum Add some logic and helper methods to check what we have available when loading a package, and then only check what is necessary to verify the package. This should speed up sync database verifies as we no longer will be doing both a checksum and a signature validation. Signed-off-by: Dan McGee <dan@archlinux.org>
* decode_signature: guess signature data length for efficiencyDan McGee2011-08-15
| | | | | | | | | We may end up allocating 1 or 2 extra bytes this way, but it is worth it to simplify the method and not have to call base64_decode() a second time. Use the hueristic that base64 encoding produces 3 bytes of decoded data for every 4 bytes of encoded data. Signed-off-by: Dan McGee <dan@archlinux.org>
* Update base64 PolarSSL codeDan McGee2011-08-15
| | | | | | | Also adjust our code using it for the size_t adjustments made by upstream. Signed-off-by: Dan McGee <dan@archlinux.org>
* Revamp signing checksDan McGee2011-07-28
| | | | | | | | | | | | | This ensures we are actually making correct use of the information gpgme is returning to us. Marginal being allowed was obvious before, but Unknown should deal with trust level, and not the presence or lack thereof of a public key to validate the signature with. Return status and validity information in two separate values so check methods and the frontend can use them independently. For now, we treat expired keys as valid, while expired signatures are invalid. Signed-off-by: Dan McGee <dan@archlinux.org>
* replace access() calls for debug info where applicableFlorian Pritz2011-07-18
| | | | | Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
* signing.c: check if needed files are readableFlorian Pritz2011-07-18
| | | | | | | | | If we can't read the keyring, gpgme will output confusing debug information and fail to verify the signature, so we should log some debug information. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix compilation without gpgmeAllan McRae2011-07-18
| | | | | Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
* Allow frontend access to signature verification informationDan McGee2011-07-05
| | | | | | | | | | | | | | | | Show output in -Qip for each package signature, which includes the UID string from the key ("Joe User <joe@example.com>") and the validity of said key. Example output: Signatures : Valid signature from "Dan McGee <dpmcgee@gmail.com>" Unknown signature from "<Key Unknown>" Invalid signature from "Dan McGee <dpmcgee@gmail.com>" Also add a backend alpm_sigresult_cleanup() function since memory allocation took place on this object, and we need some way of freeing it. Signed-off-by: Dan McGee <dan@archlinux.org>
* Correctly check the GPG error codesDan McGee2011-07-05
| | | | | | | | | | The error code is in fact a bitmask value of an error code and an error source, so use the proper function to get only the relevant bits. For the no error case, this shouldn't ever matter, but it bit me when I was trying to compare the error code to other values and wondered why it wasn't working, so set a good example. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: move to new signing verification and return schemeDan McGee2011-07-05
| | | | | | | | | | | | | | | | | This gives us more granularity than the former Never/Optional/Always trifecta. The frontend still uses these values temporarily but that will be changed in a future patch. * Use 'siglevel' consistenly in method names, 'level' as variable name * The level becomes an enum bitmask value for flexibility * Signature check methods now return a array of status codes rather than a simple integer success/failure value. This allows callers to determine whether things such as an unknown signature are valid. * Specific signature error codes mostly disappear in favor of the above returned status code; pm_errno is now set only to PKG_INVALID_SIG or DB_INVALID_SIG as appropriate. Signed-off-by: Dan McGee <dan@archlinux.org>
* Prefix _alpm_errno_t members with ALPMAllan McRae2011-07-02
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Prefix alpm_loglevel_t members with ALPMAllan McRae2011-07-02
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* signing: check validity of all available signaturesDan McGee2011-06-30
| | | | | | | | Change the check into a loop over all signatures present and returned by GPGME. Also modify the return values and checks slightly now that I know a little bit more about what type of values are returned. Signed-off-by: Dan McGee <dan@archlinux.org>
* Make alpm_db_get_sigverify_level() publicDan McGee2011-06-30
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Rename pmpkg_t to alpm_pkg_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Rename pmdb_t to alpm_db_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Rename pmhandle_t to alpm_handle_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* API: change 'signaturedir' to 'gpgdir'Dan McGee2011-06-15
| | | | | | | | This is more in line with reality and what we have our makepkg, etc. options named anyway. Original-patch-by: Kerrick Staley <mail@kerrickstaley.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Rename and rework signing helper methodsDan McGee2011-06-14
| | | | | | | | | | | | | * Don't name static methods with a gpgme_ prefix to avoid confusion with methods provided by the library. These are static and local to our file so just give them sane non-prefixed names. * Rework sigsum_test_bit() to not require assignment. * Don't balk if there is more than one signature available (for now, only check the first). * Fix error codes in publicly visible methods to return -1, not 0, if pkg or db are not provided. Signed-off-by: Dan McGee <dan@archlinux.org>
* Ensure handle is valid and pm_errno is reset when calling into APIDan McGee2011-06-14
| | | | | | | | | | | | | | | | | We didn't do due diligence before and ensure prior pm_errno values weren't influencing what happened in further ALPM calls. I observed one case of early setup code setting pm_errno to PM_ERR_WRONG_ARGS and that flag persisting the entire time we were calling library code. Add a new CHECK_HANDLE() macro that does two things: 1) ensures the handle variable passed to it is non-NULL and 2) clears any existing pm_errno flag set on the handle. This macro can replace many places we used the ASSERT(handle != NULL, ...) pattern before. Several other other places only need a simple 'set to zero' of the pm_errno field. Signed-off-by: Dan McGee <dan@archlinux.org>
* Switch all logging to use handle directlyDan McGee2011-06-13
| | | | | | | This is the last user of our global handle object. Once again the diff is large but the functional changes are not. Signed-off-by: Dan McGee <dan@archlinux.org>
* Move pm_errno onto the handleDan McGee2011-06-13
| | | | | | This involves some serious changes and a very messy diff, unfortunately. Signed-off-by: Dan McGee <dan@archlinux.org>