summaryrefslogtreecommitdiff
path: root/lib/libalpm/signing.c
Commit message (Collapse)AuthorAge
* Add more info to debug key displayDan McGee2011-08-28
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Refactor signature result return formatDan McGee2011-08-28
| | | | | | | | | | | | | | | | | | | I was trying to take a shortcut and not introduce a wrapper struct for the signature results, so packed it all into alpm_sigresult_t in the first iteration. However, this is painful when one wants to add new fields or only return information regarding a single signature. Refactor the type into a few components which are exposed to the end user, and will allow a lot more future flexibility. This also exposes more information regarding the key to the frontend than was previously available. The "private" void *data pointer is used by the library to store the actual key object returned by gpgme; it is typed this way so the frontend has no expectations of what is there, and so we don't have any hard gpgme requirement in our public API. Signed-off-by: Dan McGee <dan@archlinux.org>
* lib/libalpm/signing.c: Fix memory leak in decode_signature() in case of error.Diogo Sousa2011-08-28
| | | | | Signed-off-by: Diogo Sousa <diogogsousa@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Always process validity value returned by gpgmeDan McGee2011-08-25
| | | | | | | Don't force 'never'; you should be checking both the status and validity anyway. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix small memory leak in sig check codeDan McGee2011-08-25
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove argument from check_pgp_helperDan McGee2011-08-25
| | | | | | | This one wasn't all that necessary as we only used it in one place in the function, which can be checked easily enough at the call site. Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove alpm_option_get_* usage from backendDan McGee2011-08-19
| | | | | | These are all available directly on the handle without indirection. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix compilation using --without-gpgmeDan McGee2011-08-16
| | | | | | | This function is used regardless of whether gpgme support is enabled, so make sure it is always accessible. Signed-off-by: Dan McGee <dan@archlinux.org>
* Only check necessary signatures and checksumsDan McGee2011-08-15
| | | | | | | | | | | The precedence goes as follows: signature > sha256sum > md5sum Add some logic and helper methods to check what we have available when loading a package, and then only check what is necessary to verify the package. This should speed up sync database verifies as we no longer will be doing both a checksum and a signature validation. Signed-off-by: Dan McGee <dan@archlinux.org>
* decode_signature: guess signature data length for efficiencyDan McGee2011-08-15
| | | | | | | | | We may end up allocating 1 or 2 extra bytes this way, but it is worth it to simplify the method and not have to call base64_decode() a second time. Use the hueristic that base64 encoding produces 3 bytes of decoded data for every 4 bytes of encoded data. Signed-off-by: Dan McGee <dan@archlinux.org>
* Update base64 PolarSSL codeDan McGee2011-08-15
| | | | | | | Also adjust our code using it for the size_t adjustments made by upstream. Signed-off-by: Dan McGee <dan@archlinux.org>
* Revamp signing checksDan McGee2011-07-28
| | | | | | | | | | | | | This ensures we are actually making correct use of the information gpgme is returning to us. Marginal being allowed was obvious before, but Unknown should deal with trust level, and not the presence or lack thereof of a public key to validate the signature with. Return status and validity information in two separate values so check methods and the frontend can use them independently. For now, we treat expired keys as valid, while expired signatures are invalid. Signed-off-by: Dan McGee <dan@archlinux.org>
* replace access() calls for debug info where applicableFlorian Pritz2011-07-18
| | | | | Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
* signing.c: check if needed files are readableFlorian Pritz2011-07-18
| | | | | | | | | If we can't read the keyring, gpgme will output confusing debug information and fail to verify the signature, so we should log some debug information. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix compilation without gpgmeAllan McRae2011-07-18
| | | | | Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
* Allow frontend access to signature verification informationDan McGee2011-07-05
| | | | | | | | | | | | | | | | Show output in -Qip for each package signature, which includes the UID string from the key ("Joe User <joe@example.com>") and the validity of said key. Example output: Signatures : Valid signature from "Dan McGee <dpmcgee@gmail.com>" Unknown signature from "<Key Unknown>" Invalid signature from "Dan McGee <dpmcgee@gmail.com>" Also add a backend alpm_sigresult_cleanup() function since memory allocation took place on this object, and we need some way of freeing it. Signed-off-by: Dan McGee <dan@archlinux.org>
* Correctly check the GPG error codesDan McGee2011-07-05
| | | | | | | | | | The error code is in fact a bitmask value of an error code and an error source, so use the proper function to get only the relevant bits. For the no error case, this shouldn't ever matter, but it bit me when I was trying to compare the error code to other values and wondered why it wasn't working, so set a good example. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: move to new signing verification and return schemeDan McGee2011-07-05
| | | | | | | | | | | | | | | | | This gives us more granularity than the former Never/Optional/Always trifecta. The frontend still uses these values temporarily but that will be changed in a future patch. * Use 'siglevel' consistenly in method names, 'level' as variable name * The level becomes an enum bitmask value for flexibility * Signature check methods now return a array of status codes rather than a simple integer success/failure value. This allows callers to determine whether things such as an unknown signature are valid. * Specific signature error codes mostly disappear in favor of the above returned status code; pm_errno is now set only to PKG_INVALID_SIG or DB_INVALID_SIG as appropriate. Signed-off-by: Dan McGee <dan@archlinux.org>
* Prefix _alpm_errno_t members with ALPMAllan McRae2011-07-02
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Prefix alpm_loglevel_t members with ALPMAllan McRae2011-07-02
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* signing: check validity of all available signaturesDan McGee2011-06-30
| | | | | | | | Change the check into a loop over all signatures present and returned by GPGME. Also modify the return values and checks slightly now that I know a little bit more about what type of values are returned. Signed-off-by: Dan McGee <dan@archlinux.org>
* Make alpm_db_get_sigverify_level() publicDan McGee2011-06-30
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Rename pmpkg_t to alpm_pkg_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Rename pmdb_t to alpm_db_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* Rename pmhandle_t to alpm_handle_tAllan McRae2011-06-28
| | | | Signed-off-by: Allan McRae <allan@archlinux.org>
* API: change 'signaturedir' to 'gpgdir'Dan McGee2011-06-15
| | | | | | | | This is more in line with reality and what we have our makepkg, etc. options named anyway. Original-patch-by: Kerrick Staley <mail@kerrickstaley.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Rename and rework signing helper methodsDan McGee2011-06-14
| | | | | | | | | | | | | * Don't name static methods with a gpgme_ prefix to avoid confusion with methods provided by the library. These are static and local to our file so just give them sane non-prefixed names. * Rework sigsum_test_bit() to not require assignment. * Don't balk if there is more than one signature available (for now, only check the first). * Fix error codes in publicly visible methods to return -1, not 0, if pkg or db are not provided. Signed-off-by: Dan McGee <dan@archlinux.org>
* Ensure handle is valid and pm_errno is reset when calling into APIDan McGee2011-06-14
| | | | | | | | | | | | | | | | | We didn't do due diligence before and ensure prior pm_errno values weren't influencing what happened in further ALPM calls. I observed one case of early setup code setting pm_errno to PM_ERR_WRONG_ARGS and that flag persisting the entire time we were calling library code. Add a new CHECK_HANDLE() macro that does two things: 1) ensures the handle variable passed to it is non-NULL and 2) clears any existing pm_errno flag set on the handle. This macro can replace many places we used the ASSERT(handle != NULL, ...) pattern before. Several other other places only need a simple 'set to zero' of the pm_errno field. Signed-off-by: Dan McGee <dan@archlinux.org>
* Switch all logging to use handle directlyDan McGee2011-06-13
| | | | | | | This is the last user of our global handle object. Once again the diff is large but the functional changes are not. Signed-off-by: Dan McGee <dan@archlinux.org>
* Move pm_errno onto the handleDan McGee2011-06-13
| | | | | | This involves some serious changes and a very messy diff, unfortunately. Signed-off-by: Dan McGee <dan@archlinux.org>
* Require handle argument to all alpm_option_(get|set)_*() methodsDan McGee2011-06-09
| | | | | | | | This requires a lot of line changes, but not many functional changes as more often than not our handle variable is already available in some fashion. Signed-off-by: Dan McGee <dan@archlinux.org>
* Remove ALPM_LOG_FUNC macroDan McGee2011-06-03
| | | | | | | | | The usefulness of this is rather limited due to it not being compiled into production builds. When you do choose to see the output, it is often overwhelming and not helpful. The best bet is to use a debugger and/or well-placed fprintf() statements. Signed-off-by: Dan McGee <dan@archlinux.org>
* Fix incorrect memory allocation assignmentDan McGee2011-05-04
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Reduce duplicate signing debug code and fix logic conditionDan McGee2011-05-04
| | | | | | | | | | | We had a lot of similar looking code that we can collapse down into a function. This also fixes errors seen when turning on some gcc warnings and implicitly casting away the const-ness of the string. Free the list when we are done with it as well. Also, fix a logic error where we should be checking with &&, not ||. Signed-off-by: Dan McGee <dan@archlinux.org>
* Allow conditional compilation with GPGMEDan McGee2011-04-27
| | | | | | | | | This makes it possible to omit usage of -lgpgme, just as we can do for -lcurl and -lcrypto. Thanks to Rémy Oudompheng for an initial stab at this. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: add more detail to unexpected signature count errorDan McGee2011-04-24
| | | | | | | Do a quick loop and count of the returned data so we can show how many signatures were parsed and read. Signed-off-by: Dan McGee <dan@archlinux.org>
* Enhance GPGME debug outputDan McGee2011-04-24
| | | | | | | | | | Add some lookup functions for nice names for the various types used by the library, and remove some fields that are of little use to us in the debug output. This should make looking at key loading and verification a bit easier, especially in determining what makes up our good and bad criteria. Signed-off-by: Dan McGee <dan@archlinux.org>
* Rein in the complexity of the signature typeDan McGee2011-04-24
| | | | | | | | | | | | | | Given that we offer no transparency into the pmpgpsig_t type, we don't really need to expose it outside of the library, and at this point, we don't need it at all. Don't decode anything except when checking signatures. For packages/files not from a sync database, we now just read the signature file directly anyway. Also push the decoding logic down further into the check method so we don't need this hanging out in a less than ideal place. This will make it easier to conditionally compile things down the road. Signed-off-by: Dan McGee <dan@archlinux.org>
* signing: let GPGME handle loading signatures from filesDan McGee2011-04-24
| | | | | | | Rather than go through all the hassle of doing this ourselves, just let GPGME handle the work by passing it a file handle. Signed-off-by: Dan McGee <dan@archlinux.org>
* Rename gpgsig struct fields for clarityDan McGee2011-04-20
| | | | Signed-off-by: Dan McGee <dan@archlinux.org>
* Form the signature file location in one placeDan McGee2011-04-20
| | | | | | Since we do this for all cases anyway. Signed-off-by: Dan McGee <dan@archlinux.org>
* syntax: if/while statements should have no trailing spaceDan McGee2011-04-20
| | | | | | | | | | | This is the standard, and we have had a few of these introduced lately that should not be here. Done with: find -name '*.c' | xargs sed -i -e 's#if (#if(#g' find -name '*.c' | xargs sed -i -e 's#while (#while(#g' Signed-off-by: Dan McGee <dan@archlinux.org>
* Allow VerifySig to act as a default verification in [options]Dave Reisner2011-04-20
| | | | | | | | | | * add _alpm_db_get_sigverify_level * add alpm_option_{get,set}_default_sigverify And set the default verification level to OPTIONAL if not set otherwise. Signed-off-by: Dave Reisner <d@falconindy.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* style cleanup: cast as (type *) not (type*)Dave Reisner2011-04-20
| | | | | Signed-off-by: Dave Reisner <d@falconindy.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Do not reuse old signatureAllan McRae2011-03-23
| | | | | | | After updating a database, remove the old signature to prevent it being used in validation if the new signature fails to download. Signed-off-by: Allan McRae <allan@archlinux.org>
* Refactor signature loading code into common functionDan McGee2011-03-23
| | | | | | | We can use this for both standalone package signatures as well as standalone database signatures. Signed-off-by: Dan McGee <dan@archlinux.org>
* Add functions for verifying database signatureAllan McRae2011-03-23
| | | | | | | | | | | | Add a pmpgpsig_t struct to the database entry struct and functions for the lazy loading of database signatures. Add a function for checking database signatures, reusing (and generalizing) the code currently used for checking package signatures. TODO: The code for reading in signature files from the filesystem is duplicated for local packages and database and needs refactoring. Signed-off-by: Allan McRae <allan@archlinux.org>
* Report output from signature checking to debug logAllan McRae2011-03-23
| | | | | | | | Move the (possibly still temporary) output generated during signature checking into the --debug output. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
* Added gpg verification options per repo to the config file.Xavier Chantry2011-03-23
| | | | | | | | | | | Once we do this, add support for VerifySig to pactest. We just check if the repo name contains Always, Never or Optional to determine the value of VerifySig. The default is Never. pacman uses Always by default but this is not suitable for pactest. Original-work-by: shankar <jatheendra@gmail.com> Signed-off-by: Xavier Chantry <shiningxc@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org>
* Integrate GPGME into libalpmDan McGee2011-03-23
Signed-off-by: Dan McGee <dan@archlinux.org>