Break out the signature verification code into a helper function

This changes nothing in the behaviour, but we want to later re-use
this when we also verify the summary index.
Alexander Larsson 2020-09-10 10:59:44 +02:00
parent 598adc457f
commit 1f1ef4c989
1 changed files with 79 additions and 60 deletions


@ -2623,6 +2623,80 @@ validate_variant_is_csum (GVariant *csum,
return ostree_validate_structureof_csum_v (csum, error); return ostree_validate_structureof_csum_v (csum, error);
} }
static gboolean
_ostree_repo_verify_summary (OstreeRepo *self,
const char *name,
gboolean gpg_verify_summary,
GPtrArray *signapi_summary_verifiers,
GBytes *summary,
GBytes *signatures,
GCancellable *cancellable,
GError **error)
{
if (gpg_verify_summary)
{
if (summary == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"GPG verification enabled, but no summary found (check that the configured URL in remote config is correct)");
return FALSE;
}
if (signatures == NULL)
{
g_set_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_NO_SIGNATURE,
"GPG verification enabled, but no summary signatures found (use gpg-verify-summary=false in remote config to disable)");
return FALSE;
}
/* Verify any summary signatures. */
if (summary != NULL && signatures != NULL)
{
g_autoptr(OstreeGpgVerifyResult) result = NULL;
result = ostree_repo_verify_summary (self,
name,
summary,
signatures,
cancellable,
error);
if (!ostree_gpg_verify_result_require_valid_signature (result, error))
return FALSE;
}
}
if (signapi_summary_verifiers)
{
if (summary == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"Signature verification enabled, but no summary found (check that the configured URL in remote config is correct)");
return FALSE;
}
if (signatures == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"Signature verification enabled, but no summary signatures found (use sign-verify-summary=false in remote config to disable)");
return FALSE;
}
/* Verify any summary signatures. */
if (summary != NULL && signatures != NULL)
{
g_autoptr(GVariant) sig_variant = NULL;
sig_variant = g_variant_new_from_bytes (OSTREE_SUMMARY_SIG_GVARIANT_FORMAT,
signatures, FALSE);
if (!_sign_verify_for_remote (signapi_summary_verifiers, summary, sig_variant, NULL, error))
return FALSE;
}
}
return TRUE;
}
static gboolean static gboolean
_ostree_repo_load_cache_summary_file (OstreeRepo *self, _ostree_repo_load_cache_summary_file (OstreeRepo *self,
const char *filename, const char *filename,
@ -6150,71 +6224,16 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self,
if (!ostree_repo_remote_get_gpg_verify_summary (self, name, &gpg_verify_summary, error)) if (!ostree_repo_remote_get_gpg_verify_summary (self, name, &gpg_verify_summary, error))
goto out; goto out;
if (gpg_verify_summary)
{
if (summary == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"GPG verification enabled, but no summary found (check that the configured URL in remote config is correct)");
goto out;
}
if (signatures == NULL)
{
g_set_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_NO_SIGNATURE,
"GPG verification enabled, but no summary signatures found (use gpg-verify-summary=false in remote config to disable)");
goto out;
}
/* Verify any summary signatures. */
if (summary != NULL && signatures != NULL)
{
g_autoptr(OstreeGpgVerifyResult) result = NULL;
result = ostree_repo_verify_summary (self,
name,
summary,
signatures,
cancellable,
error);
if (!ostree_gpg_verify_result_require_valid_signature (result, error))
goto out;
}
}
if (!_signapi_init_for_remote (self, name, NULL, if (!_signapi_init_for_remote (self, name, NULL,
&signapi_summary_verifiers, &signapi_summary_verifiers,
error)) error))
goto out; goto out;
if (signapi_summary_verifiers) if (!_ostree_repo_verify_summary (self, name,
{ gpg_verify_summary, signapi_summary_verifiers,
if (summary == NULL) summary, signatures,
{ cancellable, error))
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND, goto out;
"Signature verification enabled, but no summary found (check that the configured URL in remote config is correct)");
goto out;
}
if (signatures == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"Signature verification enabled, but no summary signatures found (use sign-verify-summary=false in remote config to disable)");
goto out;
}
/* Verify any summary signatures. */
if (summary != NULL && signatures != NULL)
{
g_autoptr(GVariant) sig_variant = NULL;
sig_variant = g_variant_new_from_bytes (OSTREE_SUMMARY_SIG_GVARIANT_FORMAT,
signatures, FALSE);
if (!_sign_verify_for_remote (signapi_summary_verifiers, summary, sig_variant, NULL, error))
goto out;
}
}
if (!summary_is_from_cache && summary && signatures) if (!summary_is_from_cache && summary && signatures)
{ {
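Review bot: The new `_ostree_repo_verify_summary` falls through to `return TRUE;` without checking anything when `gpg_verify_summary` is FALSE and `signapi_summary_verifiers` is NULL, so TRUE means "no enabled check failed", not "a signature was verified". The commit message says the helper will be reused for the summary index, so that contract should be written down above the function, for example `/* Returns TRUE if every verification enabled for the remote passed; also TRUE when none is enabled, so callers must not treat TRUE as proof of a signature. */`. In both branches the inner `if (summary != NULL && signatures != NULL)` is always true after the two NULL early returns; dropping it would make the verification calls read as unconditional. The `cancellable` parameter reaches only `ostree_repo_verify_summary` and not `_sign_verify_for_remote`, which is also worth stating in that comment.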