lib/gpg: Provide the public key to the duplicate check

Add keys from the signing homedir to the GpgVerifier used to look
for duplicate signatures. This will allow signatures from subkeys
to be canonicalised and recognised as already signed despite the
differing key ID, avoiding duplicate signatures.

Closes: https://github.com/ostreedev/ostree/issues/608

Closes: #1092
Approved by: cgwalters
Robert McQueen 2017-08-03 10:54:33 +01:00 committed by Atomic Bot
parent 6b6408a7d0
commit 59dff7175e
1 changed files with 5 additions and 2 deletions

@ -4261,11 +4261,14 @@ ostree_repo_sign_commit (OstreeRepo *self,
/* The verify operation is merely to parse any existing signatures to
* check if the commit has already been signed with the given key ID.
* We want to avoid storing duplicate signatures in the metadata. */
* We want to avoid storing duplicate signatures in the metadata. We
* pass the homedir so that the signing key can be imported, allowing
* subkey signatures to be recognised. */
g_autoptr(GError) local_error = NULL;
g_autoptr(GFile) verify_keydir = g_file_new_for_path (homedir);
g_autoptr(OstreeGpgVerifyResult) result
=_ostree_repo_gpg_verify_with_metadata (self, commit_data, old_metadata,
NULL, NULL, NULL,
NULL, verify_keydir, NULL,
cancellable, &local_error);
if (!result)
{
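Review bot: `verify_keydir` is created with `g_file_new_for_path (homedir)` unconditionally, and no NULL check on `homedir` is visible in this hunk. If `ostree_repo_sign_commit` lets callers pass a NULL homedir to use the default GnuPG home, this call needs a guard: declare `verify_keydir` as NULL and only build the GFile when `homedir != NULL`, so the duplicate check falls back to its previous behaviour (no extra keyring directory) in that case. Separately, the change touches a single file and adds no test; a test that signs the same commit twice with a subkey and asserts that only one signature is stored would pin down the behaviour the commit message describes.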