packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

repo: Change GPG verification policy 

The global keyring directory (trusted.gpg.d) is deprecated.  Only use it
when a specified remote does NOT have its own keyring, or when verifying
local repository objects.

Note, because mixing in the global keyring directory is now an explicit
choice, OstreeGpgVerifier no longer needs to implement GInitableIface.
This commit is contained in:
Matthew Barnes 2015-06-05 12:45:41 -04:00
parent 4f6f97caf0
commit 9f1b50d41c
3 changed files with 56 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
src/libostree/ostree-gpg-verifier.c
View File

@ -40,10 +40,7 @@ struct OstreeGpgVerifier {
GList *keyrings;
};
static void _ostree_gpg_verifier_initable_iface_init (GInitableIface *iface);
G_DEFINE_TYPE_WITH_CODE (OstreeGpgVerifier, _ostree_gpg_verifier, G_TYPE_OBJECT,
G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, _ostree_gpg_verifier_initable_iface_init))
G_DEFINE_TYPE (OstreeGpgVerifier, _ostree_gpg_verifier, G_TYPE_OBJECT)
static void
ostree_gpg_verifier_finalize (GObject *object)
@ -71,42 +68,6 @@ _ostree_gpg_verifier_init (OstreeGpgVerifier *self)
{
}
static gboolean
ostree_gpg_verifier_initable_init (GInitable *initable,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
OstreeGpgVerifier *self = (OstreeGpgVerifier*)initable;
const char *default_keyring_path = g_getenv ("OSTREE_GPG_HOME");
g_autoptr(GFile) default_keyring_dir = NULL;
if (!default_keyring_path)
default_keyring_path = DATADIR "/ostree/trusted.gpg.d/";
if (g_file_test (default_keyring_path, G_FILE_TEST_IS_DIR))
{
default_keyring_dir = g_file_new_for_path (default_keyring_path);
if (!_ostree_gpg_verifier_add_keyring_dir (self, default_keyring_dir,
cancellable, error))
{
g_prefix_error (error, "Reading keyring directory '%s'",
gs_file_get_path_cached (default_keyring_dir));
goto out;
}
}
ret = TRUE;
out:
return ret;
}
static void
_ostree_gpg_verifier_initable_iface_init (GInitableIface *iface)
{
iface->init = ostree_gpg_verifier_initable_init;
}
static void
verify_result_finalized_cb (gpointer data,
GObject *finalized_verify_result)
@ -323,9 +284,40 @@ _ostree_gpg_verifier_add_keyring_dir (OstreeGpgVerifier *self,
return ret;
}
OstreeGpgVerifier*
_ostree_gpg_verifier_new (GCancellable *cancellable,
GError **error)
gboolean
_ostree_gpg_verifier_add_global_keyring_dir (OstreeGpgVerifier *self,
GCancellable *cancellable,
GError **error)
{
return g_initable_new (OSTREE_TYPE_GPG_VERIFIER, cancellable, error, NULL);
const char *global_keyring_path = g_getenv ("OSTREE_GPG_HOME");
g_autoptr(GFile) global_keyring_dir = NULL;
gboolean ret = FALSE;
g_return_val_if_fail (OSTREE_IS_GPG_VERIFIER (self), FALSE);
if (global_keyring_path == NULL)
global_keyring_path = DATADIR "/ostree/trusted.gpg.d/";
if (g_file_test (global_keyring_path, G_FILE_TEST_IS_DIR))
{
global_keyring_dir = g_file_new_for_path (global_keyring_path);
if (!_ostree_gpg_verifier_add_keyring_dir (self, global_keyring_dir,
cancellable, error))
{
g_prefix_error (error, "Reading keyring directory '%s'",
gs_file_get_path_cached (global_keyring_dir));
goto out;
}
}
ret = TRUE;
out:
return ret;
}
OstreeGpgVerifier*
_ostree_gpg_verifier_new (void)
{
return g_object_new (OSTREE_TYPE_GPG_VERIFIER, NULL);
}

7
src/libostree/ostree-gpg-verifier.h
View File

@ -37,8 +37,7 @@ typedef struct OstreeGpgVerifier OstreeGpgVerifier;
GType _ostree_gpg_verifier_get_type (void);
OstreeGpgVerifier *_ostree_gpg_verifier_new (GCancellable *cancellable,
GError **error);
OstreeGpgVerifier *_ostree_gpg_verifier_new (void);
OstreeGpgVerifyResult *_ostree_gpg_verifier_check_signature (OstreeGpgVerifier *self,
GBytes *signed_data,
@ -51,6 +50,10 @@ gboolean _ostree_gpg_verifier_add_keyring_dir (OstreeGpgVerifier *self,
GCancellable *cancellable,
GError **error);
gboolean _ostree_gpg_verifier_add_global_keyring_dir (OstreeGpgVerifier *self,
GCancellable *cancellable,
GError **error);
void _ostree_gpg_verifier_add_keyring (OstreeGpgVerifier *self,
GFile *path);

21
src/libostree/ostree-repo.c
View File

@ -3745,10 +3745,9 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GVariantIter iter;
GVariant *child;
g_autoptr (GBytes) signatures = NULL;
gboolean add_global_keyring_dir = TRUE;
verifier = _ostree_gpg_verifier_new (cancellable, error);
if (!verifier)
goto out;
verifier = _ostree_gpg_verifier_new ();
if (remote_name == OSTREE_ALL_REMOTES)
{
@ -3760,8 +3759,7 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
}
else if (remote_name != NULL)
{
/* Add the remote's keyring file. OstreeGpgVerifier
* will ignore it if the keyring file does not exist. */
/* Add the remote's keyring file if it exists. */
OstreeRemote *remote;
g_autoptr(GFile) file = NULL;
@ -3772,11 +3770,22 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
file = g_file_get_child (self->repodir, remote->keyring);
_ostree_gpg_verifier_add_keyring (verifier, file);
if (g_file_query_exists (file, cancellable))
{
_ostree_gpg_verifier_add_keyring (verifier, file);
add_global_keyring_dir = FALSE;
}
ost_remote_unref (remote);
}
if (add_global_keyring_dir)
{
/* Use the deprecated global keyring directory. */
if (!_ostree_gpg_verifier_add_global_keyring_dir (verifier, cancellable, error))
goto out;
}
if (keyringdir)
{
if (!_ostree_gpg_verifier_add_keyring_dir (verifier, keyringdir,