packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

repo: Add remote's keyring during GPG verification 

This is pretty fugly but it at least avoids new public API.
This commit is contained in:
Matthew Barnes 2015-05-01 15:38:08 -04:00
parent 4d7e73ede1
commit a9b87ebc18
3 changed files with 113 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/libostree/ostree-repo-private.h
View File

@ -199,11 +199,21 @@ OstreeGpgVerifyResult *
_ostree_repo_gpg_verify_with_metadata (OstreeRepo *self, _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GBytes *signed_data, GBytes *signed_data,
GVariant *metadata, GVariant *metadata,
const char *remote_name,
GFile *keyringdir, GFile *keyringdir,
GFile *extra_keyring, GFile *extra_keyring,
GCancellable *cancellable, GCancellable *cancellable,
GError **error); GError **error);
OstreeGpgVerifyResult *
_ostree_repo_verify_commit_internal (OstreeRepo *self,
const char *commit_checksum,
const char *remote_name,
GFile *keyringdir,
GFile *extra_keyring,
GCancellable *cancellable,
GError **error);
gboolean gboolean
_ostree_repo_commit_loose_final (OstreeRepo *self, _ostree_repo_commit_loose_final (OstreeRepo *self,
const char *checksum, const char *checksum,

14
src/libostree/ostree-repo-pull.c
View File

@ -968,12 +968,13 @@ scan_commit_object (OtPullData *pull_data,
{ {
glnx_unref_object OstreeGpgVerifyResult *result = NULL; glnx_unref_object OstreeGpgVerifyResult *result = NULL;
result = ostree_repo_verify_commit_ext (pull_data->repo, result = _ostree_repo_verify_commit_internal (pull_data->repo,
checksum, checksum,
NULL, pull_data->remote_name,
NULL, NULL,
cancellable, NULL,
error); cancellable,
error);
if (result == NULL) if (result == NULL)
goto out; goto out;
@ -1926,6 +1927,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
sig_variant, sig_variant,
NULL, NULL,
NULL, NULL,
NULL,
cancellable, cancellable,
error); error);
if (result == NULL) if (result == NULL)

132
src/libostree/ostree-repo.c
View File

@ -3561,7 +3561,7 @@ ostree_repo_sign_commit (OstreeRepo *self,
result = _ostree_repo_gpg_verify_with_metadata (self, result = _ostree_repo_gpg_verify_with_metadata (self,
commit_data, commit_data,
old_metadata, old_metadata,
NULL, NULL, NULL, NULL, NULL,
cancellable, cancellable,
&local_error); &local_error);
@ -3694,10 +3694,14 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
return ret; return ret;
} }
/* Special remote for _ostree_repo_gpg_verify_with_metadata() */
static const char *OSTREE_ALL_REMOTES = "__OSTREE_ALL_REMOTES__";
OstreeGpgVerifyResult * OstreeGpgVerifyResult *
_ostree_repo_gpg_verify_with_metadata (OstreeRepo *self, _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GBytes *signed_data, GBytes *signed_data,
GVariant *metadata, GVariant *metadata,
const char *remote_name,
GFile *keyringdir, GFile *keyringdir,
GFile *extra_keyring, GFile *extra_keyring,
GCancellable *cancellable, GCancellable *cancellable,
@ -3715,6 +3719,33 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
if (!verifier) if (!verifier)
goto out; goto out;
if (remote_name == OSTREE_ALL_REMOTES)
{
/* Add all available remote keyring files. */
if (!_ostree_gpg_verifier_add_keyring_dir (verifier, self->repodir,
cancellable, error))
goto out;
}
else if (remote_name != NULL)
{
/* Add the remote's keyring file. OstreeGpgVerifier
* will ignore it if the keyring file does not exist. */
OstreeRemote *remote;
g_autoptr(GFile) file = NULL;
remote = ost_repo_get_remote (self, remote_name, error);
if (remote == NULL)
goto out;
file = g_file_get_child (self->repodir, remote->keyring);
_ostree_gpg_verifier_add_keyring (verifier, file);
ost_remote_unref (remote);
}
if (keyringdir) if (keyringdir)
{ {
if (!_ostree_gpg_verifier_add_keyring_dir (verifier, keyringdir, if (!_ostree_gpg_verifier_add_keyring_dir (verifier, keyringdir,
@ -3764,6 +3795,62 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
return result; return result;
} }
/* Needed an internal version for the remote_name parameter. */
OstreeGpgVerifyResult *
_ostree_repo_verify_commit_internal (OstreeRepo *self,
const char *commit_checksum,
const char *remote_name,
GFile *keyringdir,
GFile *extra_keyring,
GCancellable *cancellable,
GError **error)
{
OstreeGpgVerifyResult *result = NULL;
gs_unref_variant GVariant *commit_variant = NULL;
gs_unref_variant GVariant *metadata = NULL;
gs_unref_bytes GBytes *signed_data = NULL;
/* Load the commit */
if (!ostree_repo_load_variant (self, OSTREE_OBJECT_TYPE_COMMIT,
commit_checksum, &commit_variant,
error))
{
g_prefix_error (error, "Failed to read commit: ");
goto out;
}
/* Load the metadata */
if (!ostree_repo_read_commit_detached_metadata (self,
commit_checksum,
&metadata,
cancellable,
error))
{
g_prefix_error (error, "Failed to read detached metadata: ");
goto out;
}
signed_data = g_variant_get_data_as_bytes (commit_variant);
/* XXX This is a hackish way to indicate to use ALL remote-specific
* keyrings in the signature verification. We want this when
* verifying a signed commit that's already been pulled. */
if (remote_name == NULL)
remote_name = OSTREE_ALL_REMOTES;
result = _ostree_repo_gpg_verify_with_metadata (self,
signed_data,
metadata,
remote_name,
keyringdir,
extra_keyring,
cancellable,
error);
out:
return result;
}
/** /**
* ostree_repo_verify_commit: * ostree_repo_verify_commit:
* @self: Repository * @self: Repository
@ -3828,42 +3915,13 @@ ostree_repo_verify_commit_ext (OstreeRepo *self,
GCancellable *cancellable, GCancellable *cancellable,
GError **error) GError **error)
{ {
OstreeGpgVerifyResult *result = NULL; return _ostree_repo_verify_commit_internal (self,
g_autoptr(GVariant) commit_variant = NULL; commit_checksum,
g_autoptr(GFile) keyringdir_ref = NULL; NULL,
g_autoptr(GVariant) metadata = NULL; keyringdir,
g_autoptr(GBytes) signed_data = NULL; extra_keyring,
g_autofree char *commit_filename = NULL; cancellable,
error);
/* Create a temporary file for the commit */
if (!ostree_repo_load_variant (self, OSTREE_OBJECT_TYPE_COMMIT,
commit_checksum, &commit_variant,
error))
{
g_prefix_error (error, "Failed to read commit: ");
goto out;
}
/* Load the metadata */
if (!ostree_repo_read_commit_detached_metadata (self,
commit_checksum,
&metadata,
cancellable,
error))
{
g_prefix_error (error, "Failed to read detached metadata: ");
goto out;
}
signed_data = g_variant_get_data_as_bytes (commit_variant);
result = _ostree_repo_gpg_verify_with_metadata (self,
signed_data, metadata,
keyringdir, extra_keyring,
cancellable, error);
out:
return result;
} }
/** /**