packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pull-local: Support --gpg-verify and --gpg-verify-summary 

Force the otherwise disabled gpg verifications on.
Note: You need to pass --remote=foo so we know what gpg keys to verify
against.

Closes: #237
Approved by: cgwalters
This commit is contained in:
Alexander Larsson 2016-04-04 15:17:17 +02:00 committed by Colin Walters (automation)
parent 87298c84b8
commit ace0d4650b
3 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/libostree/ostree-repo-pull.c
View File

@ -1900,6 +1900,8 @@ ostree_repo_pull_with_options (OstreeRepo *self,
GSource *update_timeout = NULL;
gboolean disable_static_deltas = FALSE;
gboolean require_static_deltas = FALSE;
gboolean opt_gpg_verify = FALSE;
gboolean opt_gpg_verify_summary = FALSE;
if (options)
{
@ -1910,6 +1912,8 @@ ostree_repo_pull_with_options (OstreeRepo *self,
flags = flags_i;
(void) g_variant_lookup (options, "subdir", "&s", &dir_to_pull);
(void) g_variant_lookup (options, "override-remote-name", "s", &pull_data->remote_name);
(void) g_variant_lookup (options, "gpg-verify", "b", &opt_gpg_verify);
(void) g_variant_lookup (options, "gpg-verify-summary", "b", &opt_gpg_verify_summary);
(void) g_variant_lookup (options, "depth", "i", &pull_data->maxdepth);
(void) g_variant_lookup (options, "disable-static-deltas", "b", &disable_static_deltas);
(void) g_variant_lookup (options, "require-static-deltas", "b", &require_static_deltas);
@ -1967,10 +1971,18 @@ ostree_repo_pull_with_options (OstreeRepo *self,
if (_ostree_repo_remote_name_is_file (remote_name_or_baseurl))
{
/* For compatibility with pull-local, don't gpg verify local
* pulls.
* pulls by default.
*/
pull_data->gpg_verify = FALSE;
pull_data->gpg_verify_summary = FALSE;
pull_data->gpg_verify = opt_gpg_verify;
pull_data->gpg_verify_summary = opt_gpg_verify_summary;
if ((pull_data->gpg_verify || pull_data->gpg_verify_summary) &&
pull_data->remote_name == NULL)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Must specify remote name to enable gpg verification");
goto out;
}
}
else
{
@ -2181,7 +2193,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
result = _ostree_repo_gpg_verify_with_metadata (self,
bytes_summary,
sig_variant,
remote_name_or_baseurl,
pull_data->remote_name,
NULL,
NULL,
cancellable,

12
src/ostree/ot-builtin-pull-local.c
View File

@ -33,12 +33,16 @@
static char *opt_remote;
static gboolean opt_disable_fsync;
static gboolean opt_untrusted;
static gboolean opt_gpg_verify;
static gboolean opt_gpg_verify_summary;
static int opt_depth = 0;
static GOptionEntry options[] = {
{ "remote", 0, 0, G_OPTION_ARG_STRING, &opt_remote, "Add REMOTE to refspec", "REMOTE" },
{ "disable-fsync", 0, 0, G_OPTION_ARG_NONE, &opt_disable_fsync, "Do not invoke fsync()", NULL },
{ "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not trust source", NULL },
{ "gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify, "GPG verify commits (must specify --remote)", NULL },
{ "gpg-verify-summary", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify_summary, "GPG verify summary (must specify --remote)", NULL },
{ "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" },
{ NULL }
};
@ -145,9 +149,15 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr
if (opt_remote)
g_variant_builder_add (&builder, "{s@v}", "override-remote-name",
g_variant_new_variant (g_variant_new_string (opt_remote)));
if (opt_gpg_verify)
g_variant_builder_add (&builder, "{s@v}", "gpg-verify",
g_variant_new_variant (g_variant_new_boolean (TRUE)));
if (opt_gpg_verify_summary)
g_variant_builder_add (&builder, "{s@v}", "gpg-verify-summary",
g_variant_new_variant (g_variant_new_boolean (TRUE)));
g_variant_builder_add (&builder, "{s@v}", "depth",
g_variant_new_variant (g_variant_new_int32 (opt_depth)));
if (!ostree_repo_pull_with_options (repo, src_repo_uri,
g_variant_builder_end (&builder),
progress,

40
tests/test-local-pull.sh
View File

@ -19,11 +19,14 @@
set -euo pipefail
# We don't want OSTREE_GPG_HOME used for these tests.
unset OSTREE_GPG_HOME
. $(dirname $0)/libtest.sh
skip_without_user_xattrs
echo "1..4"
echo "1..7"
setup_test_repository "archive-z2"
echo "ok setup"
@ -57,3 +60,38 @@ find checkout3 -printf '%P %s %#m %u/%g %y %l\n' | sort > checkout3.files
cmp checkout1.files checkout2.files
cmp checkout1.files checkout3.files
echo "ok checkouts same"
mkdir repo4
${CMD_PREFIX} ostree --repo=repo4 init --mode="archive-z2"
${CMD_PREFIX} ostree --repo=repo4 remote add --gpg-import ${test_tmpdir}/gpghome/key1.asc origin repo
if ${CMD_PREFIX} ostree --repo=repo4 pull-local --remote=origin --gpg-verify repo test2 2>&1; then
assert_not_reached "GPG verification unexpectedly succeeded"
fi
echo "ok --gpg-verify with no signature"
${OSTREE} gpg-sign --gpg-homedir=${TEST_GPG_KEYHOME} test2 ${TEST_GPG_KEYID_1}
mkdir repo5
${CMD_PREFIX} ostree --repo=repo5 init --mode="archive-z2"
${CMD_PREFIX} ostree --repo=repo5 remote add --gpg-import ${test_tmpdir}/gpghome/key1.asc origin repo
${CMD_PREFIX} ostree --repo=repo5 pull-local --remote=origin --gpg-verify repo test2
echo "ok --gpg-verify"
mkdir repo6
${CMD_PREFIX} ostree --repo=repo6 init --mode="archive-z2"
${CMD_PREFIX} ostree --repo=repo6 remote add --gpg-import ${test_tmpdir}/gpghome/key1.asc origin repo
if ${CMD_PREFIX} ostree --repo=repo6 pull-local --remote=origin --gpg-verify-summary repo test2 2>&1; then
assert_not_reached "GPG summary verification with no summary unexpectedly succeeded"
fi
${OSTREE} summary -u update
if ${CMD_PREFIX} ostree --repo=repo6 pull-local --remote=origin --gpg-verify-summary repo test2 2>&1; then
assert_not_reached "GPG summary verification with signed no summary unexpectedly succeeded"
fi
${OSTREE} summary -u update --gpg-sign=${TEST_GPG_KEYID_1} --gpg-homedir=${TEST_GPG_KEYHOME}
${CMD_PREFIX} ostree --repo=repo6 pull-local --remote=origin --gpg-verify-summary repo test2 2>&1
echo "ok --gpg-verify-summary"