pull: honor gpg-verify-summary=false when a summary signature is present

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

src/libostree/ostree-repo-pull.c

@@ -1893,15 +1893,16 @@ ostree_repo_pull_with_options (OstreeRepo             *self,
       {
         pull_data->summary_data = g_bytes_ref (bytes_summary);
         pull_data->summary = g_variant_new_from_bytes (OSTREE_SUMMARY_GVARIANT_FORMAT, bytes_summary, FALSE);
+
+        if (bytes_sig)
+          pull_data->summary_data_sig = g_bytes_ref (bytes_sig);
       }
 
-    if (bytes_summary && bytes_sig)
+    if (pull_data->gpg_verify_summary && bytes_summary && bytes_sig)
       {
         g_autoptr(GVariant) sig_variant = NULL;
         glnx_unref_object OstreeGpgVerifyResult *result = NULL;
 
-        pull_data->summary_data_sig = g_bytes_ref (bytes_sig);
-
         sig_variant = g_variant_new_from_bytes (OSTREE_SUMMARY_SIG_GVARIANT_FORMAT, bytes_sig, FALSE);
         result = _ostree_repo_gpg_verify_with_metadata (self,
                                                         bytes_summary,

tests/test-pull-mirror-summary.sh

@@ -94,6 +94,20 @@ assert_has_file repo/summary
 assert_has_file repo/summary.sig
 echo "ok pull mirror with signed summary"
 
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{,.good}
+truncate --size=1 ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig
+
+cd ${test_tmpdir}
+rm -rf repo
+mkdir repo
+${OSTREE} --repo=repo init --mode=archive-z2
+${OSTREE} --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo
+${OSTREE} --repo=repo pull --mirror origin
+assert_has_file repo/summary
+assert_has_file repo/summary.sig
+mv ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.good,}
+echo "ok pull mirror with invalid summary sig and no verification"
+
 # Uncomment when we support mirroring deltas
 #
 # ${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo static-delta generate main