From 381b7b76005d96a8ba2fc782252ec7348fbc45f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20W=C3=B3jcik?=
Date: Tue, 1 Oct 2019 21:18:25 +0200
Subject: [PATCH] Sign index-meta
---
 bin/xbps-rindex/repoflush.c | 27 +++++++++++++++++++++++----
 include/xbps.h.in | 15 ++++++++-------
 lib/repo.c | 4 ++--
 3 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/bin/xbps-rindex/repoflush.c b/bin/xbps-rindex/repoflush.c
index 61d8f633..c617ccb6 100644
--- a/bin/xbps-rindex/repoflush.c
+++ b/bin/xbps-rindex/repoflush.c
@@ -93,8 +93,7 @@ repodata_flush(struct xbps_handle *xhp, const char *repodir,
 buf = xbps_dictionary_externalize(idx);
 if (buf == NULL)
 return false;
- buflen = strlen(buf);
- rv = xbps_archive_append_buf(ar, buf, buflen,
+ rv = xbps_archive_append_buf(ar, buf, strlen(buf),
 XBPS_REPOIDX, 0644, "root", "root");
 free(buf);
 if (rv != 0) {
@@ -110,12 +109,32 @@ repodata_flush(struct xbps_handle *xhp, const char *repodir,
 } else {
 buf = xbps_dictionary_externalize(meta);
 }
- rv = xbps_archive_append_buf(ar, buf, strlen(buf),
+ buflen = strlen(buf);
+ rv = xbps_archive_append_buf(ar, buf, buflen,
 XBPS_REPOIDX_META, 0644, "root", "root");
- free(buf);
 if (rv != 0)
 return false;

+ if (meta)
+ {
+ rv = sign_buffer(buf, buflen, privkey, &sig, &siglen);
+ free(buf);
+ if (rv != 0) {
+ free(sig);
+ return false;
+ }
+ assert(sig);
+ rv = xbps_archive_append_buf(ar, sig, siglen,
+ XBPS_REPOIDXMETA_SIG, 0644, "root", "root");
+ if (rv != 0) {
+ free(sig);
+ return false;
+ }
+ free(sig);
+ } else {
+ free(buf);
+ }
+
 /* Write data to tempfile and rename */
 if (archive_write_close(ar) != ARCHIVE_OK)
 return false;
diff --git a/include/xbps.h.in b/include/xbps.h.in
index 5df41b57..8354b2e0 100644
--- a/include/xbps.h.in
+++ b/include/xbps.h.in
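Review bot: In the second bin/xbps-rindex/repoflush.c hunk, moving `free(buf)` below the `XBPS_REPOIDX_META` append means the `if (rv != 0) return false;` path now returns without freeing `buf`; it should become `if (rv != 0) { free(buf); return false; }`. The new `buflen = strlen(buf);` also dereferences the result of `xbps_dictionary_externalize(meta)` without the `buf == NULL` check that the index path has in the first hunk. `free(sig)` after a failed `sign_buffer()` is only safe if `sig` starts out as NULL or the callee always sets it, and `assert(sig)` is compiled out under NDEBUG, so an explicit `if (sig == NULL)` failure path would be more robust for a signing step. The declarations of `sig`, `siglen` and `privkey` are not part of this patch, and repodata_flush starts and ends outside the hunk, so these points need checking against the full function.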
@@ -116,18 +116,19 @@
 */
 #define XBPS_REPOIDX "index.plist"

-/**
- * @def XBPS_REPOIDX_SIG
- * Filename for the signature of repository index property list.
- */
-#define XBPS_REPOIDX_SIG "index.plist.sig"
-
 /**
 * @def XBPS_REPOIDX_META
 * Filename for the repository index metadata property list.
 */
 #define XBPS_REPOIDX_META "index-meta.plist"

+/**
+ * @def XBPS_REPOIDXMETA_SIG
+ * Filename for the signature of repository index metadata
+ * property list.
+ */
+#define XBPS_REPOIDXMETA_SIG "index-meta.plist.sig"
+
 /**
 * @def XBPS_FLAG_VERBOSE
 * Verbose flag that can be used in the function callbacks to alter
@@ -1360,7 +1361,7 @@ struct xbps_repo {
 xbps_dictionary_t idxmeta;
 /**
 * @var uri
- *
+ *
 * URI string associated with repository.
 */
 const char *uri;
diff --git a/lib/repo.c b/lib/repo.c
index 64e59bec..4acf95fd 100644
--- a/lib/repo.c
+++ b/lib/repo.c
@@ -75,9 +75,9 @@ repo_verify_index(struct xbps_repo *repo, unsigned char *digest) {
 return false;
 }

- if (strcmp(archive_entry_pathname(entry), XBPS_REPOIDX_SIG) != 0) {
+ if (strcmp(archive_entry_pathname(entry), XBPS_REPOIDXMETA_SIG) != 0) {
 xbps_dbg_printf(repo->xhp,
- "%s: no signature of %s\n", repo->uri, XBPS_REPOIDX);
+ "%s: no signature of %s\n", repo->uri, XBPS_REPOIDX_META);
 return false;
 }
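Review bot: Removing `XBPS_REPOIDX_SIG` in the first include/xbps.h.in hunk drops a documented macro from what appears to be the library's API header, so any out-of-tree code that still references it stops compiling. If that is intended, the commit message should say so. The replacement name `XBPS_REPOIDXMETA_SIG` also departs from the `XBPS_REPOIDX_META` spelling directly above it; `XBPS_REPOIDX_META_SIG` would read consistently.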
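Review bot: In repo_verify_index (lib/repo.c), switching the expected entry to `XBPS_REPOIDXMETA_SIG` means the signature now authenticates only index-meta.plist. index.plist is then protected only if index-meta carries a digest of it that is verified elsewhere, and nothing in this hunk shows that, so it should be confirmed. The `digest` argument must likewise now be computed over index-meta.plist by the caller, which is outside the hunk. Repositories that still ship `index.plist.sig` will fail this `strcmp` and be reported as having no signature, so it is worth checking that callers treat that `false` as a hard failure rather than falling back to an unsigned repository. The function's body continues outside the hunk.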