emo/xbps
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't assume repodata is signed when has index-meta.plist

Browse Source
This commit is contained in:
Piotr Wójcik 2019-10-01 21:18:25 +02:00 committed by Juan RP
parent 381b7b7600
commit 4e3d4d2287
3 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bin/xbps-rindex/repoflush.c
View File

@ -45,6 +45,7 @@ repodata_flush(struct xbps_handle *xhp, const char *repodir,
struct archive *ar; struct archive *ar;
char *repofile, *tname, *buf; char *repofile, *tname, *buf;
unsigned char *sig = NULL; unsigned char *sig = NULL;
const char *signature_type = NULL;
int rv, repofd = -1; int rv, repofd = -1;
unsigned int siglen, buflen; unsigned int siglen, buflen;
mode_t mask; mode_t mask;
@ -115,7 +116,7 @@ repodata_flush(struct xbps_handle *xhp, const char *repodir,
if (rv != 0) if (rv != 0)
return false; return false;
if (meta) if (xbps_dictionary_get_cstring_nocopy(meta, "signature-type", &signature_type))
{ {
rv = sign_buffer(buf, buflen, privkey, &sig, &siglen); rv = sign_buffer(buf, buflen, privkey, &sig, &siglen);
free(buf); free(buf);

3
lib/plist_fetch.c
View File

@ -181,6 +181,7 @@ xbps_repo_fetch_remote(struct xbps_repo *repo, const char *url)
struct archive *a; struct archive *a;
struct archive_entry *entry; struct archive_entry *entry;
uint8_t i = 0; uint8_t i = 0;
const char *signature_type = NULL;
assert(url); assert(url);
assert(repo); assert(repo);
@ -214,7 +215,7 @@ xbps_repo_fetch_remote(struct xbps_repo *repo, const char *url)
} }
archive_read_finish(a); archive_read_finish(a);
if (xbps_object_type(repo->idxmeta) == XBPS_TYPE_DICTIONARY) if (xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-type", &signature_type))
repo->is_signed = true; repo->is_signed = true;
if (xbps_object_type(repo->idx) == XBPS_TYPE_DICTIONARY) if (xbps_object_type(repo->idx) == XBPS_TYPE_DICTIONARY)

19
lib/repo.c
View File

@ -181,6 +181,7 @@ repo_open_local(struct xbps_repo *repo, const char *repofile)
struct stat st; struct stat st;
int rv = 0; int rv = 0;
bool verified = false; bool verified = false;
const char *signature_type = NULL;
if (fstat(repo->fd, &st) == -1) { if (fstat(repo->fd, &st) == -1) {
rv = errno; rv = errno;
@ -214,7 +215,8 @@ repo_open_local(struct xbps_repo *repo, const char *repofile)
xbps_dictionary_make_immutable(repo->idx); xbps_dictionary_make_immutable(repo->idx);
repo->idxmeta = repo_get_dict(repo, NULL); repo->idxmeta = repo_get_dict(repo, NULL);
if (repo->idxmeta != NULL) { if (repo->idxmeta != NULL) {
repo->is_signed = true; if (xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-type", &signature_type))
repo->is_signed = true;
xbps_dictionary_make_immutable(repo->idxmeta); xbps_dictionary_make_immutable(repo->idxmeta);
} }
@ -635,6 +637,7 @@ xbps_repo_key_import(struct xbps_repo *repo)
char *hexfp = NULL; char *hexfp = NULL;
char *p, *dbkeyd, *rkeyfile = NULL; char *p, *dbkeyd, *rkeyfile = NULL;
int import, rv = 0; int import, rv = 0;
bool has_signedby, has_pubkey_size, has_pubkey;
assert(repo); assert(repo);
/* /*
@ -655,8 +658,18 @@ xbps_repo_key_import(struct xbps_repo *repo)
xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &pubkey_size); xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &pubkey_size);
pubkey = xbps_dictionary_get(repo->idxmeta, "public-key"); pubkey = xbps_dictionary_get(repo->idxmeta, "public-key");
if (signedby == NULL || pubkey_size == 0 || has_signedby = (signedby != NULL);
xbps_object_type(pubkey) != XBPS_TYPE_DATA) { has_pubkey_size = (pubkey_size > 0);
has_pubkey = (xbps_object_type(pubkey) == XBPS_TYPE_DATA);
if (!has_signedby && !has_pubkey_size && !has_pubkey)
{
xbps_dbg_printf(repo->xhp,
"[repo] `%s' unsigned repository with meta!\n", repo->uri);
return 0;
}
else if (!has_signedby || !has_pubkey_size || !has_pubkey)
{
xbps_dbg_printf(repo->xhp, xbps_dbg_printf(repo->xhp,
"[repo] `%s': incomplete signed repository " "[repo] `%s': incomplete signed repository "
"(missing objs)\n", repo->uri); "(missing objs)\n", repo->uri);