- Pacman-dev - lists.archlinux.org

[pacman-dev] [PATCH 2/2] repo-add: add option to specify a different key to sign
by Denis A. Altoé Falqueto 25 Apr '11

25 Apr '11

There may be some situations when one needs to specify a different key from user's default. The option -k or --signwithkey accepts a key identifier and uses that in the signing command. Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto(a)gmail.com> --- There was a different version of this patch sent some time ago. For some reason, just the part for makepkg was merged. So, now I'm sending a little better version for repo-add/remove. scripts/repo-add.sh.in | 36 ++++++++++++++++++++++++++++-------- 1 files changed, 28 insertions(+), 8 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index cb545f3..7b9e85f 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -66,7 +66,8 @@ usage() { cmd="$(basename $0)" printf "%s (pacman) %s\n\n" "$cmd" "$myver" if [[ $cmd == "repo-add" ]] ; then - printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")" + printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s [-k|--signwithkey key]]\n")" + printf "$(gettext " [-v] <path-to-db> <package|delta> ...\n")" printf "$(gettext "\ repo-add will update a package database by reading a package file.\n\ Multiple packages to add can be specified on the command line.\n\n")" @@ -74,16 +75,18 @@ Multiple packages to add can be specified on the command line.\n\n")" printf "$(gettext " -d, --delta generate and add delta for package update\n")" printf "$(gettext " -f, --files update database's file list\n")" elif [[ $cmd == "repo-remove" ]] ; then - printf "$(gettext "Usage: repo-remove [-q] [-s] [-v] <path-to-db> <packagename|delta> ...\n\n")" + printf "$(gettext "Usage: repo-remove [-q] [-s [-k|--signwithkey key]]\n")" + printf "$(gettext " [-v] <path-to-db> <packagename|delta> ...\n\n")" printf "$(gettext "\ repo-remove will update a package database by removing the package name\n\ specified on the command line from the given repo database. Multiple\n\ packages to remove can be specified on the command line.\n\n")" printf "$(gettext "Options:\n")" fi - printf "$(gettext " -q, --quiet minimize output\n")" - printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" - printf "$(gettext " -v, --verify verify database's signature before update\n")" + printf "$(gettext " -q, --quiet minimize output\n")" + printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" + printf "$(gettext " -k, --signwithkey <key> use the specified key to sign the repository\n")" + printf "$(gettext " -v, --verify verify database's signature before update\n")" printf "$(gettext "\n\ See %s(8) for more details and descriptions of the available options.\n\n")" $cmd if [[ $cmd == "repo-add" ]] ; then @@ -204,7 +207,13 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$dbfile" || ret=$? + + # Check if SIGNKEY is valid. + local SIGNWITHKEY="" + if [[ "${SIGNKEY}" ]]; then + SIGNWITHKEY="-u ${SIGNKEY}" + fi + gpg --detach-sign ${SIGNWITHKEY} "$dbfile" || ret=$? if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig" else @@ -226,7 +235,7 @@ verify_signature() { warning "$(gettext "No existing signature found, skipping verification.")" return fi - gpg --verify "$dbfile.sig" || ret=$? + gpg --verify "$dbfile.sig" &>/dev/null || ret=$? if (( ! ret )); then msg2 "$(gettext "Database signature file verified.")" else @@ -542,12 +551,22 @@ trap 'trap_exit "$(gettext "An unknown error has occured. Exiting...")"' ERR success=0 # parse arguments -for arg in "$@"; do +while [[ $# > 0 ]]; do + arg="$1" case "$arg" in -q|--quiet) QUIET=1;; -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; -s|--sign) SIGN=1;; + -k|--signwithkey) + shift + SIGNKEY="$1" + # Check if key exists, to stop as early as possible + if ! gpg --list-key "${SIGNKEY}" &>/dev/null; then + error "$(gettext "The key ${SIGNKEY} doesnn't exist.")" + exit 1 + fi + ;; -v|--verify) VERIFY=1;; *) if [[ -z $REPO_DB_FILE ]]; then @@ -562,6 +581,7 @@ for arg in "$@"; do fi ;; esac + shift done # if at least one operation was a success, re-zip database -- 1.7.4.2

2 2

[pacman-dev] [GIT] The official pacman repository branch, master, updated. v3.5.2-141-ga7d33d0
by dan＠archlinux.org 24 Apr '11

24 Apr '11

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official pacman repository". The branch, master has been updated via a7d33d0c36420462b3de5c7e2f8327ddbda2a129 (commit) via 1cb1b0a52c3c815f448af9ca80bd38f550f5b7ca (commit) via 036f98575c1b57782db51c82b521d53ba1da99a1 (commit) via fade60088e158c042e3a3a2c135fa067016998af (commit) via 59da64146d824026a958a139e0d3e0600f9bdcf7 (commit) via 2eab4ab0333df4d5d24637a2e2e32091d78decc6 (commit) via 8b34aa50b9111b5c7e26b9841ad6f0cc5c38887f (commit) via 9579879b1bb1a033e846b750769215b7b4066073 (commit) via 204bbc47149c948b680735a933fa395ce3983f38 (commit) via 934e8c79afcb0df8b750322c5e87d77203d9f1fe (commit) via e3268d5e88308b1b854f5f256cb5fa40ac16ea5b (commit) via 74994faee7ce1681f24a3fc0a108dc4f9b824ffc (commit) from e39c104d13bfb6e2c055c2af3eee41bfa603b13b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit a7d33d0c36420462b3de5c7e2f8327ddbda2a129 Author: Allan McRae <allan(a)archlinux.org> Date: Sun Apr 24 21:17:03 2011 +1000 repo-add: update copyright message Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 1cb1b0a52c3c815f448af9ca80bd38f550f5b7ca Author: Allan McRae <allan(a)archlinux.org> Date: Sun Apr 24 21:03:21 2011 +1000 repo-add: document -k option Also unify the usage output with that given by repo-add itself. Dan: use 'options', not 'option(s)'. Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 036f98575c1b57782db51c82b521d53ba1da99a1 Author: Allan McRae <allan(a)archlinux.org> Date: Sun Apr 24 20:56:59 2011 +1000 repo-add: check for gpg early Check for the presence of gpg as soon as we know we need it. Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit fade60088e158c042e3a3a2c135fa067016998af Author: Allan McRae <allan(a)archlinux.org> Date: Sun Apr 24 20:51:53 2011 +1000 repo-add: check for valid key when signing is requested Follow the example of makepkg Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 59da64146d824026a958a139e0d3e0600f9bdcf7 Author: Denis A. Altoé Falqueto <denisfalqueto(a)gmail.com> Date: Sun Apr 24 20:48:08 2011 +1000 repo-add: add option to specify a different key to sign with Add -k/--key option to specify a non-default key for signing a package database. Original-patch-by: Denis A. Altoé Falqueto <denisfalqueto(a)gmail.com> Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 2eab4ab0333df4d5d24637a2e2e32091d78decc6 Author: Allan McRae <allan(a)archlinux.org> Date: Sun Apr 24 17:36:21 2011 +1000 repo-add: simplify usage message Listing every option on the usage line becomes unweildly as more options get added so simplify it. Also, provide a standard package name in the repo-add example. Dan: just use 'options' as we use elsewhere, not 'option(s)'. Signed-off-by: Allan McRae <allan(a)archlinux.org> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 8b34aa50b9111b5c7e26b9841ad6f0cc5c38887f Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 19:51:51 2011 -0500 Make dump_pkg_full a little less insane The various "level" values were a bit crazy to decipher, and we were doing some very interesting comparisons in certain places. Break it out into two parameters instead so we can seperate the type from the extra information display, and do things accordingly. Nothing changes with the display of any of the five types we currently show: -Si, -Sii, -Qi, -Qii, -Qip. Something to note- we should expose the PKG_FROM enum type somehow, this patch leaves the door open to do that quite easily. Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 9579879b1bb1a033e846b750769215b7b4066073 Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 18:31:19 2011 -0500 libalpm/dload: major refactor of signature downloading There's a lot of related moving parts here: * Iteration through mirrors is moved back to the calling functions. This allows removal of _alpm_download_single_file and _alpm_download_files. * The download function gets a few more arguments to influence behavior. This allows several different scenarios to customize behavior: - database - database signature (req'd and optional) - package - package via direct URL - package signature via direct URL (req'd and optional) * For databases, we need signatures from the same mirror, so structure the code accordingly. Some-inspiration-from: Dave Reisner <d(a)falconindy.com> Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 204bbc47149c948b680735a933fa395ce3983f38 Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 17:24:04 2011 -0500 libalpm/dload: add allow_resume and reorder error checks The allow_resume is the start of the fix to the "don't ever resume database downloads" problem, as well as being useful for '.sig' downloads as well. For now, we say "always allow resume", but this will eventually get pushed down as necessary. Error checks are reworked in order to correctly error out when a file is not found on the remote end and reports 0 bytes downloaded. In addition, the two error messages printed are now different as one reports a more specific error message provided via the cURL error buffer. Some example output from an -Sy run with [testing], [community], [community2], [eee], and [nonexistant] defined as repos. [community2] and [nonexistant] are both invalid, one using FTP and one using HTTP. :: Synchronizing package databases... testing is up to date community is up to date error: failed retrieving file 'community2.db' from ftp.archlinux.org : Given file does not exist error: failed to update community2 (FTP: couldn't retrieve (RETR failed) the specified file) eee is up to date error: failed retrieving file 'nonexistant.db' from code.toofishes.net : The requested URL returned error: 404 error: failed to update nonexistant (HTTP response code said error) Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 934e8c79afcb0df8b750322c5e87d77203d9f1fe Merge: e39c104 e3268d5 Author: Dan McGee <dan(a)archlinux.org> Date: Fri Apr 22 17:08:12 2011 -0500 Merge branch 'maint' commit e3268d5e88308b1b854f5f256cb5fa40ac16ea5b Author: Dan McGee <dan(a)archlinux.org> Date: Fri Apr 22 17:07:58 2011 -0500 Small translation update from Transifex Signed-off-by: Dan McGee <dan(a)archlinux.org> ----------------------------------------------------------------------- Summary of changes: doc/pacman.8.txt | 14 +++-- doc/repo-add.8.txt | 9 +++- lib/libalpm/alpm.h | 4 +- lib/libalpm/be_sync.c | 88 +++++++++++++------------------- lib/libalpm/dload.c | 131 +++++++++++++++++++----------------------------- lib/libalpm/dload.h | 8 +-- lib/libalpm/sync.c | 25 ++++++++- po/sk.po | 4 +- scripts/repo-add.sh.in | 83 ++++++++++++++++++++---------- src/pacman/package.c | 50 +++++++----------- src/pacman/package.h | 10 +++- src/pacman/query.c | 5 +- src/pacman/sync.c | 7 ++- 13 files changed, 220 insertions(+), 218 deletions(-) hooks/post-receive -- The official pacman repository

1 0

[pacman-dev] [PATCH 0/6] repo-add: complete package signing work
by Allan McRae 24 Apr '11

24 Apr '11

With these patches, I beleive the package signing work for repo-add is feature complete and all documentation provided. Allan McRae (5): repo-add: simplify usage message repo-add: check for valid key when signing is requested repo-add: check for gpg early repo-add: document -k option repo-add: update copyright message Denis A. Altoé Falqueto (1): repo-add: add option to specify a different key to sign with doc/repo-add.8.txt | 9 ++++- scripts/repo-add.sh.in | 83 ++++++++++++++++++++++++++++++++--------------- 2 files changed, 63 insertions(+), 29 deletions(-) -- 1.7.4.4

2 8

[pacman-dev] [PATCH 1/4] be_sync: use _alpm_db_get_sigverify_level()
by Dan McGee 24 Apr '11

24 Apr '11

Signed-off-by: Dan McGee <dan(a)archlinux.org> --- lib/libalpm/be_sync.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index 11e2807..d484185 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -84,6 +84,7 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) size_t len; int ret; mode_t oldmask; + pgp_verify_t check_sig; ALPM_LOG_FUNC; @@ -136,8 +137,10 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) goto cleanup; } + check_sig = _alpm_db_get_sigverify_level(db); + /* Download and check the signature of the database if needed */ - if(db->pgp_verify != PM_PGP_VERIFY_NEVER) { + if(check_sig != PM_PGP_VERIFY_NEVER) { char *sigfile, *sigfilepath; int sigret; @@ -155,7 +158,7 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) sigret = _alpm_download_single_file(sigfile, db->servers, syncpath, 0); free(sigfile); - if(sigret == -1 && db->pgp_verify == PM_PGP_VERIFY_ALWAYS) { + if(sigret == -1 && check_sig == PM_PGP_VERIFY_ALWAYS) { _alpm_log(PM_LOG_ERROR, _("Failed to download signature for db: %s\n"), alpm_strerrorlast()); pm_errno = PM_ERR_SIG_INVALID; @@ -164,8 +167,8 @@ int SYMEXPORT alpm_db_update(int force, pmdb_t *db) } sigret = alpm_db_check_pgp_signature(db); - if((db->pgp_verify == PM_PGP_VERIFY_ALWAYS && sigret != 0) || - (db->pgp_verify == PM_PGP_VERIFY_OPTIONAL && sigret == 1)) { + if((check_sig == PM_PGP_VERIFY_ALWAYS && sigret != 0) || + (check_sig == PM_PGP_VERIFY_OPTIONAL && sigret == 1)) { /* pm_errno was set by the checking code */ /* TODO: should we just leave the unverified database */ ret = -1; -- 1.7.4.4

2 4

[pacman-dev] [PATCH] makepkg: parallelize integrity checks
by Dan McGee 23 Apr '11

23 Apr '11

This enables parallel integrity checks in makepkg within a given family of integrity sums. Subshell jobs for each source file are kicked off and run in parallel, and then we wait for each of them in turn to complete and print the same information as before. Note that programming sense says this loop should be done differently for filesystem access reasons; doing all checks for a given file would make more sense rather than running through the filelist multiple times. However, that would be a very different patch than what this is trying to accomplish. On a completely suited for the task PKGBUILD containing md5sums ans sha256sums of several large data files, as well as a failing integrity check so, this brings execution time way down: $ time makepkg -f 2>/dev/null real 0m7.924s user 0m7.293s sys 0m0.480s $ time ~/projects/pacman/scripts/makepkg -f 2>/dev/null real 0m2.447s user 0m7.470s sys 0m0.537s Signed-off-by: Dan McGee <dan(a)archlinux.org> --- Said PKGBUILD from above: pkgname=integspeed pkgver=1.0 pkgrel=1 arch=('any') source=( eclipse-3.6.1-1-x86_64.pkg.tar.xz eclipse-3.6.2-1-x86_64.pkg.tar.xz nltk-data-2.0-5-any.pkg.tar.xz openoffice-base-3.2.1-5-x86_64.pkg.tar.xz smc-1.9-8-x86_64.pkg.tar.xz texlive-core-2010.20954-2-any.pkg.tar.xz tremulous-data-1.1.0-1-any.pkg.tar.gz ) md5sums=('6ab0488636b4b52957a8d069c4330d3d' 'e889ada205ab8b9b17c64de6c7b62956' '968bebb2a8e77b2cd2ee2bbb3d9122d4' '17d59366ef890dab62bebfe786a0cccb' '129fa6ed2208b355e8e55bdd38ae6677' '36437e05082be8c4e6764fc2bcfe4f4b' '107d367e2e0245b38402f457c1d735f7') sha256sums=('d0fdac48f982f4f7794187c6652fb55ac6c63c439a62476bcf90addad25f9274' 'fc30a73f6313ba202a6fb4fd112de93c88c28b3f7af68dd0789d3317afe89741' 'aec68224fd31713ff0cee49fb3c27cf5be82ada03657b9d592ab029c5df1ad92' '1c9404f87a8b00bd07d226ca93c7254985af3195719a5ddb69be40faa78914c4' 'bbde245ff84a3ec93f76a53b97d2d261193699a55881209ffae9310de00c6ad4' '10a0ba732253d89ef3b6d72486474a356179e4665efc6482ac3c47c891f7f3a2' '53d990b7123d12409290c3a3c8b6be32e2887c88a0650cd338a7f58cc951f4d9') scripts/makepkg.sh.in | 47 +++++++++++++++++++++++++++++++++-------------- 1 files changed, 33 insertions(+), 14 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 3d5184a..92b7597 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -627,33 +627,52 @@ check_checksums() { correlation=1 local errors=0 local idx=0 + local -a jobs + local job local file for file in "${source[@]}"; do - local found=1 - file="$(get_filename "$file")" - echo -n " $file ... " >&2 + ( + file="$(get_filename "$file")" - if ! file="$(get_filepath "$file")"; then - echo "$(gettext "NOT FOUND")" >&2 - errors=1 - found=0 - fi + if ! file="$(get_filepath "$file")"; then + exit 2 + fi - if (( $found )) ; then local expectedsum=$(tr '[:upper:]' '[:lower:]' <<< "${integrity_sums[$idx]}") local realsum="$(openssl dgst -${integ} "$file")" realsum="${realsum##* }" if [[ $expectedsum = $realsum ]]; then - echo "$(gettext "Passed")" >&2 - else - echo "$(gettext "FAILED")" >&2 - errors=1 + exit 0 fi - fi + exit 1 + ) & + jobs[$idx]=$! idx=$((idx + 1)) done + idx=0 + while [[ $idx -lt ${#source[@]} ]]; do + file="$(get_filename "${source[$idx]}")" + job=${jobs[$idx]} + status=0 + wait $job || status=$? + echo -n " $file ... " >&2 + if [[ $status -eq 0 ]]; then + echo "$(gettext "Passed")" >&2 + elif [[ $status -eq 1 ]]; then + echo "$(gettext "FAILED")" >&2 + errors=1 + elif [[ $status -eq 2 ]]; then + echo "$(gettext "NOT FOUND")" >&2 + errors=1 + else + echo "$(gettext "ERROR")" >&2 + errors=1 + fi + idx=$((idx + 1)) + done + if (( errors )); then error "$(gettext "One or more files did not pass the validity check!")" exit 1 # TODO: error code -- 1.7.4.4

3 8

[pacman-dev] [GIT] The official pacman repository branch, master, updated. v3.5.2-129-ge39c104
by dan＠archlinux.org 22 Apr '11

22 Apr '11

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official pacman repository". The branch, master has been updated via e39c104d13bfb6e2c055c2af3eee41bfa603b13b (commit) via 53c749ce0aa55307fff2b419501da509212ae9ba (commit) via 1ff04b980f65769ae63b162f7206579da2f57e1c (commit) from 10b8cd75b36d5a87032780058321fccdc90210c7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit e39c104d13bfb6e2c055c2af3eee41bfa603b13b Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 22:09:57 2011 -0500 cleanup: add_pkg() and remove_pkg() Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 53c749ce0aa55307fff2b419501da509212ae9ba Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 15:39:31 2011 -0500 libalpm/dload: const and static correctness Signed-off-by: Dan McGee <dan(a)archlinux.org> commit 1ff04b980f65769ae63b162f7206579da2f57e1c Author: Dan McGee <dan(a)archlinux.org> Date: Thu Apr 21 15:37:32 2011 -0500 be_sync: use _alpm_db_get_sigverify_level() Signed-off-by: Dan McGee <dan(a)archlinux.org> ----------------------------------------------------------------------- Summary of changes: lib/libalpm/add.c | 7 +++---- lib/libalpm/be_sync.c | 11 +++++++---- lib/libalpm/dload.c | 11 ++++++----- lib/libalpm/dload.h | 2 +- lib/libalpm/remove.c | 5 +++-- 5 files changed, 20 insertions(+), 16 deletions(-) hooks/post-receive -- The official pacman repository

1 0

[pacman-dev] [PATCH 1/6] signing: let GPGME handle loading signatures from files
by Dan McGee 22 Apr '11

22 Apr '11

Rather than go through all the hassle of doing this ourselves, just let GPGME handle the work by passing it a file handle. Signed-off-by: Dan McGee <dan(a)archlinux.org> --- I applied patches from two years ago that introduced this madness, so it is no wonder I am going back and refactoring and simplifying the old stuff. I see little disadvantage to not manually reading the signature files if we can have the library handle that itself. lib/libalpm/be_package.c | 6 --- lib/libalpm/db.c | 23 ----------- lib/libalpm/db.h | 3 - lib/libalpm/signing.c | 94 +++++++++++++++++----------------------------- lib/libalpm/signing.h | 1 - 5 files changed, 35 insertions(+), 92 deletions(-) diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index 8a6ed6c..6e65c7d 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -243,18 +243,12 @@ static pmpkg_t *pkg_load(const char *pkgfile, int full) /* attempt to stat the package file, ensure it exists */ if(stat(pkgfile, &st) == 0) { - int sig_ret; - newpkg = _alpm_pkg_new(); if(newpkg == NULL) { RET_ERR(PM_ERR_MEMORY, NULL); } newpkg->filename = strdup(pkgfile); newpkg->size = st.st_size; - - /* TODO: do something with ret value */ - sig_ret = _alpm_load_signature(pkgfile, &(newpkg->pgpsig)); - (void)sig_ret; } else { /* couldn't stat the pkgfile, return an error */ RET_ERR(PM_ERR_PKG_OPEN, NULL); diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c index f5e7a25..3d593b3 100644 --- a/lib/libalpm/db.c +++ b/lib/libalpm/db.c @@ -314,27 +314,6 @@ pmdb_t *_alpm_db_new(const char *treename, int is_local) return db; } -const pmpgpsig_t *_alpm_db_pgpsig(pmdb_t *db) -{ - ALPM_LOG_FUNC; - - /* Sanity checks */ - ASSERT(db != NULL, return(NULL)); - - if(db->pgpsig.data == NULL) { - const char *dbfile; - int ret; - - dbfile = _alpm_db_path(db); - - /* TODO: do something with ret value */ - ret = _alpm_load_signature(dbfile, &(db->pgpsig)); - (void)ret; - } - - return &(db->pgpsig); -} - void _alpm_db_free(pmdb_t *db) { ALPM_LOG_FUNC; @@ -343,8 +322,6 @@ void _alpm_db_free(pmdb_t *db) _alpm_db_free_pkgcache(db); /* cleanup server list */ FREELIST(db->servers); - /* only need to free data */ - FREE(db->pgpsig.data); FREE(db->_path); FREE(db->treename); FREE(db); diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h index 204a0be..399e2d5 100644 --- a/lib/libalpm/db.h +++ b/lib/libalpm/db.h @@ -63,8 +63,6 @@ struct __pmdb_t { pmpkghash_t *pkgcache; alpm_list_t *grpcache; alpm_list_t *servers; - /* do not access directly, use _alpm_db_pgpsig(db) for lazy access */ - pmpgpsig_t pgpsig; pgp_verify_t pgp_verify; struct db_operations *ops; @@ -81,7 +79,6 @@ alpm_list_t *_alpm_db_search(pmdb_t *db, const alpm_list_t *needles); pmdb_t *_alpm_db_register_local(void); pmdb_t *_alpm_db_register_sync(const char *treename); void _alpm_db_unregister(pmdb_t *db); -const pmpgpsig_t *_alpm_db_pgpsig(pmdb_t *db); /* be_*.c, backend specific calls */ int _alpm_local_db_read(pmdb_t *db, pmpkg_t *info, pmdbinfrq_t inforeq); diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 9d4fd07..28b7ad9 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -92,9 +92,10 @@ error: } /** - * Check the PGP package signature for the given file. + * Check the PGP signature for the given file. * @param path the full path to a file - * @param sig PGP signature data in raw form (already decoded) + * @param sig PGP signature data in raw form (already decoded); if NULL, expect + * a signature file next to 'path' * @return a int value : 0 (valid), 1 (invalid), -1 (an error occured) */ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) @@ -105,16 +106,28 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) gpgme_data_t filedata, sigdata; gpgme_verify_result_t result; gpgme_signature_t gpgsig; + char *sigpath = NULL; FILE *file = NULL, *sigfile = NULL; ALPM_LOG_FUNC; - if(!sig || !sig->data) { - RET_ERR(PM_ERR_SIG_UNKNOWN, -1); - } if(!path || access(path, R_OK) != 0) { RET_ERR(PM_ERR_NOT_A_FILE, -1); } + + if(!sig) { + size_t len = strlen(path) + 5; + CALLOC(sigpath, len, sizeof(char), RET_ERR(PM_ERR_MEMORY, -1)); + snprintf(sigpath, len, "%s.sig", path); + + if(!access(sigpath, R_OK) == 0) { + FREE(sigpath); + RET_ERR(PM_ERR_SIG_UNKNOWN, -1); + } + } else if(!sig->data) { + RET_ERR(PM_ERR_SIG_UNKNOWN, -1); + } + if(gpgme_init()) { /* pm_errno was set in gpgme_init() */ return -1; @@ -140,7 +153,19 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) CHECK_ERR(); /* next create data object for the signature */ - err = gpgme_data_new_from_mem(&sigdata, (char *)sig->data, sig->len, 0); + if(sig) { + /* memory-based, we loaded it from a sync DB */ + err = gpgme_data_new_from_mem(&sigdata, (char *)sig->data, sig->len, 0); + } else { + /* file-based, it is on disk */ + sigfile = fopen(sigpath, "rb"); + if(sigfile == NULL) { + pm_errno = PM_ERR_NOT_A_FILE; + ret = -1; + goto error; + } + err = gpgme_data_new_from_stream(&sigdata, sigfile); + } CHECK_ERR(); /* here's where the magic happens */ @@ -196,6 +221,7 @@ error: if(file) { fclose(file); } + FREE(sigpath); if(err != GPG_ERR_NO_ERROR) { _alpm_log(PM_LOG_ERROR, _("GPGME error: %s\n"), gpgme_strerror(err)); RET_ERR(PM_ERR_GPGME, -1); @@ -204,55 +230,6 @@ error: } /** - * Load the signature from the given path into the provided struct. - * @param sigfile the signature to attempt to load - * @param pgpsig the struct to place the data in - * - * @return 0 on success, 1 on file not found, -1 on error - */ -int _alpm_load_signature(const char *file, pmpgpsig_t *pgpsig) { - struct stat st; - char *sigfile; - int ret = -1; - - /* look around for a PGP signature file; load if available */ - MALLOC(sigfile, strlen(file) + 5, RET_ERR(PM_ERR_MEMORY, -1)); - sprintf(sigfile, "%s.sig", file); - - if(access(sigfile, R_OK) == 0 && stat(sigfile, &st) == 0) { - FILE *f; - size_t bytes_read; - - if(st.st_size > 4096 || (f = fopen(sigfile, "rb")) == NULL) { - free(sigfile); - return ret; - } - CALLOC(pgpsig->data, st.st_size, sizeof(unsigned char), - RET_ERR(PM_ERR_MEMORY, -1)); - bytes_read = fread(pgpsig->data, sizeof(char), st.st_size, f); - if(bytes_read == (size_t)st.st_size) { - pgpsig->len = bytes_read; - _alpm_log(PM_LOG_DEBUG, "loaded gpg signature file, location %s\n", - sigfile); - ret = 0; - } else { - _alpm_log(PM_LOG_WARNING, _("Failed reading PGP signature file %s"), - sigfile); - FREE(pgpsig->data); - } - - fclose(f); - } else { - _alpm_log(PM_LOG_DEBUG, "signature file %s not found\n", sigfile); - /* not fatal...we return a different error code here */ - ret = 1; - } - - free(sigfile); - return ret; -} - -/** * Determines the necessity of checking for a valid PGP signature * @param db the sync database to query * @@ -271,7 +248,7 @@ pgp_verify_t _alpm_db_get_sigverify_level(pmdb_t *db) } /** - * Check the PGP package signature for the given package file. + * Check the PGP signature for the given package file. * @param pkg the package to check * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred) */ @@ -285,7 +262,7 @@ int SYMEXPORT alpm_pkg_check_pgp_signature(pmpkg_t *pkg) } /** - * Check the PGP package signature for the given database. + * Check the PGP signature for the given database. * @param db the database to check * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred) */ @@ -294,8 +271,7 @@ int SYMEXPORT alpm_db_check_pgp_signature(pmdb_t *db) ALPM_LOG_FUNC; ASSERT(db != NULL, return 0); - return _alpm_gpgme_checksig(_alpm_db_path(db), - _alpm_db_pgpsig(db)); + return _alpm_gpgme_checksig(_alpm_db_path(db), NULL); } /* vim: set ts=2 sw=2 noet: */ diff --git a/lib/libalpm/signing.h b/lib/libalpm/signing.h index a378fa5..5976cf2 100644 --- a/lib/libalpm/signing.h +++ b/lib/libalpm/signing.h @@ -32,7 +32,6 @@ struct __pmpgpsig_t { }; int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig); -int _alpm_load_signature(const char *sigfile, pmpgpsig_t *pgpsig); pgp_verify_t _alpm_db_get_sigverify_level(pmdb_t *db); #endif /* _ALPM_SIGNING_H */ -- 1.7.4.4

1 5

[pacman-dev] [PATCH] Make dump_pkg_full a little less insane
by Dan McGee 22 Apr '11

22 Apr '11

The various "level" values were a bit crazy to decipher, and we were doing some very interesting comparisons in certain places. Break it out into two parameters instead so we can seperate the type from the extra information display, and do things accordingly. Nothing changes with the display of any of the five types we currently show: -Si, -Sii, -Qi, -Qii, -Qip. Something to note- we should expose the PKG_FROM enum type somehow, this patch leaves the door open to do that quite easily. Signed-off-by: Dan McGee <dan(a)archlinux.org> --- This one seems a bit out of the blue, but it makes more sense if I explain that I was working at getting a "Signature:" sign for -Qip output and didn't feel like adding another blasted level comparison that was hard to digest. The downside here is the enum addition to package.h- I'd be glad to either amend this one or submit a second patch moving those constants from private to public, as well as adding a package method to access that field (but not set it) from the frontend. I was surprised to see we don't have use for "where is this package from" in many other places. lib/libalpm/alpm.h | 4 ++-- src/pacman/package.c | 50 ++++++++++++++++++++------------------------------ src/pacman/package.h | 10 ++++++++-- src/pacman/query.c | 5 ++--- src/pacman/sync.c | 7 ++++--- 5 files changed, 36 insertions(+), 40 deletions(-) diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index e095148..6818cb2 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -567,9 +567,9 @@ alpm_list_t *alpm_pkg_get_files(pmpkg_t *pkg); */ alpm_list_t *alpm_pkg_get_backup(pmpkg_t *pkg); -/** Returns the database containing pkg +/** Returns the database containing pkg. * Returns a pointer to the pmdb_t structure the package is - * originating from, or NULL is the package was loaded from a file. + * originating from, or NULL if the package was loaded from a file. * @param pkg a pointer to package * @return a pointer to the DB containing pkg, or NULL. */ diff --git a/src/pacman/package.c b/src/pacman/package.c index 346d312..335b8b6 100644 --- a/src/pacman/package.c +++ b/src/pacman/package.c @@ -36,16 +36,15 @@ #define CLBUF_SIZE 4096 -/* Display the content of a package - * - * levels: - * <-1 - sync package, extra information (required by) [-Sii] - * -1 - sync package, normal level [-Si] - * =0 - file query [-Qip] - * 1 - localdb query, normal level [-Qi] - * >1 - localdb query, extra information (backup files) [-Qii] +/** + * Display the details of a package. + * Extra information entails 'required by' info for sync packages and backup + * files info for local packages. + * @param pkg package to display information for + * @param from the type of package we are dealing with + * @param extra should we show extra information */ -void dump_pkg_full(pmpkg_t *pkg, int level) +void dump_pkg_full(pmpkg_t *pkg, enum pkg_from from, int extra) { const char *reason; time_t bdate, idate; @@ -87,12 +86,16 @@ void dump_pkg_full(pmpkg_t *pkg, int level) depstrings = alpm_list_add(depstrings, alpm_dep_compute_string(dep)); } - if(level > 0 || level < -1) { + if(extra || from == PKG_FROM_LOCALDB) { /* compute this here so we don't get a pause in the middle of output */ requiredby = alpm_pkg_compute_requiredby(pkg); } /* actual output */ + if(from == PKG_FROM_SYNCDB) { + string_display(_("Repository :"), + alpm_db_get_name(alpm_pkg_get_db(pkg))); + } string_display(_("Name :"), alpm_pkg_get_name(pkg)); string_display(_("Version :"), alpm_pkg_get_version(pkg)); string_display(_("URL :"), alpm_pkg_get_url(pkg)); @@ -101,16 +104,16 @@ void dump_pkg_full(pmpkg_t *pkg, int level) list_display(_("Provides :"), alpm_pkg_get_provides(pkg)); list_display(_("Depends On :"), depstrings); list_display_linebreak(_("Optional Deps :"), alpm_pkg_get_optdepends(pkg)); - if(level > 0 || level < -1) { + if(extra || from == PKG_FROM_LOCALDB) { list_display(_("Required By :"), requiredby); } list_display(_("Conflicts With :"), alpm_pkg_get_conflicts(pkg)); list_display(_("Replaces :"), alpm_pkg_get_replaces(pkg)); size = humanize_size(alpm_pkg_get_size(pkg), 'K', 1, &label); - if(level < 0) { + if(from == PKG_FROM_SYNCDB) { printf(_("Download Size : %6.2f %s\n"), size, label); - } else if(level == 0) { + } else if(from == PKG_FROM_FILE) { printf(_("Compressed Size: %6.2f %s\n"), size, label); } @@ -120,23 +123,22 @@ void dump_pkg_full(pmpkg_t *pkg, int level) string_display(_("Packager :"), alpm_pkg_get_packager(pkg)); string_display(_("Architecture :"), alpm_pkg_get_arch(pkg)); string_display(_("Build Date :"), bdatestr); - if(level > 0) { + if(from == PKG_FROM_LOCALDB) { string_display(_("Install Date :"), idatestr); string_display(_("Install Reason :"), reason); } - if(level >= 0) { + if(from == PKG_FROM_FILE || from == PKG_FROM_LOCALDB) { string_display(_("Install Script :"), alpm_pkg_has_scriptlet(pkg) ? _("Yes") : _("No")); } - /* MD5 Sum for sync package */ - if(level < 0) { + if(from == PKG_FROM_SYNCDB) { string_display(_("MD5 Sum :"), alpm_pkg_get_md5sum(pkg)); } string_display(_("Description :"), alpm_pkg_get_desc(pkg)); /* Print additional package info if info flag passed more than once */ - if(level > 1) { + if(from == PKG_FROM_LOCALDB && extra) { dump_pkg_backups(pkg); } @@ -147,18 +149,6 @@ void dump_pkg_full(pmpkg_t *pkg, int level) FREELIST(requiredby); } -/* Display the content of a sync package - */ -void dump_pkg_sync(pmpkg_t *pkg, const char *treename, int level) -{ - if(pkg == NULL) { - return; - } - string_display(_("Repository :"), treename); - /* invert the level since we are a sync package */ - dump_pkg_full(pkg, -level); -} - static const char *get_backup_file_status(const char *root, const char *filename, const char *expected_md5) { diff --git a/src/pacman/package.h b/src/pacman/package.h index 26333c5..7a5e585 100644 --- a/src/pacman/package.h +++ b/src/pacman/package.h @@ -22,8 +22,14 @@ #include <alpm.h> -void dump_pkg_full(pmpkg_t *pkg, int level); -void dump_pkg_sync(pmpkg_t *pkg, const char *treename, int level); +/* TODO it would be nice if we didn't duplicate a backend type */ +enum pkg_from { + PKG_FROM_FILE = 1, + PKG_FROM_LOCALDB, + PKG_FROM_SYNCDB +}; + +void dump_pkg_full(pmpkg_t *pkg, enum pkg_from from, int extra); void dump_pkg_backups(pmpkg_t *pkg); void dump_pkg_files(pmpkg_t *pkg, int quiet); diff --git a/src/pacman/query.c b/src/pacman/query.c index a3546ba..eaf3b9e 100644 --- a/src/pacman/query.c +++ b/src/pacman/query.c @@ -450,10 +450,9 @@ static int display(pmpkg_t *pkg) if(config->op_q_info) { if(config->op_q_isfile) { - /* omit info that isn't applicable for a file package */ - dump_pkg_full(pkg, 0); + dump_pkg_full(pkg, PKG_FROM_FILE, 0); } else { - dump_pkg_full(pkg, config->op_q_info); + dump_pkg_full(pkg, PKG_FROM_LOCALDB, config->op_q_info > 1); } } if(config->op_q_list) { diff --git a/src/pacman/sync.c b/src/pacman/sync.c index 64d8cb0..5529288 100644 --- a/src/pacman/sync.c +++ b/src/pacman/sync.c @@ -465,7 +465,7 @@ static int sync_info(alpm_list_t *syncs, alpm_list_t *targets) pmpkg_t *pkg = alpm_list_getdata(k); if(strcmp(alpm_pkg_get_name(pkg), pkgstr) == 0) { - dump_pkg_sync(pkg, alpm_db_get_name(db), config->op_s_info); + dump_pkg_full(pkg, PKG_FROM_SYNCDB, config->op_s_info > 1); foundpkg = 1; break; } @@ -486,7 +486,7 @@ static int sync_info(alpm_list_t *syncs, alpm_list_t *targets) pmpkg_t *pkg = alpm_list_getdata(k); if(strcmp(alpm_pkg_get_name(pkg), pkgstr) == 0) { - dump_pkg_sync(pkg, alpm_db_get_name(db), config->op_s_info); + dump_pkg_full(pkg, PKG_FROM_SYNCDB, config->op_s_info > 1); foundpkg = 1; break; } @@ -504,7 +504,8 @@ static int sync_info(alpm_list_t *syncs, alpm_list_t *targets) pmdb_t *db = alpm_list_getdata(i); for(j = alpm_db_get_pkgcache(db); j; j = alpm_list_next(j)) { - dump_pkg_sync(alpm_list_getdata(j), alpm_db_get_name(db), config->op_s_info); + pmpkg_t *pkg = alpm_list_getdata(j); + dump_pkg_full(pkg, PKG_FROM_SYNCDB, config->op_s_info > 1); } } } -- 1.7.4.4

1 0

[pacman-dev] [PATCH 0/4] Add signature check for local packages
by Rémy Oudompheng 22 Apr '11

22 Apr '11

Packages added from local files are not checked currently. These patches also introduce changes in the handling of PM_PGP_VERIFY_UNKNOWN that are not really convincing. We could skip these changes and just apply the other patches, however we should probably give some thoughts about that. Making the check level into an argument of the check function could also be an option. Rémy Oudompheng (4): sync.c: remove duplicated code for integrity check failures handle.c: force sigverify level not to be PM_PGP_VERIFY_UNKNOWN sync.c: remove unnecessary check for PM_PGP_VERIFY_UNKNOWN sync.c: also check signatures for packages loaded from files lib/libalpm/handle.c | 1 + lib/libalpm/sync.c | 58 +++++++++++++++++++++++++------------------------- 2 files changed, 30 insertions(+), 29 deletions(-) -- 1.7.4.4

2 6

[pacman-dev] [PATCH 1/7] makepkg, pacman-key: unify help message with other scripts
by ivan.kanak＠gmail.com 21 Apr '11

21 Apr '11

From: Ivan Kanakarakis <ivan.kanak(a)gmail.com> The help message changed to match the one rankmirrors script has. It's clearer as to what the --help switch does. Signed-off-by: Ivan Kanakarakis <ivan.kanak(a)gmail.com> --- scripts/makepkg.sh.in | 2 +- scripts/pacman-key.sh.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 70d3cf3..3d5184a 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1607,7 +1607,7 @@ usage() { echo "$(gettext " -e, --noextract Do not extract source files (use existing src/ dir)")" echo "$(gettext " -f, --force Overwrite existing package")" echo "$(gettext " -g, --geninteg Generate integrity checks for source files")" - echo "$(gettext " -h, --help This help")" + echo "$(gettext " -h, --help Show this help message and exit")" echo "$(gettext " -i, --install Install package after successful build")" echo "$(gettext " -L, --log Log package build process")" echo "$(gettext " -m, --nocolor Disable colorized output messages")" diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 89e52fc..82268c9 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -63,7 +63,7 @@ usage() { echo "$(gettext " -d, --del <keyid(s)> Remove the specified keyids")" echo "$(gettext " -e, --export <keyid(s)> Export the specified keyids")" echo "$(gettext " -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")" - echo "$(gettext " -h, --help This help")" + echo "$(gettext " -h, --help Show this help message and exit")" echo "$(gettext " -l, --list List keys")" echo "$(gettext " -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")" echo "$(gettext " -t, --trust <keyid(s)> Set the trust level of the given keyids")" -- 1.7.4.4

3 15