GPG signatures have a timestamp which is checked and if it's in the future, verification will fail. Signed-off-by: Florian Pritz <bluewind@xinu.at> --- Allan suggested to improve the error message printed when verification fails, but since I already have this patch I can just as well submit it. lib/libalpm/signing.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 1e41716..6148976 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -20,6 +20,8 @@ #include <stdlib.h> #include <stdio.h> #include <string.h> +#include <time.h> +#include <errno.h> #if HAVE_LIBGPGME #include <locale.h> /* setlocale() */ @@ -127,6 +129,10 @@ static int init_gpgme(alpm_handle_t *handle) gpgme_error_t err; gpgme_engine_info_t enginfo; + const static char *timestamp_file = "timestamp"; + int len; + char *timestamp_path; + if(init) { /* we already successfully initialized the library */ return 0; @@ -143,6 +149,34 @@ static int init_gpgme(alpm_handle_t *handle) "pacman-key --init"); } + len = strlen(sigdir) + strlen(timestamp_file) + 1; + CALLOC(timestamp_path, len, sizeof(char), RET_ERR(handle, ALPM_ERR_MEMORY, -1)); + snprintf(timestamp_path, len, "%s%s", sigdir, timestamp_file); + + /* check if time went backwards since last run */ + if(!_alpm_access(handle, sigdir, timestamp_file, F_OK)) { + struct stat sb; + time_t t; + + if(stat(timestamp_path, &sb) == -1) { + /* TODO: should we really error here? */ + RET_ERR(handle, ALPM_ERR_SYSTEM, -1); + } + + t = time(NULL); + if(t == ((time_t)-1)) { + _alpm_log(handle, ALPM_LOG_ERROR, _("Failed to determine system time: %s\n"), strerror(errno)); + } + + if(sb.st_mtime > t) { + _alpm_log(handle, ALPM_LOG_WARNING, _("Time went backwards, signature verification might fail.\n")); + } + } + /* create file if missing, else update timestamp */ + close(creat(timestamp_path, O_RDWR)); + + free(timestamp_path); + /* calling gpgme_check_version() returns the current version and runs * some internal library setup code */ version = gpgme_check_version(NULL); -- 1.7.11.1