These patches add a per-repository `VerifySig` option to pacman.conf. `VerifySig` takes one of `Always`, `Optional` or `Never`: with `Always` a package whose signature is missing or does not verify is rejected, with `Optional` only a signature that fails to verify is rejected and an unsigned package is accepted, and with `Never` no signature check is performed. Example:

[repo-name]
Server = ServerName
VerifySig = Always
Include = IncludePath
From 77be2c5cbfa3c7a750fe46d115c23096d2cf51e5 Mon Sep 17 00:00:00 2001 From: shankar <jatheendra@gmail.com> Date: Wed, 17 Dec 2008 20:52:21 +0530 Subject: [PATCH] changed gpg verification logic
Signed-off-by: shankar <jatheendra@gmail.com>
---
 lib/libalpm/signing.c | 3 +++
 lib/libalpm/sync.c | 26 ++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index ddb89bc..0835b5e 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -166,6 +166,9 @@ pgpcheck_t _alpm_gpgme_checksig(const char *pkgpath, const pmpgpsig_t *sig)
 if(gpgsig->summary & GPGME_SIGSUM_VALID) {
 /* good signature, continue */
+ ret = PM_PGP_SIG_VALID;
+ _alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"),
+ pkgpath);
 } else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {
 /* 'green' signature, not sure what to do here */
 _alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"),
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 24f2b98..f658ae2 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
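Review bot: The added `ret = PM_PGP_SIG_VALID` covers only the GPGME_SIGSUM_VALID branch; the GPGME_SIGSUM_GREEN branch directly below it (a good signature from a key that is not fully trusted) still only logs a warning and leaves `ret` untouched, so what the caller sees for such a package depends on `ret`'s initializer, which is outside this hunk. Since sync.c now rejects every result other than PM_PGP_SIG_VALID, that branch should state its verdict explicitly rather than rely on the initializer, e.g. `ret = PM_PGP_SIG_INVALID; /* good signature but key not fully trusted: not accepted */`, or, if green signatures are meant to pass, assign PM_PGP_SIG_VALID there deliberately and replace "not sure what to do here" with the actual policy. It would also help operators if the new debug message named the verifying key (gpgme exposes the signer's fingerprint on the signature object), since the package path alone does not say which key was accepted. _alpm_gpgme_checksig begins and ends outside the hunk.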
@@ -901,12 +901,30 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)
 *data = alpm_list_add(*data, strdup(filename));
 }
 /* check PGP signature next */
- if(_alpm_gpgme_checksig(filepath, pgpsig) == PM_PGP_SIG_INVALID) {
- errors++;
- *data = alpm_list_add(*data, strdup(filename));
+ pmdb_t *sdb = alpm_pkg_get_db(spkg);
+
+ if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS) {
+ if(_alpm_gpgme_checksig(filepath, pgpsig) != PM_PGP_SIG_VALID) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(filename));
+ _alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package: %s\n"),alpm_pkg_get_name(spkg));
+ }
+ FREE(filepath);
+ } else if (sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
+ pgpcheck_t ret1 = _alpm_gpgme_checksig(filepath, pgpsig);
+
+ if(ret1 == PM_PGP_SIG_MISSING) {
+ /*no problems here*/
+ } else if (ret1 != PM_PGP_SIG_VALID) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(filename));
+ _alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package: %s\n"),alpm_pkg_get_name(spkg));
+ }
+ FREE(filepath);
 }
- FREE(filepath);
 }
+
+ if(errors) {
 pm_errno = PM_ERR_PKG_INVALID;
 goto error;
-- 
1.6.0.4
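Review bot: `filepath` now leaks whenever `sdb->verify_gpg` is neither PM_GPG_VERIFY_ALWAYS nor PM_GPG_VERIFY_OPTIONAL: the unconditional `FREE(filepath);` is removed and re-added only inside the two branches, so a repository configured with Never (or any other value) never frees it, once per package in the loop. A second concern is that the Optional path accepts PM_PGP_SIG_MISSING without a single log line, so a mirror that simply drops the signature turns a signed package into an unverified install silently; accepting it is what the option asks for, but it should at least warn. The two branches also duplicate the error handling, and the Always path reports a missing signature as "Invalid GPG signature", which will mislead users; running the check once and switching on the result removes the duplication and restores a single FREE on every path. The enclosing loop and _alpm_sync_commit begin and end outside the hunk.
```c
		/* check PGP signature next */
		pmdb_t *sdb = alpm_pkg_get_db(spkg);
		if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS
				|| sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
			pgpcheck_t sigret = _alpm_gpgme_checksig(filepath, pgpsig);
			if(sigret == PM_PGP_SIG_MISSING
					&& sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
				/* unsigned package accepted by policy, but never silently */
				_alpm_log(PM_LOG_WARNING, _("Package %s has no GPG signature.\n"),
						alpm_pkg_get_name(spkg));
			} else if(sigret == PM_PGP_SIG_MISSING) {
				errors++;
				*data = alpm_list_add(*data, strdup(filename));
				_alpm_log(PM_LOG_ERROR, _("Missing GPG signature on package: %s\n"),
						alpm_pkg_get_name(spkg));
			} else if(sigret != PM_PGP_SIG_VALID) {
				errors++;
				*data = alpm_list_add(*data, strdup(filename));
				_alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package: %s\n"),
						alpm_pkg_get_name(spkg));
			}
		}
		/* released on every policy path, including Never */
		FREE(filepath);
```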