On 18/7/19 6:06 am, Jonas Witschel wrote:
We assume that the packager is of the form "Example Name <email@address.invalid>" and that the key used to sign the package can be resolved using WKD with this address. This means that the package signing key should have one user ID with the given email address, which does not need to be a valid address, but needs to be published in the WKD.
Signed-off-by: Jonas Witschel <diabonas@gmx.de> --- lib/libalpm/sync.c | 9 +++++++-- lib/libalpm/util.c | 23 +++++++++++++++++++++++ lib/libalpm/util.h | 1 + 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index efad77ba..02acdf6d 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -872,6 +872,7 @@ static int check_keyring(alpm_handle_t *handle) size_t current = 0, numtargs; alpm_list_t *i, *errors = NULL; alpm_event_t event; + char *email;
event.type = ALPM_EVENT_KEYRING_START; EVENT(handle, &event); @@ -905,6 +906,8 @@ static int check_keyring(alpm_handle_t *handle) char *key = k->data; if(!alpm_list_find_str(errors, key) && _alpm_key_in_keychain(handle, key) == 0) { + _alpm_email_from_uid(pkg->packager, &email); + errors = alpm_list_add(errors, email); errors = alpm_list_add(errors, strdup(key));
I don't like this. Storing two strings as adjacent items in the list. I'd prefer a small two item struct. Any other opinions on this? <snip>
} diff --git a/lib/libalpm/util.c b/lib/libalpm/util.c index d33eef2a..2089f84d 100644 --- a/lib/libalpm/util.c +++ b/lib/libalpm/util.c @@ -1491,3 +1491,26 @@ void _alpm_alloc_fail(size_t size) { fprintf(stderr, "alloc failure: could not allocate %zu bytes\n", size); } + +/** Extract the email address from a User ID + * @param uid User ID to parse in the form "Example Name <email@address.invalid>" + * @param email to hold email address + * @return 0 on success, -1 on error + */ +int _alpm_email_from_uid(const char *uid, char **email) +{ + char *start, *end; + + start = strrchr(uid, '<');
This makes a strong assumption that "<" is not used within an email address. The use of that character is technically valid, provided it is quoted. I am happy with that assumption, but we need to add a check in libmakepkg to reject emails containing it. In fact, our PACKAGER variable has no enforced format at all...
+ if(start) { + end = strrchr(start, '>'); + } + + if(start && end) { + STRNDUP(*email, start+1, end-start-1, return -1); + return 0; + } else { + email = NULL; + return -1; + } +} diff --git a/lib/libalpm/util.h b/lib/libalpm/util.h index 9a3942f1..1190f10f 100644 --- a/lib/libalpm/util.h +++ b/lib/libalpm/util.h @@ -147,6 +147,7 @@ int _alpm_fnmatch_patterns(alpm_list_t *patterns, const char *string); int _alpm_fnmatch(const void *pattern, const void *string); void *_alpm_realloc(void **data, size_t *current, const size_t required); void *_alpm_greedy_grow(void **data, size_t *current, const size_t required); +int _alpm_email_from_uid(const char *uid, char **email);
Rename to: _alpm_email_from_packager()
#ifndef HAVE_STRSEP char *strsep(char **, const char *); -- 2.22.0 .
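Review bot: the return value of _alpm_email_from_uid() is ignored in the check_keyring() hunk at @@ -905,6 +906,8 @@ of sync.c, and "char *email;" is declared without an initializer in the @@ -872 hunk. When pkg->packager carries no "<...>" part the helper returns -1 without writing through its second argument, so an indeterminate pointer is appended to errors. Initialise email to NULL and only add the pair when the call returns 0, for example "if(_alpm_email_from_uid(pkg->packager, &email) == 0) { ... }", and decide explicitly what is stored for a key whose packager string has no address.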
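Review bot: the error branch of _alpm_email_from_uid() in the util.c hunk does "email = NULL;", which only clears the local parameter and leaves the caller's pointer untouched; it should be "*email = NULL;". In the same function, end is never assigned when start is NULL (only the short-circuit in "if(start && end)" keeps it from being read, so initialising both pointers to NULL is cleaner), uid is handed to strrchr() without a NULL check, and a uid containing "<>" returns success with an empty string. Since this address is meant to drive a WKD lookup, rejecting a zero-length result here would be safer than passing it on.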