[pacman-dev] [PATCH 1/1] be_sync: use effective URL for db file signature download
From: Christian Hesse <mail@eworm.de> If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match. Signed-off-by: Christian Hesse <mail@eworm.de> --- lib/libalpm/be_sync.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index b03d273..6572a8a 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -209,6 +209,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) } for(i = db->servers; i; i = i->next) { + char *final_db_url = NULL; const char *server = i->data; struct dload_payload payload; size_t len; @@ -228,7 +229,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) payload.force = force; payload.unlink_on_fail = 1; - ret = _alpm_download(&payload, syncpath, NULL, NULL); + ret = _alpm_download(&payload, syncpath, NULL, &final_db_url); _alpm_dload_payload_reset(&payload); if(ret == 0 && (level & ALPM_SIG_DATABASE)) { @@ -242,11 +243,11 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) free(sigpath); /* if we downloaded a DB, we want the .sig from the same server */ - /* print server + filename into a buffer (leave space for .sig) */ - len = strlen(server) + strlen(db->treename) + 9; + /* print final_db_url into a buffer (leave space for .sig) */ + len = strlen(final_db_url) + 5; /* TODO fix leak syncpath and umask unset */ MALLOC(payload.fileurl, len, RET_ERR(handle, ALPM_ERR_MEMORY, -1)); - snprintf(payload.fileurl, len, "%s/%s.db.sig", server, db->treename); + snprintf(payload.fileurl, len, "%s.sig", final_db_url); payload.handle = handle; payload.force = 1; payload.errors_ok = (level & ALPM_SIG_DATABASE_OPTIONAL); -- 2.1.2
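Review bot: In the last hunk (`@@ -242,11 +243,11 @@`), `strlen(final_db_url)` is reached whenever `ret == 0 && (level & ALPM_SIG_DATABASE)`, but the pointer starts out as NULL in the first hunk and nothing in these lines shows that `_alpm_download()` always fills it in on success. Check it before the `strlen()` and fall back to the old `"%s/%s.db.sig"` form built from `server` and `db->treename` when it is NULL. The new `"%s.sig"` format also appends to the whole effective URL, so if a redirect ever ends in a query string the suffix lands after it; a comment stating that assumption next to the `snprintf()` would help.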
Christian Hesse <list@eworm.de> on Mon, 2014/10/06 13:00:
From: Christian Hesse <mail@eworm.de>
If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match.
Signed-off-by: Christian Hesse <mail@eworm.de> --- lib/libalpm/be_sync.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
Some changes made it to master and Allan's patchqueue since I sent my patches. Are my patches in anybody's queue or did this get lost?
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
On 16/10/14 18:57, Christian Hesse wrote:
Christian Hesse <list@eworm.de> on Mon, 2014/10/06 13:00:
From: Christian Hesse <mail@eworm.de>
If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match.
Signed-off-by: Christian Hesse <mail@eworm.de> --- lib/libalpm/be_sync.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
Some changes made it to master and Allan's patchqueue since I sent my patches. Are my patches in anybody's queue or did this get lost?
No patches get lost as we have patchwork tracking all submitted patches. Your patches are on my todo list... If someone who has dealt more with the download code (Dave!) gives them the OK, they will be committed more quickly.
Allan
Allan McRae <allan@archlinux.org> on Thu, 2014/10/16 20:59:
On 16/10/14 18:57, Christian Hesse wrote:
Christian Hesse <list@eworm.de> on Mon, 2014/10/06 13:00:
From: Christian Hesse <mail@eworm.de>
If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match.
Signed-off-by: Christian Hesse <mail@eworm.de> --- lib/libalpm/be_sync.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
Some changes made it to master and Allan's patchqueue since I sent my patches. Are my patches in anybody's queue or did this get lost?
No patches get lost as we have patchwork tracking all submitted patches.
Your patches are on my todo list... If someone who has dealt more with the download code (Dave!) gives them the OK, they will be committed more quickly. --
Ah, great! Did not know that. Just found via Google... Is this linked on the website? Or referenced in source code? Could be worth doing so.
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
On Mon, Oct 06, 2014 at 01:00:38PM +0200, Christian Hesse wrote:
From: Christian Hesse <mail@eworm.de>
If download server is dynamic mirror chances are that db file download and db file signature download are redirected to different mirrors, resulting in invalid signature. This uses effective URL for db file signature download and makes the files always match.
Signed-off-by: Christian Hesse <mail@eworm.de> --- lib/libalpm/be_sync.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index b03d273..6572a8a 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c @@ -209,6 +209,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) }
for(i = db->servers; i; i = i->next) { + char *final_db_url = NULL; const char *server = i->data; struct dload_payload payload; size_t len; @@ -228,7 +229,7 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) payload.force = force; payload.unlink_on_fail = 1;
- ret = _alpm_download(&payload, syncpath, NULL, NULL); + ret = _alpm_download(&payload, syncpath, NULL, &final_db_url); _alpm_dload_payload_reset(&payload);
if(ret == 0 && (level & ALPM_SIG_DATABASE)) { @@ -242,11 +243,11 @@ int SYMEXPORT alpm_db_update(int force, alpm_db_t *db) free(sigpath);
/* if we downloaded a DB, we want the .sig from the same server */ - /* print server + filename into a buffer (leave space for .sig) */ - len = strlen(server) + strlen(db->treename) + 9; + /* print final_db_url into a buffer (leave space for .sig) */ + len = strlen(final_db_url) + 5; /* TODO fix leak syncpath and umask unset */ MALLOC(payload.fileurl, len, RET_ERR(handle, ALPM_ERR_MEMORY, -1)); - snprintf(payload.fileurl, len, "%s/%s.db.sig", server, db->treename); + snprintf(payload.fileurl, len, "%s.sig", final_db_url);
final_db_url leaks here. You need to free it. Patch looks fine, otherwise.
payload.handle = handle; payload.force = 1; payload.errors_ok = (level & ALPM_SIG_DATABASE_OPTIONAL); -- 2.1.2
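Review bot: The string handed back through `&final_db_url` in the `_alpm_download()` call is declared inside the `for` loop over `db->servers`, so it has to be released once per iteration rather than once per function. Free it after the `snprintf()` that builds `payload.fileurl`, and also when the `if(ret == 0 && (level & ALPM_SIG_DATABASE))` block is skipped. The `RET_ERR` exit inside the `MALLOC` line returns early as well, so without a free there it joins the leak already recorded in the `TODO` comment.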
participants (3)
- Allan McRae
- Christian Hesse
- Dave Reisner