[pacman-dev] [PATCH 0/4] Make gpgme optional

newer
[pacman-dev] [GIT] The official...

older
[pacman-dev] [PATCH 0/3] Signature...

Rémy Oudompheng

10 Apr 2011 10 Apr '11

11:37 a.m.

These patches (partially already submitted before) make linking with gpgme optional, and also implement a configuration option for pacman to use an external tool for signature checking. The given example is "gpg --verify - $filename", but "/bin/true" could be used to totally bypass checking. To apply on branch 'master', after the previously posted patch set. Rémy Oudompheng (4): handle: define a new callback for signature check signing: make gpgme optional and default to user callback pacman: add a configuration key for signature checking command pacman: implement signature check callback using an external command configure.ac | 19 ++++++++++- etc/pacman.conf.in | 1 + lib/libalpm/alpm.h | 12 +++++++ lib/libalpm/error.c | 2 + lib/libalpm/handle.c | 13 ++++++++ lib/libalpm/handle.h | 1 + lib/libalpm/signing.c | 33 +++++++++++++++++++-- lib/libalpm/signing.h | 2 +- lib/libalpm/sync.c | 6 ++- src/pacman/callback.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++++ src/pacman/callback.h | 3 ++ src/pacman/conf.h | 1 + src/pacman/pacman.c | 4 ++ 13 files changed, 167 insertions(+), 8 deletions(-) -- 1.7.4.4

Show replies by date

Rémy Oudompheng

10 Apr 10 Apr

11:38 a.m.

New subject: [pacman-dev] [PATCH 1/4] handle: define a new callback for signature check

This callback will make possible the use of an external tool to check signatures. Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- lib/libalpm/alpm.h | 12 ++++++++++++ lib/libalpm/error.c | 2 ++ lib/libalpm/handle.c | 13 +++++++++++++ lib/libalpm/handle.h | 1 + 4 files changed, 28 insertions(+), 0 deletions(-) diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 1777bf2..7979e9f 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -99,6 +99,13 @@ typedef void (*alpm_cb_totaldl)(off_t total); typedef int (*alpm_cb_fetch)(const char *url, const char *localpath, int force); +/** A callback for checking signatures. + * @param path the path of the signed file + * @param sig the signature to check + * @return an int value : 0 (valid), 1 (invalid), -1 (an error occured) + */ +typedef int (*alpm_cb_checksig)(const char *path, const pmpgpsig_t *sig); + /** Fetch a remote pkg. * @param url URL of the package to download * @return the downloaded filepath on success, NULL on error @@ -128,6 +135,10 @@ void alpm_option_set_fetchcb(alpm_cb_fetch cb); alpm_cb_totaldl alpm_option_get_totaldlcb(void); void alpm_option_set_totaldlcb(alpm_cb_totaldl cb); +/** Get/set the signature checking callback. */ +alpm_cb_checksig alpm_option_get_checksigcb(void); +int alpm_option_set_checksigcb(alpm_cb_checksig cb); + /** Get/set the root of the destination filesystem. */ const char *alpm_option_get_root(void); int alpm_option_set_root(const char *root); @@ -942,6 +953,7 @@ enum _pmerrno_t { PM_ERR_LIBARCHIVE, PM_ERR_LIBCURL, PM_ERR_EXTERNAL_DOWNLOAD, + PM_ERR_EXTERNAL_SIGCHECK, PM_ERR_GPGME }; diff --git a/lib/libalpm/error.c b/lib/libalpm/error.c index 4d4a065..839ecc3 100644 --- a/lib/libalpm/error.c +++ b/lib/libalpm/error.c @@ -158,6 +158,8 @@ const char SYMEXPORT *alpm_strerror(int err) return _("gpgme error"); case PM_ERR_EXTERNAL_DOWNLOAD: return _("error invoking external downloader"); + case PM_ERR_EXTERNAL_SIGCHECK: + return _("error invoking external signature check"); /* Unknown error! */ default: return _("unexpected error"); diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c index fd40f19..da5309d 100644 --- a/lib/libalpm/handle.c +++ b/lib/libalpm/handle.c @@ -130,6 +130,12 @@ alpm_cb_totaldl SYMEXPORT alpm_option_get_totaldlcb() return handle->totaldlcb; } +alpm_cb_checksig SYMEXPORT alpm_option_get_checksigcb() +{ + ASSERT(handle != NULL, RET_ERR(PM_ERR_HANDLE_NULL, NULL)); + return handle->checksigcb; +} + const char SYMEXPORT *alpm_option_get_root() { if (handle == NULL) { @@ -310,6 +316,13 @@ void SYMEXPORT alpm_option_set_totaldlcb(alpm_cb_totaldl cb) handle->totaldlcb = cb; } +int SYMEXPORT alpm_option_set_checksigcb(alpm_cb_checksig cb) +{ + ASSERT(handle != NULL, RET_ERR(PM_ERR_HANDLE_NULL, -1)); + handle->checksigcb = cb; + return 0; +} + int SYMEXPORT alpm_option_set_root(const char *root) { struct stat st; diff --git a/lib/libalpm/handle.h b/lib/libalpm/handle.h index cf192bc..2f2e5d2 100644 --- a/lib/libalpm/handle.h +++ b/lib/libalpm/handle.h @@ -52,6 +52,7 @@ typedef struct _pmhandle_t { alpm_cb_download dlcb; /* Download callback function */ alpm_cb_totaldl totaldlcb; /* Total download callback function */ alpm_cb_fetch fetchcb; /* Download file callback function */ + alpm_cb_checksig checksigcb; /* Signature check callback function */ /* filesystem paths */ char *root; /* Root path, default '/' */ -- 1.7.4.4

Dan McGee

11 Apr 11 Apr

7:01 p.m.

New subject: [pacman-dev] [PATCH 1/4] handle: define a new callback for signature check

On Sun, Apr 10, 2011 at 6:38 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:

...

This callback will make possible the use of an external tool to check signatures.

Signed-off-by: Rémy Oudompheng <remy@archlinux.org> -1, rejected as noted in my prior email.

...

--- lib/libalpm/alpm.h | 12 ++++++++++++ lib/libalpm/error.c | 2 ++ lib/libalpm/handle.c | 13 +++++++++++++ lib/libalpm/handle.h | 1 + 4 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 1777bf2..7979e9f 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -99,6 +99,13 @@ typedef void (*alpm_cb_totaldl)(off_t total); typedef int (*alpm_cb_fetch)(const char *url, const char *localpath, int force);

+/** A callback for checking signatures. + * @param path the path of the signed file + * @param sig the signature to check + * @return an int value : 0 (valid), 1 (invalid), -1 (an error occured) + */ +typedef int (*alpm_cb_checksig)(const char *path, const pmpgpsig_t *sig); + /** Fetch a remote pkg. * @param url URL of the package to download * @return the downloaded filepath on success, NULL on error @@ -128,6 +135,10 @@ void alpm_option_set_fetchcb(alpm_cb_fetch cb); alpm_cb_totaldl alpm_option_get_totaldlcb(void); void alpm_option_set_totaldlcb(alpm_cb_totaldl cb);

+/** Get/set the signature checking callback. */ +alpm_cb_checksig alpm_option_get_checksigcb(void); +int alpm_option_set_checksigcb(alpm_cb_checksig cb); + /** Get/set the root of the destination filesystem. */ const char *alpm_option_get_root(void); int alpm_option_set_root(const char *root); @@ -942,6 +953,7 @@ enum _pmerrno_t { PM_ERR_LIBARCHIVE, PM_ERR_LIBCURL, PM_ERR_EXTERNAL_DOWNLOAD, + PM_ERR_EXTERNAL_SIGCHECK, PM_ERR_GPGME };

diff --git a/lib/libalpm/error.c b/lib/libalpm/error.c index 4d4a065..839ecc3 100644 --- a/lib/libalpm/error.c +++ b/lib/libalpm/error.c @@ -158,6 +158,8 @@ const char SYMEXPORT *alpm_strerror(int err) return _("gpgme error"); case PM_ERR_EXTERNAL_DOWNLOAD: return _("error invoking external downloader"); + case PM_ERR_EXTERNAL_SIGCHECK: + return _("error invoking external signature check"); /* Unknown error! */ default: return _("unexpected error"); diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c index fd40f19..da5309d 100644 --- a/lib/libalpm/handle.c +++ b/lib/libalpm/handle.c @@ -130,6 +130,12 @@ alpm_cb_totaldl SYMEXPORT alpm_option_get_totaldlcb() return handle->totaldlcb; }

+alpm_cb_checksig SYMEXPORT alpm_option_get_checksigcb() +{ + ASSERT(handle != NULL, RET_ERR(PM_ERR_HANDLE_NULL, NULL)); + return handle->checksigcb; +} + const char SYMEXPORT *alpm_option_get_root() { if (handle == NULL) { @@ -310,6 +316,13 @@ void SYMEXPORT alpm_option_set_totaldlcb(alpm_cb_totaldl cb) handle->totaldlcb = cb; }

+int SYMEXPORT alpm_option_set_checksigcb(alpm_cb_checksig cb) +{ + ASSERT(handle != NULL, RET_ERR(PM_ERR_HANDLE_NULL, -1)); + handle->checksigcb = cb; + return 0; +} + int SYMEXPORT alpm_option_set_root(const char *root) { struct stat st; diff --git a/lib/libalpm/handle.h b/lib/libalpm/handle.h index cf192bc..2f2e5d2 100644 --- a/lib/libalpm/handle.h +++ b/lib/libalpm/handle.h @@ -52,6 +52,7 @@ typedef struct _pmhandle_t { alpm_cb_download dlcb; /* Download callback function */ alpm_cb_totaldl totaldlcb; /* Total download callback function */ alpm_cb_fetch fetchcb; /* Download file callback function */ + alpm_cb_checksig checksigcb; /* Signature check callback function */

/* filesystem paths */ char *root; /* Root path, default '/' */ -- 1.7.4.4

Rémy Oudompheng

10 Apr 10 Apr

11:38 a.m.

New subject: [pacman-dev] [PATCH 2/4] signing: make gpgme optional and default to user callback

This makes it possible to compile libalpm without the gpgme library. This option is reflected in the configure script. Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- configure.ac | 19 +++++++++++++++++-- lib/libalpm/signing.c | 33 ++++++++++++++++++++++++++++++--- lib/libalpm/signing.h | 2 +- lib/libalpm/sync.c | 6 ++++-- 4 files changed, 52 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index 9fb9cb0..ef48f86 100644 --- a/configure.ac +++ b/configure.ac @@ -93,6 +93,11 @@ AC_ARG_WITH(openssl, AS_HELP_STRING([--with-openssl], [use OpenSSL crypto implementations instead of internal routines]), [], [with_openssl=check]) +# Help line for using GPGME +AC_ARG_WITH(gpgme, + AS_HELP_STRING([--with-gpgme], [use GPGME for signature checking]), + [], [with_gpgme=check]) + # Check for useable libcurl LIBCURL_CHECK_CONFIG([yes], [7.19.4]) @@ -151,8 +156,17 @@ AS_IF([test "x$with_openssl" != "xno"], AM_CONDITIONAL([HAVE_LIBSSL], [test "x$ac_cv_lib_ssl_MD5_Final" = "xyes"]) # Check for gpgme -AC_CHECK_LIB([gpgme], [gpgme_check_version], , - AC_MSG_ERROR([gpgme is needed to compile pacman!])) +AC_MSG_CHECKING(whether to enable gpgme) +AS_IF([test "x$with_gpgme" != "xno"], + [AC_MSG_RESULT(yes) + AC_CHECK_LIB([gpgme], [gpgme_check_version], , + [if test "x$with_gpgme" != "xcheck"; then + AC_MSG_FAILURE([--with-gpgme was given, but -lgpgme was not found]) + fi], + [-lgpgme])] + with_gpgme=$ac_cv_lib_gpgme_gpgme_check_version, + AC_MSG_RESULT(no)) +AM_CONDITIONAL([HAVE_LIBGPGME], [test "x$ac_cv_lib_gpgme_gpgme_check_version" = "xyes"]) # Checks for header files. AC_CHECK_HEADERS([fcntl.h glob.h libintl.h locale.h mntent.h string.h \ @@ -406,6 +420,7 @@ ${PACKAGE_NAME}: Compilation options: Run make in doc/ dir : ${wantdoc} ${asciidoc} Doxygen support : ${usedoxygen} + GPGME support : ${with_gpgme} debug support : ${debug} " diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index cc4b89f..4f86177 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -23,19 +23,24 @@ #include <stdio.h> #include <string.h> #include <locale.h> /* setlocale() */ + +#ifdef HAVE_LIBGPGME #include <gpgme.h> +#endif /* libalpm */ #include "signing.h" #include "package.h" #include "util.h" #include "log.h" +#include "handle.h" #include "alpm.h" #define CHECK_ERR(void) do { \ if(err != GPG_ERR_NO_ERROR) { goto error; } \ } while(0) +#ifdef HAVE_LIBGPGME static int gpgme_init(void) { static int init = 0; @@ -97,7 +102,7 @@ error: * @param sig PGP signature data in raw form (already decoded) * @return a int value : 0 (valid), 1 (invalid), -1 (an error occured) */ -int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) +static int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) { int ret = 0; gpgme_error_t err; @@ -202,6 +207,7 @@ error: } return ret; } +#endif /** * Load the signature from the given path into the provided struct. @@ -248,6 +254,27 @@ int _alpm_load_signature(const char *sigfile, pmpgpsig_t *pgpsig) { return 0; } +/** Check the PGP signature for an arbitrary file. + * This function redirects to the standard gpgme checking + * function or a user-defined external callback. + */ +int _alpm_file_checksig(const char *path, const pmpgpsig_t *sig) +{ + if(handle->checksigcb == NULL) { +#ifdef HAVE_LIBGPGME + return _alpm_gpgme_checksig(path, sig); +#else + RET_ERR(PM_ERR_EXTERNAL_SIGCHECK, -1); +#endif + } else { + int ret = handle->checksigcb(path, sig); + if(ret == -1) { + RET_ERR(PM_ERR_EXTERNAL_SIGCHECK, -1); + } + return ret; + } +} + /** * Check the PGP package signature for the given package file. * @param pkg the package to check @@ -258,7 +285,7 @@ int SYMEXPORT alpm_pkg_check_pgp_signature(pmpkg_t *pkg) ALPM_LOG_FUNC; ASSERT(pkg != NULL, return 0); - return _alpm_gpgme_checksig(alpm_pkg_get_filename(pkg), + return _alpm_file_checksig(alpm_pkg_get_filename(pkg), alpm_pkg_get_pgpsig(pkg)); } @@ -272,7 +299,7 @@ int SYMEXPORT alpm_db_check_pgp_signature(pmdb_t *db) ALPM_LOG_FUNC; ASSERT(db != NULL, return(0)); - return _alpm_gpgme_checksig(_alpm_db_path(db), + return _alpm_file_checksig(_alpm_db_path(db), _alpm_db_pgpsig(db)); } diff --git a/lib/libalpm/signing.h b/lib/libalpm/signing.h index b37abf0..6781377 100644 --- a/lib/libalpm/signing.h +++ b/lib/libalpm/signing.h @@ -31,7 +31,7 @@ struct __pmpgpsig_t { unsigned char *rawdata; }; -int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig); +int _alpm_file_checksig(const char *path, const pmpgpsig_t *sig); int _alpm_load_signature(const char *sigfile, pmpgpsig_t *pgpsig); #endif /* _ALPM_SIGNING_H */ diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index a97a67b..7c5759d 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -855,11 +855,12 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) FREE(filepath); continue; } + + /* check PGP signature next */ pmdb_t *sdb = alpm_pkg_get_db(spkg); - if(sdb->pgp_verify != PM_PGP_VERIFY_NEVER) { - int ret = _alpm_gpgme_checksig(filepath, pgpsig); + int ret = _alpm_file_checksig(filepath, pgpsig); if((sdb->pgp_verify == PM_PGP_VERIFY_ALWAYS && ret != 0) || (sdb->pgp_verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { errors++; @@ -868,6 +869,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) continue; } } + /* load the package file and replace pkgcache entry with it in the target list */ /* TODO: alpm_pkg_get_db() will not work on this target anymore */ _alpm_log(PM_LOG_DEBUG, "replacing pkgcache entry with package file for target %s\n", spkg->name); -- 1.7.4.4

Rémy Oudompheng

11:39 a.m.

New subject: [pacman-dev] [PATCH 3/4] pacman: add a configuration key for signature checking command

Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- etc/pacman.conf.in | 1 + src/pacman/callback.c | 5 +++++ src/pacman/callback.h | 3 +++ src/pacman/conf.h | 1 + src/pacman/pacman.c | 4 ++++ 5 files changed, 14 insertions(+), 0 deletions(-) diff --git a/etc/pacman.conf.in b/etc/pacman.conf.in index 1105db9..3b92351 100644 --- a/etc/pacman.conf.in +++ b/etc/pacman.conf.in @@ -18,6 +18,7 @@ HoldPkg = pacman glibc SyncFirst = pacman #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u #XferCommand = /usr/bin/curl -C - -f %u > %o +#ChecksigCommand = /usr/bin/gpg --verify - %f #CleanMethod = KeepInstalled Architecture = auto diff --git a/src/pacman/callback.c b/src/pacman/callback.c index 08c1cf3..1ff9a47 100644 --- a/src/pacman/callback.c +++ b/src/pacman/callback.c @@ -687,4 +687,9 @@ void cb_log(pmloglevel_t level, const char *fmt, va_list args) } } +/* Callback to check signatures with an external command */ +int cb_checksig(const char *path, const pmpgpsig_t *sig) { + return 0; +} + /* vim: set ts=2 sw=2 noet: */ diff --git a/src/pacman/callback.h b/src/pacman/callback.h index 1109a3b..3e2cfb1 100644 --- a/src/pacman/callback.h +++ b/src/pacman/callback.h @@ -43,6 +43,9 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total); /* callback to handle messages/notifications from pacman library */ void cb_log(pmloglevel_t level, const char *fmt, va_list args); +/* callback to check signatures with an external command */ +int cb_checksig(const char *path, const pmpgpsig_t *sig); + #endif /* _PM_CALLBACK_H */ /* vim: set ts=2 sw=2 noet: */ diff --git a/src/pacman/conf.h b/src/pacman/conf.h index bb11bab..9aa8492 100644 --- a/src/pacman/conf.h +++ b/src/pacman/conf.h @@ -78,6 +78,7 @@ typedef struct __config_t { alpm_list_t *holdpkg; alpm_list_t *syncfirst; char *xfercommand; + char *checksigcommand; } config_t; /* Operations */ diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c index 74659c5..9aad3a3 100644 --- a/src/pacman/pacman.c +++ b/src/pacman/pacman.c @@ -1052,6 +1052,10 @@ static int _parse_options(const char *key, char *value, config->xfercommand = strdup(value); alpm_option_set_fetchcb(download_with_xfercommand); pm_printf(PM_LOG_DEBUG, "config: xfercommand: %s\n", value); + } else if (strcmp(key, "ChecksigCommand") == 0) { + config->checksigcommand = strdup(value); + alpm_option_set_checksigcb(cb_checksig); + pm_printf(PM_LOG_DEBUG, "config: checksigcommand: %s\n", value); } else if (strcmp(key, "CleanMethod") == 0) { setrepeatingoption(value, "CleanMethod", option_add_cleanmethod); } else { -- 1.7.4.4

Rémy Oudompheng

11:40 a.m.

New subject: [pacman-dev] [PATCH 4/4] pacman: implement signature check callback using an external command

Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- src/pacman/callback.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 74 insertions(+), 1 deletions(-) diff --git a/src/pacman/callback.c b/src/pacman/callback.c index 1ff9a47..06f161c 100644 --- a/src/pacman/callback.c +++ b/src/pacman/callback.c @@ -25,6 +25,7 @@ #include <string.h> #include <sys/time.h> #include <sys/types.h> /* off_t */ +#include <sys/wait.h> /* waitpid */ #include <unistd.h> #include <wchar.h> @@ -689,7 +690,79 @@ void cb_log(pmloglevel_t level, const char *fmt, va_list args) /* Callback to check signatures with an external command */ int cb_checksig(const char *path, const pmpgpsig_t *sig) { - return 0; + int ret = 0; + int retval; + int childpid; + char *parsedcmd; + int pipefd[2]; + + if(!config->checksigcommand) { + return -1; + } + + parsedcmd = strdup(config->checksigcommand); + /* replace all occurrences of %f with the filename */ + if(strstr(parsedcmd, "%f")) { + char *tempcmd = strreplace(parsedcmd, "%f", path); + free(parsedcmd); + parsedcmd = tempcmd; + } + + /* execute the parsed command via /bin/sh -c */ + pipe(pipefd); + childpid = fork(); + + if (childpid < 0) { + pm_printf(PM_LOG_ERROR, _("running ChecksigCommand: fork failed!\n")); + ret = -1; + goto cleanup; + } else if (childpid == 0) { + /* we are in the child */ + close(pipefd[1]); + /* read from the pipe */ + dup2(pipefd[0], 0); + pm_printf(PM_LOG_DEBUG, "child: running command: %s\n", parsedcmd); + if (execl("/bin/sh", "/bin/sh", "-c", parsedcmd, NULL) == -1) + exit(127); + } else { + /* we are still in pacman */ + close(pipefd[0]); + size_t remaining; + const char *signature = alpm_pgpsig_get_raw(sig, &remaining); + if (! signature) { + close(pipefd[1]); + ret = -1; + goto wait; + } + while(remaining > 0) { + /* write signature into pipe */ + ssize_t written = write(pipefd[1], signature, remaining); + if (written < 0) { + pm_printf(PM_LOG_ERROR, _("running ChecksigCommand: broken pipe!\n")); + ret = -1; + break; + } + signature += written; + remaining -= written; + } + close(pipefd[1]); + } + +wait: + waitpid(childpid, &retval, 0); + + if(!WIFEXITED(retval)) { + /* exited abnormally */ + pm_printf(PM_LOG_DEBUG, "ChecksigCommand exited abnormally " + "status (%d,%d)\n", retval >> 8, retval & 0xff); + ret = -1; + } else { + ret = (WEXITSTATUS(retval) == 0) ? 0 : 1; + } + +cleanup: + free(parsedcmd); + return ret; } /* vim: set ts=2 sw=2 noet: */ -- 1.7.4.4

Dan McGee

11 Apr 11 Apr

7:01 p.m.

On Sun, Apr 10, 2011 at 6:37 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:

...

These patches (partially already submitted before) make linking with gpgme optional, and also implement a configuration option for pacman to use an external tool for signature checking. The given example is "gpg --verify - $filename", but "/bin/true" could be used to totally bypass checking.

You totally misread my TODO item, sorry, and I never intended someone else to do this one but put it on the list in trying to be open about things. :/ I meant nothing about letting an external tool validate signatures; as a matter of fact I am highly against this. I only wanted gpgme and signature checking to be an option that could be omitted when compiling, for instance if someone decided to use this to manage custom packages elsewhere with no intent of sharing publicly, or another OS where gpg is not so readily available. So I will take a look at the first half, but the second half will not be going anywhere. -Dan

Rémy Oudompheng

7:17 p.m.

On 2011/4/11 Dan McGee <dpmcgee@gmail.com> wrote:

...

On Sun, Apr 10, 2011 at 6:37 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:

...
These patches (partially already submitted before) make linking with gpgme optional, and also implement a configuration option for pacman to use an external tool for signature checking. The given example is "gpg --verify - $filename", but "/bin/true" could be used to totally bypass checking.

You totally misread my TODO item, sorry, and I never intended someone else to do this one but put it on the list in trying to be open about things. :/

I meant nothing about letting an external tool validate signatures; as a matter of fact I am highly against this. I only wanted gpgme and signature checking to be an option that could be omitted when compiling, for instance if someone decided to use this to manage custom packages elsewhere with no intent of sharing publicly, or another OS where gpg is not so readily available.

Gah I read "like we do with our download code" which looked exactly like I thought. However, I may understand that you don't want to merge this, even if I found the idea interesting. -- Rémy.

5003

Age (days ago)

5004

Last active (days ago)

List overview

Download

7 comments

2 participants

participants (2)

Dan McGee
Rémy Oudompheng

[pacman-dev] [PATCH 0/4] Make gpgme optional

tags

participants (2)