[pacman-dev] [PATCH 0/3] Add --verifylvl option to pacman
This is a reroll of a series to add the --verifylvl option to pacman, taking into account of the recent changes in libalpm. The --verifylvl option can be used to change pacman's signature verification level to one of "always", "optional", or "never". Patch 1/3 changes option_verifysig to accept non-capitalized versions of "Always", "Optional" and "Never". Patch 2/3 adds the --verifylvl to pacman. Patch 3/3 adds the "VerifySig" option to etc/pacman.conf.in Pang Yan Han (3): option_verifysig: Accept non-caps sig levels pacman: Add --verifylvl option etc/pacman.conf.in : Add VerifySig option doc/pacman.8.txt | 7 +++++++ etc/pacman.conf.in | 1 + src/pacman/conf.c | 15 ++++++++++++--- src/pacman/conf.h | 4 +++- src/pacman/pacman.c | 6 ++++++ 5 files changed, 29 insertions(+), 4 deletions(-) -- 1.7.6.rc0
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> --- src/pacman/conf.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pacman/conf.c b/src/pacman/conf.c index 1ee0444..13707d0 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -225,11 +225,11 @@ int config_set_arch(const char *arch) static pgp_verify_t option_verifysig(const char *value) { pgp_verify_t level; - if(strcmp(value, "Always") == 0) { + if(strcmp(value, "Always") == 0 || strcmp(value, "always") == 0) { level = PM_PGP_VERIFY_ALWAYS; - } else if(strcmp(value, "Optional") == 0) { + } else if(strcmp(value, "Optional") == 0 || strcmp(value, "optional") == 0) { level = PM_PGP_VERIFY_OPTIONAL; - } else if(strcmp(value, "Never") == 0) { + } else if(strcmp(value, "Never") == 0 || strcmp(value, "never") == 0) { level = PM_PGP_VERIFY_NEVER; } else { level = PM_PGP_VERIFY_UNKNOWN; -- 1.7.6.rc0
The --verifylvl option allows the user to change pacman's signature verification level. It can take in one of "always", "optional", "never", or their capitalized counterparts. Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> --- doc/pacman.8.txt | 7 +++++++ src/pacman/conf.c | 9 +++++++++ src/pacman/conf.h | 4 +++- src/pacman/pacman.c | 6 ++++++ 4 files changed, 25 insertions(+), 1 deletions(-) diff --git a/doc/pacman.8.txt b/doc/pacman.8.txt index 531c992..96f4c12 100644 --- a/doc/pacman.8.txt +++ b/doc/pacman.8.txt @@ -165,6 +165,13 @@ Options Bypass any and all ``Are you sure?'' messages. It's not a good idea to do this unless you want to run pacman from a script. +*\--verifylvl* <level>:: + Sets pacman's signature verification level to <level>. Valid values for level + are "always", "optional", "never" and their capitalized counterparts. This + can be used to override the "VerifySig" option in linkman:pacman.conf[5]. + If an invalid level is given, pacman will fallback to using the level given + in the "VerifySig" option in linkman:pacman.conf[5]. + Transaction Options (apply to '-S', '-R' and '-U') -------------------------------------------------- *-d, \--nodeps*:: diff --git a/src/pacman/conf.c b/src/pacman/conf.c index 13707d0..cf507d9 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -74,6 +74,7 @@ int config_free(config_t *oldconfig) free(oldconfig->dbpath); free(oldconfig->logfile); free(oldconfig->gpgdir); + free(oldconfig->verifylvl); FREELIST(oldconfig->cachedirs); free(oldconfig->xfercommand); free(oldconfig->print_format); @@ -481,6 +482,14 @@ static int setup_libalpm(void) alpm_option_set_cachedirs(handle, config->cachedirs); } + /* Override signature verification level from command line */ + if(config->verifylvl) { + pgp_verify_t verifylvl = option_verifysig(config->verifylvl); + if(verifylvl != PM_PGP_VERIFY_UNKNOWN) { + config->sigverify = verifylvl; + } + } + if(config->sigverify != PM_PGP_VERIFY_UNKNOWN) { alpm_option_set_default_sigverify(handle, config->sigverify); } diff --git a/src/pacman/conf.h b/src/pacman/conf.h index 4c44bfd..7d98729 100644 --- a/src/pacman/conf.h +++ b/src/pacman/conf.h @@ -45,6 +45,7 @@ typedef struct __config_t { char *dbpath; char *logfile; char *gpgdir; + char *verifylvl; alpm_list_t *cachedirs; unsigned short op_q_isfile; @@ -123,7 +124,8 @@ enum { OP_ASEXPLICIT, OP_ARCH, OP_PRINTFORMAT, - OP_GPGDIR + OP_GPGDIR, + OP_VERIFYLVL }; /* clean method */ diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c index afc79f6..0c200db 100644 --- a/src/pacman/pacman.c +++ b/src/pacman/pacman.c @@ -205,6 +205,8 @@ static void usage(int op, const char * const myname) addlist(_(" --gpgdir <path> set an alternate home directory for GnuPG\n")); addlist(_(" --logfile <path> set an alternate log file\n")); addlist(_(" --noconfirm do not ask for any confirmation\n")); + addlist(_(" --verifylvl <lvl>\n" + " set an alternate signature verification level\n")); } list = alpm_list_msort(list, alpm_list_count(list), options_cmp); for (i = list; i; i = alpm_list_next(i)) { @@ -431,6 +433,9 @@ static int parsearg_global(int opt) config->logfile = strndup(optarg, PATH_MAX); break; case OP_NOCONFIRM: config->noconfirm = 1; break; + case OP_VERIFYLVL: + config->verifylvl = strdup(optarg); + break; case 'b': check_optarg(); config->dbpath = strdup(optarg); @@ -628,6 +633,7 @@ static int parseargs(int argc, char *argv[]) {"arch", required_argument, 0, OP_ARCH}, {"print-format", required_argument, 0, OP_PRINTFORMAT}, {"gpgdir", required_argument, 0, OP_GPGDIR}, + {"verifylvl", required_argument, 0, OP_VERIFYLVL}, {0, 0, 0, 0} }; -- 1.7.6.rc0
Just a heads-up: I proposed a more complex scheme that, if adopted, will require this patch to be revised considerably (I actually sent the damn email a week ago, but due to idiocy on my part and on that of Gmail, I only noticed the problem today). -Kerrick Staley On Sat, Jun 11, 2011 at 11:15 PM, Pang Yan Han <pangyanhan@gmail.com> wrote:
The --verifylvl option allows the user to change pacman's signature verification level. It can take in one of "always", "optional", "never", or their capitalized counterparts.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> --- doc/pacman.8.txt | 7 +++++++ src/pacman/conf.c | 9 +++++++++ src/pacman/conf.h | 4 +++- src/pacman/pacman.c | 6 ++++++ 4 files changed, 25 insertions(+), 1 deletions(-)
diff --git a/doc/pacman.8.txt b/doc/pacman.8.txt index 531c992..96f4c12 100644 --- a/doc/pacman.8.txt +++ b/doc/pacman.8.txt @@ -165,6 +165,13 @@ Options Bypass any and all ``Are you sure?'' messages. It's not a good idea to do this unless you want to run pacman from a script.
+*\--verifylvl* <level>:: + Sets pacman's signature verification level to <level>. Valid values for level + are "always", "optional", "never" and their capitalized counterparts. This + can be used to override the "VerifySig" option in linkman:pacman.conf[5]. + If an invalid level is given, pacman will fallback to using the level given + in the "VerifySig" option in linkman:pacman.conf[5]. + Transaction Options (apply to '-S', '-R' and '-U') -------------------------------------------------- *-d, \--nodeps*:: diff --git a/src/pacman/conf.c b/src/pacman/conf.c index 13707d0..cf507d9 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -74,6 +74,7 @@ int config_free(config_t *oldconfig) free(oldconfig->dbpath); free(oldconfig->logfile); free(oldconfig->gpgdir); + free(oldconfig->verifylvl); FREELIST(oldconfig->cachedirs); free(oldconfig->xfercommand); free(oldconfig->print_format); @@ -481,6 +482,14 @@ static int setup_libalpm(void) alpm_option_set_cachedirs(handle, config->cachedirs); }
+ /* Override signature verification level from command line */ + if(config->verifylvl) { + pgp_verify_t verifylvl = option_verifysig(config->verifylvl); + if(verifylvl != PM_PGP_VERIFY_UNKNOWN) { + config->sigverify = verifylvl; + } + } + if(config->sigverify != PM_PGP_VERIFY_UNKNOWN) { alpm_option_set_default_sigverify(handle, config->sigverify); } diff --git a/src/pacman/conf.h b/src/pacman/conf.h index 4c44bfd..7d98729 100644 --- a/src/pacman/conf.h +++ b/src/pacman/conf.h @@ -45,6 +45,7 @@ typedef struct __config_t { char *dbpath; char *logfile; char *gpgdir; + char *verifylvl; alpm_list_t *cachedirs;
unsigned short op_q_isfile; @@ -123,7 +124,8 @@ enum { OP_ASEXPLICIT, OP_ARCH, OP_PRINTFORMAT, - OP_GPGDIR + OP_GPGDIR, + OP_VERIFYLVL };
/* clean method */ diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c index afc79f6..0c200db 100644 --- a/src/pacman/pacman.c +++ b/src/pacman/pacman.c @@ -205,6 +205,8 @@ static void usage(int op, const char * const myname) addlist(_(" --gpgdir <path> set an alternate home directory for GnuPG\n")); addlist(_(" --logfile <path> set an alternate log file\n")); addlist(_(" --noconfirm do not ask for any confirmation\n")); + addlist(_(" --verifylvl <lvl>\n" + " set an alternate signature verification level\n")); } list = alpm_list_msort(list, alpm_list_count(list), options_cmp); for (i = list; i; i = alpm_list_next(i)) { @@ -431,6 +433,9 @@ static int parsearg_global(int opt) config->logfile = strndup(optarg, PATH_MAX); break; case OP_NOCONFIRM: config->noconfirm = 1; break; + case OP_VERIFYLVL: + config->verifylvl = strdup(optarg); + break; case 'b': check_optarg(); config->dbpath = strdup(optarg); @@ -628,6 +633,7 @@ static int parseargs(int argc, char *argv[]) {"arch", required_argument, 0, OP_ARCH}, {"print-format", required_argument, 0, OP_PRINTFORMAT}, {"gpgdir", required_argument, 0, OP_GPGDIR}, + {"verifylvl", required_argument, 0, OP_VERIFYLVL}, {0, 0, 0, 0} };
-- 1.7.6.rc0
On Sat, Jun 11, 2011 at 11:15 PM, Pang Yan Han <pangyanhan@gmail.com> wrote:
The --verifylvl option allows the user to change pacman's signature verification level. It can take in one of "always", "optional", "never", or their capitalized counterparts.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> ---
Now that we have SigLevel fully implemented, do we want/need something like this for a command line override? Perhaps most useful on a -U <file> or -U <url> operation [1]. -Dan [1] Alternatively, do we want/need more granularity on SigLevel? Just as we have an override on a per-database level, it might be wise to have a 'UpgradeSigLevel' top-level option that would default to the global SigLevel setting but could be tweaked to take effect only for -U operations.
On Wed, Aug 31, 2011 at 12:58 AM, Dan McGee <dpmcgee@gmail.com> wrote:
On Sat, Jun 11, 2011 at 11:15 PM, Pang Yan Han <pangyanhan@gmail.com> wrote:
The --verifylvl option allows the user to change pacman's signature verification level. It can take in one of "always", "optional", "never", or their capitalized counterparts.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> ---
Now that we have SigLevel fully implemented, do we want/need something like this for a command line override? Perhaps most useful on a -U <file> or -U <url> operation [1].
Hi, yes definitely! But I see that the sig levels are split into package and database levels now.
-Dan
[1] Alternatively, do we want/need more granularity on SigLevel? Just as we have an override on a per-database level, it might be wise to have a 'UpgradeSigLevel' top-level option that would default to the global SigLevel setting but could be tweaked to take effect only for -U operations.
Personally, I think that the current sig levels are quite fine grained. Just curious, why only for -U? Thanks.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com> --- etc/pacman.conf.in | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/etc/pacman.conf.in b/etc/pacman.conf.in index 1d49fd7..86d61ca 100644 --- a/etc/pacman.conf.in +++ b/etc/pacman.conf.in @@ -14,6 +14,7 @@ #CacheDir = @localstatedir@/cache/pacman/pkg/ #LogFile = @localstatedir@/log/pacman.log #GPGDir = @sysconfdir@/pacman.d/gnupg/ +#VerifySig = Optional HoldPkg = pacman glibc # If upgrades are available for these packages they will be asked for first SyncFirst = pacman -- 1.7.6.rc0
participants (3)
-
Dan McGee
-
Kerrick Staley
-
Pang Yan Han