[pacman-dev] [PATCH 1/6] signing: let GPGME handle loading signatures from files
Rather than go through all the hassle of doing this ourselves, just let GPGME handle the work by passing it a file handle. Signed-off-by: Dan McGee <dan@archlinux.org> --- I applied patches from two years ago that introduced this madness, so it is no wonder I am going back and refactoring and simplifying the old stuff. I see little disadvantage to not manually reading the signature files if we can have the library handle that itself. lib/libalpm/be_package.c | 6 --- lib/libalpm/db.c | 23 ----------- lib/libalpm/db.h | 3 - lib/libalpm/signing.c | 94 +++++++++++++++++----------------------------- lib/libalpm/signing.h | 1 - 5 files changed, 35 insertions(+), 92 deletions(-) diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index 8a6ed6c..6e65c7d 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -243,18 +243,12 @@ static pmpkg_t *pkg_load(const char *pkgfile, int full) /* attempt to stat the package file, ensure it exists */ if(stat(pkgfile, &st) == 0) { - int sig_ret; - newpkg = _alpm_pkg_new(); if(newpkg == NULL) { RET_ERR(PM_ERR_MEMORY, NULL); } newpkg->filename = strdup(pkgfile); newpkg->size = st.st_size; - - /* TODO: do something with ret value */ - sig_ret = _alpm_load_signature(pkgfile, &(newpkg->pgpsig)); - (void)sig_ret; } else { /* couldn't stat the pkgfile, return an error */ RET_ERR(PM_ERR_PKG_OPEN, NULL); diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c index f5e7a25..3d593b3 100644 --- a/lib/libalpm/db.c +++ b/lib/libalpm/db.c 
@@ -314,27 +314,6 @@ pmdb_t *_alpm_db_new(const char *treename, int is_local) return db; } -const pmpgpsig_t *_alpm_db_pgpsig(pmdb_t *db) -{ - ALPM_LOG_FUNC; - - /* Sanity checks */ - ASSERT(db != NULL, return(NULL)); - - if(db->pgpsig.data == NULL) { - const char *dbfile; - int ret; - - dbfile = _alpm_db_path(db); - - /* TODO: do something with ret value */ - ret = _alpm_load_signature(dbfile, &(db->pgpsig)); - (void)ret; - } - - return &(db->pgpsig); -} - void _alpm_db_free(pmdb_t *db) { ALPM_LOG_FUNC; @@ -343,8 +322,6 @@ void _alpm_db_free(pmdb_t *db) _alpm_db_free_pkgcache(db); /* cleanup server list */ FREELIST(db->servers); - /* only need to free data */ - FREE(db->pgpsig.data); FREE(db->_path); FREE(db->treename); FREE(db); diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h index 204a0be..399e2d5 100644 --- a/lib/libalpm/db.h +++ b/lib/libalpm/db.h @@ -63,8 +63,6 @@ struct __pmdb_t { pmpkghash_t *pkgcache; alpm_list_t *grpcache; alpm_list_t *servers; - /* do not access directly, use _alpm_db_pgpsig(db) for lazy access */ - pmpgpsig_t pgpsig; pgp_verify_t pgp_verify; struct db_operations *ops; @@ -81,7 +79,6 @@ alpm_list_t *_alpm_db_search(pmdb_t *db, const alpm_list_t *needles); pmdb_t *_alpm_db_register_local(void); pmdb_t *_alpm_db_register_sync(const char *treename); void _alpm_db_unregister(pmdb_t *db); -const pmpgpsig_t *_alpm_db_pgpsig(pmdb_t *db); /* be_*.c, backend specific calls */ int _alpm_local_db_read(pmdb_t *db, pmpkg_t *info, pmdbinfrq_t inforeq); diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 9d4fd07..28b7ad9 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c 
@@ -92,9 +92,10 @@ error: } /** - * Check the PGP package signature for the given file. + * Check the PGP signature for the given file. * @param path the full path to a file - * @param sig PGP signature data in raw form (already decoded) + * @param sig PGP signature data in raw form (already decoded); if NULL, expect + * a signature file next to 'path' * @return a int value : 0 (valid), 1 (invalid), -1 (an error occured) */ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) @@ -105,16 +106,28 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) gpgme_data_t filedata, sigdata; gpgme_verify_result_t result; gpgme_signature_t gpgsig; + char *sigpath = NULL; FILE *file = NULL, *sigfile = NULL; ALPM_LOG_FUNC; - if(!sig || !sig->data) { - RET_ERR(PM_ERR_SIG_UNKNOWN, -1); - } if(!path || access(path, R_OK) != 0) { RET_ERR(PM_ERR_NOT_A_FILE, -1); } + + if(!sig) { + size_t len = strlen(path) + 5; + CALLOC(sigpath, len, sizeof(char), RET_ERR(PM_ERR_MEMORY, -1)); + snprintf(sigpath, len, "%s.sig", path); + + if(!access(sigpath, R_OK) == 0) { + FREE(sigpath); + RET_ERR(PM_ERR_SIG_UNKNOWN, -1); + } + } else if(!sig->data) { + RET_ERR(PM_ERR_SIG_UNKNOWN, -1); + } + if(gpgme_init()) { /* pm_errno was set in gpgme_init() */ return -1; @@ -140,7 +153,19 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) CHECK_ERR(); /* next create data object for the signature */ - err = gpgme_data_new_from_mem(&sigdata, (char *)sig->data, sig->len, 0); + if(sig) { + /* memory-based, we loaded it from a sync DB */ + err = gpgme_data_new_from_mem(&sigdata, (char *)sig->data, sig->len, 0); + } else { + /* file-based, it is on disk */ + sigfile = fopen(sigpath, "rb"); + if(sigfile == NULL) { + pm_errno = PM_ERR_NOT_A_FILE; + ret = -1; + goto error; + } + err = gpgme_data_new_from_stream(&sigdata, sigfile); + } CHECK_ERR(); /* here's where the magic happens */ 
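Review bot: In the `!sig` branch of `_alpm_gpgme_checksig`, `sigpath` is allocated before `if(gpgme_init()) { return -1; }`, so that early return leaks the buffer; `if(gpgme_init()) { FREE(sigpath); return -1; }` would close the gap. The test `if(!access(sigpath, R_OK) == 0)` parses as `(!access(...)) == 0` and only gives the intended result by accident; write `if(access(sigpath, R_OK) != 0)`. The `access()` call is only an advisory pre-check, since the later `fopen()` is what actually opens the file and its failure is already handled. The function body continues outside this hunk.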
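Review bot: The file-based branch hands the whole `.sig` stream to `gpgme_data_new_from_stream()` with no size limit, whereas the `_alpm_load_signature()` removed by this patch refused files larger than 4096 bytes; consider keeping a bound, for example an `fstat()` on the opened stream before creating the data object. When `fopen(sigpath, "rb")` fails, the code jumps to `error` with `sigdata` never assigned (it is declared without an initializer), so if the cleanup outside this hunk releases `sigdata` it acts on an indeterminate value. Declaring `gpgme_data_t filedata = NULL, sigdata = NULL;` would make that path well-defined, assuming the release calls tolerate NULL. The `error` label is only partly visible here.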
@@ -196,6 +221,7 @@ error: if(file) { fclose(file); } + FREE(sigpath); if(err != GPG_ERR_NO_ERROR) { _alpm_log(PM_LOG_ERROR, _("GPGME error: %s\n"), gpgme_strerror(err)); RET_ERR(PM_ERR_GPGME, -1); @@ -204,55 +230,6 @@ error: } /** - * Load the signature from the given path into the provided struct. - * @param sigfile the signature to attempt to load - * @param pgpsig the struct to place the data in - * - * @return 0 on success, 1 on file not found, -1 on error - */ -int _alpm_load_signature(const char *file, pmpgpsig_t *pgpsig) { - struct stat st; - char *sigfile; - int ret = -1; - - /* look around for a PGP signature file; load if available */ - MALLOC(sigfile, strlen(file) + 5, RET_ERR(PM_ERR_MEMORY, -1)); - sprintf(sigfile, "%s.sig", file); - - if(access(sigfile, R_OK) == 0 && stat(sigfile, &st) == 0) { - FILE *f; - size_t bytes_read; - - if(st.st_size > 4096 || (f = fopen(sigfile, "rb")) == NULL) { - free(sigfile); - return ret; - } - CALLOC(pgpsig->data, st.st_size, sizeof(unsigned char), - RET_ERR(PM_ERR_MEMORY, -1)); - bytes_read = fread(pgpsig->data, sizeof(char), st.st_size, f); - if(bytes_read == (size_t)st.st_size) { - pgpsig->len = bytes_read; - _alpm_log(PM_LOG_DEBUG, "loaded gpg signature file, location %s\n", - sigfile); - ret = 0; - } else { - _alpm_log(PM_LOG_WARNING, _("Failed reading PGP signature file %s"), - sigfile); - FREE(pgpsig->data); - } - - fclose(f); - } else { - _alpm_log(PM_LOG_DEBUG, "signature file %s not found\n", sigfile); - /* not fatal...we return a different error code here */ - ret = 1; - } - - free(sigfile); - return ret; -} - -/** * Determines the necessity of checking for a valid PGP signature * @param db the sync database to query * 
@@ -271,7 +248,7 @@ pgp_verify_t _alpm_db_get_sigverify_level(pmdb_t *db) } /** - * Check the PGP package signature for the given package file. + * Check the PGP signature for the given package file. * @param pkg the package to check * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred) */ @@ -285,7 +262,7 @@ int SYMEXPORT alpm_pkg_check_pgp_signature(pmpkg_t *pkg) } /** - * Check the PGP package signature for the given database. + * Check the PGP signature for the given database. * @param db the database to check * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred) */ @@ -294,8 +271,7 @@ int SYMEXPORT alpm_db_check_pgp_signature(pmdb_t *db) ALPM_LOG_FUNC; ASSERT(db != NULL, return 0); - return _alpm_gpgme_checksig(_alpm_db_path(db), - _alpm_db_pgpsig(db)); + return _alpm_gpgme_checksig(_alpm_db_path(db), NULL); } /* vim: set ts=2 sw=2 noet: */ diff --git a/lib/libalpm/signing.h b/lib/libalpm/signing.h index a378fa5..5976cf2 100644 --- a/lib/libalpm/signing.h +++ b/lib/libalpm/signing.h @@ -32,7 +32,6 @@ struct __pmpgpsig_t { }; int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig); -int _alpm_load_signature(const char *sigfile, pmpgpsig_t *pgpsig); pgp_verify_t _alpm_db_get_sigverify_level(pmdb_t *db); #endif /* _ALPM_SIGNING_H */ -- 1.7.4.4
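Review bot: `alpm_db_check_pgp_signature` keeps `ASSERT(db != NULL, return 0);`, and 0 is the value its own doc comment defines as "valid", so a NULL database is reported as having a good signature; `alpm_pkg_check_pgp_signature` has the same pattern for a NULL `pkg`. Since these hunks already touch both functions, returning the error value instead, e.g. `ASSERT(db != NULL, return -1);`, would make the failure mode fail-closed. The remaining change passes NULL so the check uses the `.sig` file next to the database path, which matches the updated `_alpm_gpgme_checksig` contract.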
Given that we offer no transparency into the pmpgpsig_t type, we don't really need to expose it outside of the library, and at this point, we don't need it at all. Don't decode anything except when checking signatures. For packages/files not from a sync database, we now just read the signature file directly anyway. Also push the decoding logic down further into the check method so we don't need this hanging out in a less than ideal place. This will make it easier to conditionally compile things down the road. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/alpm.h | 3 -- lib/libalpm/be_sync.c | 2 +- lib/libalpm/package.c | 41 +------------------------------- lib/libalpm/package.h | 3 +- lib/libalpm/signing.c | 63 +++++++++++++++++++++++++++++++++++++++++------- lib/libalpm/signing.h | 12 +-------- lib/libalpm/sync.c | 3 +- 7 files changed, 58 insertions(+), 69 deletions(-) diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 6818cb2..8d58b7c 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -76,7 +76,6 @@ typedef enum _pgp_verify_t { typedef struct __pmdb_t pmdb_t; typedef struct __pmpkg_t pmpkg_t; -typedef struct __pmpgpsig_t pmpgpsig_t; typedef struct __pmdelta_t pmdelta_t; typedef struct __pmgrp_t pmgrp_t; typedef struct __pmtrans_t pmtrans_t; @@ -476,8 +475,6 @@ const char *alpm_pkg_get_packager(pmpkg_t *pkg); */ const char *alpm_pkg_get_md5sum(pmpkg_t *pkg); -const pmpgpsig_t *alpm_pkg_get_pgpsig(pmpkg_t *pkg); - /** Returns the architecture for which the package was built. * @param pkg a pointer to package * @return a reference to an internal string diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c index 3dfea14..591747d 100644 --- a/lib/libalpm/be_sync.c +++ b/lib/libalpm/be_sync.c 
@@ -456,7 +456,7 @@ static int sync_db_read(pmdb_t *db, struct archive *archive, /* we don't do anything with this value right now */ READ_NEXT(line); } else if(strcmp(line, "%PGPSIG%") == 0) { - READ_AND_STORE(pkg->pgpsig.base64_data); + READ_AND_STORE(pkg->base64_sig); } else if(strcmp(line, "%REPLACES%") == 0) { READ_AND_STORE_ALL(pkg->replaces); } else if(strcmp(line, "%DEPENDS%") == 0) { diff --git a/lib/libalpm/package.c b/lib/libalpm/package.c index 8c927c1..393dae0 100644 --- a/lib/libalpm/package.c +++ b/lib/libalpm/package.c @@ -36,7 +36,6 @@ #include "delta.h" #include "handle.h" #include "deps.h" -#include "base64.h" /** \addtogroup alpm_packages Package Functions * @brief Functions to manipulate libalpm packages @@ -197,43 +196,6 @@ const char SYMEXPORT *alpm_pkg_get_md5sum(pmpkg_t *pkg) return pkg->ops->get_md5sum(pkg); } -static int decode_pgpsig(pmpkg_t *pkg) { - const int len = strlen(pkg->pgpsig.base64_data); - const unsigned char *usline = (const unsigned char *)pkg->pgpsig.base64_data; - int ret, destlen = 0; - /* get the necessary size for the buffer by passing 0 */ - ret = base64_decode(NULL, &destlen, usline, len); - /* alloc our memory and repeat the call to decode */ - MALLOC(pkg->pgpsig.data, (size_t)destlen, goto error); - ret = base64_decode(pkg->pgpsig.data, &destlen, usline, len); - pkg->pgpsig.len = destlen; - if(ret != 0) { - goto error; - } - - /* we no longer have a need for this */ - FREE(pkg->pgpsig.base64_data); - return 0; - -error: - FREE(pkg->pgpsig.data); - pkg->pgpsig.len = 0; - return 1; -} - -const pmpgpsig_t SYMEXPORT *alpm_pkg_get_pgpsig(pmpkg_t *pkg) -{ - ALPM_LOG_FUNC; - - /* Sanity checks */ - ASSERT(pkg != NULL, RET_ERR(PM_ERR_WRONG_ARGS, NULL)); - - if(pkg->pgpsig.data == NULL && pkg->pgpsig.base64_data != NULL) { - decode_pgpsig(pkg); - } - return &(pkg->pgpsig); -} - const char SYMEXPORT *alpm_pkg_get_arch(pmpkg_t *pkg) { return pkg->ops->get_arch(pkg); 
@@ -468,8 +430,7 @@ void _alpm_pkg_free(pmpkg_t *pkg) FREE(pkg->url); FREE(pkg->packager); FREE(pkg->md5sum); - FREE(pkg->pgpsig.base64_data); - FREE(pkg->pgpsig.data); + FREE(pkg->base64_sig); FREE(pkg->arch); FREELIST(pkg->licenses); FREELIST(pkg->replaces); diff --git a/lib/libalpm/package.h b/lib/libalpm/package.h index c84e222..390dcd9 100644 --- a/lib/libalpm/package.h +++ b/lib/libalpm/package.h @@ -97,10 +97,9 @@ struct __pmpkg_t { char *url; char *packager; char *md5sum; + char *base64_sig; char *arch; - pmpgpsig_t pgpsig; - time_t builddate; time_t installdate; diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 28b7ad9..d69fd52 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -28,6 +28,7 @@ /* libalpm */ #include "signing.h" #include "package.h" +#include "base64.h" #include "util.h" #include "log.h" #include "alpm.h" 
@@ -92,13 +93,48 @@ error: } /** + * Decode a loaded signature in base64 form. + * @param base64_data the signature to attempt to decode + * @param data the decoded data; must be freed by the caller + * @param data_len the length of the returned data + * @return 0 on success, 1 on failure to properly decode + */ +static int decode_signature(const char *base64_data, + unsigned char **data, int *data_len) { + unsigned char *usline; + int len; + + len = strlen(base64_data); + usline = (unsigned char *)base64_data; + int ret, destlen = 0; + /* get the necessary size for the buffer by passing 0 */ + ret = base64_decode(NULL, &destlen, usline, len); + if(ret != 0 || ret != POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL) { + goto error; + } + /* alloc our memory and repeat the call to decode */ + MALLOC(data, (size_t)destlen, goto error); + ret = base64_decode(*data, &destlen, usline, len); + if(ret != 0) { + goto error; + } + *data_len = destlen; + return 0; + +error: + *data = NULL; + *data_len = 0; + return 1; +} + +/** * Check the PGP signature for the given file. * @param path the full path to a file - * @param sig PGP signature data in raw form (already decoded); if NULL, expect - * a signature file next to 'path' + * @param base64_sig PGP signature data in base64 encoding; if NULL, expect a + * signature file next to 'path' * @return a int value : 0 (valid), 1 (invalid), -1 (an error occured) */ -int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) +int _alpm_gpgme_checksig(const char *path, const char *base64_sig) { int ret = 0; gpgme_error_t err; @@ -107,6 +143,7 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) gpgme_verify_result_t result; gpgme_signature_t gpgsig; char *sigpath = NULL; + unsigned char *decoded_sigdata = NULL; FILE *file = NULL, *sigfile = NULL; ALPM_LOG_FUNC; 
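Review bot: The size-probe check `if(ret != 0 || ret != POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL)` in `decode_signature` is true for any `ret`, since `ret` cannot equal both 0 and the error constant, so the function always takes `goto error` and no sync-database signature is ever decoded; it should read `if(ret != 0 && ret != POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL)`. Because the callers in this series accept a -1 result under `PM_PGP_VERIFY_OPTIONAL`, this failure lets packages through unverified rather than rejecting them. `MALLOC(data, (size_t)destlen, goto error);` also appears to assign to the local `data` parameter rather than `*data` (assuming MALLOC assigns to its first argument), so the second `base64_decode(*data, ...)` would write through the caller's unset pointer; `MALLOC(*data, (size_t)destlen, goto error);` is the likely intent. The error path then sets `*data = NULL` without freeing a buffer whose second decode failed.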
@@ -115,7 +152,7 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) RET_ERR(PM_ERR_NOT_A_FILE, -1); } - if(!sig) { + if(!base64_sig) { size_t len = strlen(path) + 5; CALLOC(sigpath, len, sizeof(char), RET_ERR(PM_ERR_MEMORY, -1)); snprintf(sigpath, len, "%s.sig", path); @@ -124,8 +161,6 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) FREE(sigpath); RET_ERR(PM_ERR_SIG_UNKNOWN, -1); } - } else if(!sig->data) { - RET_ERR(PM_ERR_SIG_UNKNOWN, -1); } if(gpgme_init()) { @@ -153,9 +188,17 @@ int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig) CHECK_ERR(); /* next create data object for the signature */ - if(sig) { + if(base64_sig) { /* memory-based, we loaded it from a sync DB */ - err = gpgme_data_new_from_mem(&sigdata, (char *)sig->data, sig->len, 0); + int data_len; + int decode_ret = decode_signature(base64_sig, + &decoded_sigdata, &data_len); + if(decode_ret) { + ret = -1; + goto error; + } + err = gpgme_data_new_from_mem(&sigdata, + (char *)decoded_sigdata, data_len, 0); } else { /* file-based, it is on disk */ sigfile = fopen(sigpath, "rb"); @@ -222,6 +265,7 @@ error: fclose(file); } FREE(sigpath); + FREE(decoded_sigdata); if(err != GPG_ERR_NO_ERROR) { _alpm_log(PM_LOG_ERROR, _("GPGME error: %s\n"), gpgme_strerror(err)); RET_ERR(PM_ERR_GPGME, -1); @@ -257,8 +301,7 @@ int SYMEXPORT alpm_pkg_check_pgp_signature(pmpkg_t *pkg) ALPM_LOG_FUNC; ASSERT(pkg != NULL, return 0); - return _alpm_gpgme_checksig(alpm_pkg_get_filename(pkg), - alpm_pkg_get_pgpsig(pkg)); + return _alpm_gpgme_checksig(alpm_pkg_get_filename(pkg), pkg->base64_sig); } /** diff --git a/lib/libalpm/signing.h b/lib/libalpm/signing.h index 5976cf2..8d8c164 100644 --- a/lib/libalpm/signing.h +++ b/lib/libalpm/signing.h 
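Review bot: When `decode_signature()` fails, the new branch sets `ret = -1` and jumps to `error` without setting `pm_errno`, unlike the `fopen` branch just below it, which sets `PM_ERR_NOT_A_FILE`; the caller then sees -1 with whatever error code was left over from earlier. Setting one before the jump, e.g. `pm_errno = PM_ERR_SIG_INVALID;`, would let a malformed base64 signature be told apart from a missing one. The function body continues outside this hunk, so the exact cleanup order at `error` is not fully visible.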
@@ -21,17 +21,7 @@ #include "alpm.h" -struct __pmpgpsig_t { - /* we will either store the encoded data or the raw data- - * this way we can decode on an as-needed basis since most - * operations won't require the overhead of base64 decodes - * on all packages in a sync repository. */ - char *base64_data; - unsigned char *data; - size_t len; -}; - -int _alpm_gpgme_checksig(const char *path, const pmpgpsig_t *sig); +int _alpm_gpgme_checksig(const char *path, const char *base64_sig); pgp_verify_t _alpm_db_get_sigverify_level(pmdb_t *db); #endif /* _ALPM_SIGNING_H */ diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 4ce62e6..0ff0c79 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -856,7 +856,6 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) const char *filename = alpm_pkg_get_filename(spkg); char *filepath = _alpm_filecache_find(filename); const char *md5sum = alpm_pkg_get_md5sum(spkg); - const pmpgpsig_t *pgpsig = alpm_pkg_get_pgpsig(spkg); pgp_verify_t check_sig; /* check md5sum first */ @@ -872,7 +871,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) check_sig = _alpm_db_get_sigverify_level(sdb); if(check_sig != PM_PGP_VERIFY_NEVER) { - int ret = _alpm_gpgme_checksig(filepath, pgpsig); + int ret = _alpm_gpgme_checksig(filepath, spkg->base64_sig); if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { errors++; -- 1.7.4.4
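Review bot: At the `_alpm_gpgme_checksig(filepath, spkg->base64_sig)` call in `_alpm_sync_commit`, a NULL `base64_sig` is not treated as "no signature recorded". The callee interprets NULL as "verify against `<path>.sig` on disk", so a sync package whose database entry carried no `%PGPSIG%` line is presumably checked against whatever detached signature file sits beside it in the cache. That overloading is easy to miss at the call site; a comment such as `/* NULL base64_sig makes checksig fall back to <filepath>.sig */` would record it. If the fallback is not wanted for sync packages, an explicit NULL check before the call is the place to decide that.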
This part is almost completely self-contained, except building the list of delta filenames that we use later to check their md5sums. Refactor it into a static method so we can bring most of the code in sync_commit closer to the method name. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/sync.c | 69 ++++++++++++++++++++++++++++------------------------ 1 files changed, 37 insertions(+), 32 deletions(-) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 0ff0c79..b9209bb 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -687,18 +687,12 @@ static int test_md5sum(pmtrans_t *trans, const char *filepath, return ret; } -int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) +static int download_files(pmtrans_t *trans, alpm_list_t **deltas) { - alpm_list_t *i, *j, *k; - alpm_list_t *files = NULL, *deltas = NULL; - size_t numtargs, current = 0, replaces = 0; + const char *cachedir; + alpm_list_t *i, *j; + alpm_list_t *files = NULL; int errors = 0; - const char *cachedir = NULL; - int ret = -1; - - ALPM_LOG_FUNC; - - ASSERT(trans != NULL, RET_ERR(PM_ERR_TRANS_NULL, -1)); cachedir = _alpm_filecache_setup(); trans->state = STATE_DOWNLOADING; 
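Review bot: `download_files` is introduced without a header comment, and the contract of its out-parameter is not obvious from the signature. A later hunk shows `*deltas` being appended with `pmdelta_t` pointers taken from each package's `delta_path`, and the caller releases only the list nodes with `alpm_list_free(deltas)`. A comment such as `/* fills *deltas with borrowed pmdelta_t pointers; caller frees the list, not the items */` above the function would state that. The `ASSERT(trans != NULL, ...)` removed from the top of this body reappears only in `_alpm_sync_commit`, so `download_files` relies on its single caller for the NULL check.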
@@ -731,26 +725,18 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) alpm_list_t *delta_path = spkg->delta_path; if(delta_path) { /* using deltas */ - alpm_list_t *dlts = NULL; - + alpm_list_t *dlts; for(dlts = delta_path; dlts; dlts = dlts->next) { - pmdelta_t *d = dlts->data; - - if(d->download_size != 0) { - /* add the delta filename to the download list if needed */ - files = alpm_list_add(files, strdup(d->delta)); + pmdelta_t *delta = dlts->data; + if(delta->download_size != 0) { + files = alpm_list_add(files, strdup(delta->delta)); } - /* keep a list of all the delta files for md5sums */ - deltas = alpm_list_add(deltas, d); + *deltas = alpm_list_add(*deltas, delta); } - } else { - /* not using deltas */ - if(spkg->download_size != 0) { - /* add the filename to the download list if needed */ - files = alpm_list_add(files, strdup(fname)); - } + } else if(spkg->download_size != 0) { + files = alpm_list_add(files, strdup(fname)); } } @@ -760,15 +746,17 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) EVENT(trans, PM_TRANS_EVT_RETRIEVE_START, current->treename, NULL); for(j = files; j; j = j->next) { const char *filename = j->data; - for(k = current->servers; k; k = k->next) { - const char *server = k->data; + alpm_list_t *server; + for(server = current->servers; server; server = server->next) { + const char *server_url = server->data; char *fileurl; size_t len; + int ret; /* print server + filename into a buffer */ - len = strlen(server) + strlen(filename) + 2; + len = strlen(server_url) + strlen(filename) + 2; CALLOC(fileurl, len, sizeof(char), RET_ERR(PM_ERR_MEMORY, -1)); - snprintf(fileurl, len, "%s/%s", server, filename); + snprintf(fileurl, len, "%s/%s", server_url, filename); ret = _alpm_download(fileurl, cachedir, 0, 1, 0); FREE(fileurl); 
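Review bot: The allocation-failure action in `CALLOC(fileurl, len, sizeof(char), RET_ERR(PM_ERR_MEMORY, -1));` now returns straight out of `download_files`, skipping the `FREELIST(files)` that the next hunk places after the server loop, so the strdup'd filenames leak on that path. It is an unchanged context line, but it now sits inside the new helper; freeing `files` before returning, or setting an error flag and breaking out to the common cleanup, would close the gap. The loop body continues outside this hunk.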
@@ -779,15 +767,15 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) } } + FREELIST(files); if(errors) { _alpm_log(PM_LOG_WARNING, _("failed to retrieve some files from %s\n"), current->treename); if(pm_errno == 0) { pm_errno = PM_ERR_RETRIEVE; } - goto error; + return -1; } - FREELIST(files); } } @@ -801,6 +789,24 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) if(handle->totaldlcb) { handle->totaldlcb(0); } + return 0; +} + +int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) +{ + alpm_list_t *i; + alpm_list_t *deltas = NULL; + size_t numtargs, current = 0, replaces = 0; + int errors = 0; + int ret = -1; + + ALPM_LOG_FUNC; + + ASSERT(trans != NULL, RET_ERR(PM_ERR_TRANS_NULL, -1)); + + if(download_files(trans, &deltas)) { + goto error; + } /* if we have deltas to work with */ if(handle->usedelta && deltas) { @@ -969,7 +975,6 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) ret = 0; error: - FREELIST(files); alpm_list_free(deltas); return ret; } -- 1.7.4.4
More stuff going on in the pre-committing stage that can be in a static method to make things a bit more clear. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/sync.c | 103 +++++++++++++++++++++++++++------------------------- 1 files changed, 53 insertions(+), 50 deletions(-) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index b9209bb..a702bac 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -651,6 +651,7 @@ static int apply_deltas(pmtrans_t *trans) if(retval != 0) { /* one delta failed for this package, cancel the remaining ones */ EVENT(trans, PM_TRANS_EVT_DELTA_PATCH_FAILED, NULL, NULL); + pm_errno = PM_ERR_DLT_PATCHFAILED; ret = 1; break; } @@ -687,6 +688,44 @@ static int test_md5sum(pmtrans_t *trans, const char *filepath, return ret; } +static int validate_deltas(pmtrans_t *trans, alpm_list_t *deltas, + alpm_list_t **data) +{ + int errors = 0, ret = 0; + alpm_list_t *i; + + if(!deltas) { + return 0; + } + + /* Check integrity of deltas */ + EVENT(trans, PM_TRANS_EVT_DELTA_INTEGRITY_START, NULL, NULL); + + for(i = deltas; i; i = i->next) { + pmdelta_t *d = alpm_list_getdata(i); + const char *filename = alpm_delta_get_filename(d); + char *filepath = _alpm_filecache_find(filename); + const char *md5sum = alpm_delta_get_md5sum(d); + + if(test_md5sum(trans, filepath, md5sum) != 0) { + errors++; + *data = alpm_list_add(*data, strdup(filename)); + } + FREE(filepath); + } + if(errors) { + pm_errno = PM_ERR_DLT_INVALID; + return -1; + } + EVENT(trans, PM_TRANS_EVT_DELTA_INTEGRITY_DONE, NULL, NULL); + + /* Use the deltas to generate the packages */ + EVENT(trans, PM_TRANS_EVT_DELTA_PATCHES_START, NULL, NULL); + ret = apply_deltas(trans); + EVENT(trans, PM_TRANS_EVT_DELTA_PATCHES_DONE, NULL, NULL); + return ret; +} + static int download_files(pmtrans_t *trans, alpm_list_t **deltas) { const char *cachedir; 
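Review bot: `validate_deltas` dereferences `data` unconditionally in `*data = alpm_list_add(*data, strdup(filename));`, while `_alpm_sync_commit` later in this same patch guards the same parameter with `if(data)` before writing to it, which suggests callers may pass NULL; guard it here as well, e.g. `if(data) { *data = alpm_list_add(*data, strdup(filename)); }`. The result of `_alpm_filecache_find(filename)` goes to `test_md5sum()` without a NULL check, which matters if the lookup can fail. The old inline code ran only when `handle->usedelta` was set, and the new `if(!deltas)` test drops that condition; it is probably equivalent, but a one-line comment saying so would help.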
@@ -797,52 +836,22 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) alpm_list_t *i; alpm_list_t *deltas = NULL; size_t numtargs, current = 0, replaces = 0; - int errors = 0; - int ret = -1; + int errors; ALPM_LOG_FUNC; ASSERT(trans != NULL, RET_ERR(PM_ERR_TRANS_NULL, -1)); if(download_files(trans, &deltas)) { - goto error; + alpm_list_free(deltas); + return -1; } - /* if we have deltas to work with */ - if(handle->usedelta && deltas) { - int ret = 0; - errors = 0; - /* Check integrity of deltas */ - EVENT(trans, PM_TRANS_EVT_DELTA_INTEGRITY_START, NULL, NULL); - - for(i = deltas; i; i = i->next) { - pmdelta_t *d = alpm_list_getdata(i); - const char *filename = alpm_delta_get_filename(d); - char *filepath = _alpm_filecache_find(filename); - const char *md5sum = alpm_delta_get_md5sum(d); - - if(test_md5sum(trans, filepath, md5sum) != 0) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - } - FREE(filepath); - } - if(errors) { - pm_errno = PM_ERR_DLT_INVALID; - goto error; - } - EVENT(trans, PM_TRANS_EVT_DELTA_INTEGRITY_DONE, NULL, NULL); - - /* Use the deltas to generate the packages */ - EVENT(trans, PM_TRANS_EVT_DELTA_PATCHES_START, NULL, NULL); - ret = apply_deltas(trans); - EVENT(trans, PM_TRANS_EVT_DELTA_PATCHES_DONE, NULL, NULL); - - if(ret) { - pm_errno = PM_ERR_DLT_PATCHFAILED; - goto error; - } + if(validate_deltas(trans, deltas, data)) { + alpm_list_free(deltas); + return -1; } + alpm_list_free(deltas); /* Check integrity of packages */ numtargs = alpm_list_count(trans->add); @@ -909,13 +918,11 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) if(errors) { - pm_errno = PM_ERR_PKG_INVALID; - goto error; + RET_ERR(PM_ERR_PKG_INVALID, -1); } if(trans->flags & PM_TRANS_FLAG_DOWNLOADONLY) { - ret = 0; - goto error; + return 0; } trans->state = STATE_COMMITING; 
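Review bot: `int errors;` in `_alpm_sync_commit` loses the `= 0` it had before, and the only reset visible in this hunk, `errors = 0;`, was inside the delta block that moved to `validate_deltas`. The package-integrity loop that follows increments `errors` and then tests `if(errors)`, so unless an assignment sits in the lines between the hunks the counter is read uninitialized; keeping `int errors = 0;` costs nothing. The three separate `alpm_list_free(deltas)` calls could also become a single call placed after both helpers have run.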
@@ -930,14 +937,13 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) alpm_list_t *conflict = _alpm_db_find_fileconflicts(db_local, trans, trans->add, trans->remove); if(conflict) { - pm_errno = PM_ERR_FILE_CONFLICTS; if(data) { *data = conflict; } else { alpm_list_free_inner(conflict, (alpm_list_fn_free)_alpm_fileconflict_free); alpm_list_free(conflict); } - goto error; + RET_ERR(PM_ERR_FILE_CONFLICTS, -1); } EVENT(trans, PM_TRANS_EVT_FILECONFLICTS_DONE, NULL, NULL); @@ -950,7 +956,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) _alpm_log(PM_LOG_DEBUG, "checking available disk space\n"); if(_alpm_check_diskspace(trans, handle->db_local) == -1) { _alpm_log(PM_LOG_ERROR, "%s\n", _("not enough free disk space")); - goto error; + return -1; } EVENT(trans, PM_TRANS_EVT_DISKSPACE_DONE, NULL, NULL); @@ -962,7 +968,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) /* we want the frontend to be aware of commit details */ if(_alpm_remove_packages(trans, handle->db_local) == -1) { _alpm_log(PM_LOG_ERROR, _("could not commit removal transaction\n")); - goto error; + return -1; } } @@ -970,13 +976,10 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) _alpm_log(PM_LOG_DEBUG, "installing packages\n"); if(_alpm_upgrade_packages(trans, handle->db_local) == -1) { _alpm_log(PM_LOG_ERROR, _("could not commit transaction\n")); - goto error; + return -1; } - ret = 0; -error: - alpm_list_free(deltas); - return ret; + return 0; } /* vim: set ts=2 sw=2 noet: */ -- 1.7.4.4
Both md5sum verification and PGP verification can and should be done at package load time. This allows verification to happen as early as possible for packages provided by filename and loaded in the frontend, and moves more stuff out of sync_commit that doesn't really belong there. This should also set the stage for simplified parallel loading of packages later down the road. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/alpm.h | 7 +++++-- lib/libalpm/be_package.c | 34 +++++++++++++++++++++++++++------- lib/libalpm/package.h | 4 ++++ lib/libalpm/sync.c | 40 +++++++++++----------------------------- src/pacman/query.c | 2 +- src/pacman/sync.c | 3 ++- src/pacman/upgrade.c | 3 ++- src/util/testpkg.c | 3 ++- 8 files changed, 54 insertions(+), 42 deletions(-) diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index 8d58b7c..c4f6cc0 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -382,11 +382,14 @@ int alpm_db_set_pkgreason(pmdb_t *db, const char *name, pmpkgreason_t reason); * The allocated structure should be freed using alpm_pkg_free(). * @param filename location of the package tarball * @param full whether to stop the load after metadata is read or continue - * through the full archive + * through the full archive + * @param check_sig what level of package signature checking to perform on the + * package; note that this must be a '.sig' file type verification * @param pkg address of the package pointer * @return 0 on success, -1 on error (pm_errno is set accordingly) */ -int alpm_pkg_load(const char *filename, int full, pmpkg_t **pkg); +int alpm_pkg_load(const char *filename, int full, pgp_verify_t check_sig, + pmpkg_t **pkg); /** Free a package. * @param pkg package pointer to free diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index 6e65c7d..2044575 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c 
@@ -226,9 +226,10 @@ static int parse_descfile(struct archive *a, pmpkg_t *newpkg) * through the full archive * @return An information filled pmpkg_t struct */ -static pmpkg_t *pkg_load(const char *pkgfile, int full) +pmpkg_t *_alpm_pkg_load_internal(const char *pkgfile, int full, + const char *md5sum, const char *base64_sig, pgp_verify_t check_sig) { - int ret = ARCHIVE_OK; + int ret; int config = 0; struct archive *archive; struct archive_entry *entry; @@ -254,6 +255,27 @@ static pmpkg_t *pkg_load(const char *pkgfile, int full) RET_ERR(PM_ERR_PKG_OPEN, NULL); } + /* first steps- validate the package file */ + _alpm_log(PM_LOG_DEBUG, "md5sum: %s\n", md5sum); + if(md5sum) { + _alpm_log(PM_LOG_DEBUG, "checking md5sum for %s\n", pkgfile); + if(_alpm_test_md5sum(pkgfile, md5sum) != 0) { + alpm_pkg_free(newpkg); + RET_ERR(PM_ERR_PKG_INVALID, NULL); + } + } + + _alpm_log(PM_LOG_DEBUG, "base64_sig: %s\n", base64_sig); + if(check_sig != PM_PGP_VERIFY_NEVER) { + _alpm_log(PM_LOG_DEBUG, "checking signature for %s\n", pkgfile); + ret = _alpm_gpgme_checksig(pkgfile, base64_sig); + if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || + (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { + RET_ERR(PM_ERR_SIG_INVALID, NULL); + } + } + + /* next- try to create an archive object to read in the package */ if((archive = archive_read_new()) == NULL) { alpm_pkg_free(newpkg); RET_ERR(PM_ERR_LIBARCHIVE, NULL); @@ -332,7 +354,6 @@ static pmpkg_t *pkg_load(const char *pkgfile, int full) /* internal fields for package struct */ newpkg->origin = PKG_FROM_FILE; - /* TODO eventually kill/move this? */ newpkg->origin_data.file = strdup(pkgfile); newpkg->ops = get_file_pkg_ops(); 
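Review bot: The signature-failure path `RET_ERR(PM_ERR_SIG_INVALID, NULL);` in `_alpm_pkg_load_internal` returns without `alpm_pkg_free(newpkg);`, unlike the md5sum failure a few lines above, so `newpkg` and its `filename` copy leak each time a signature is rejected. The debug lines `_alpm_log(PM_LOG_DEBUG, "md5sum: %s\n", md5sum);` and the matching `base64_sig` one pass NULL to `%s` whenever the caller supplies none, as `alpm_pkg_load` does with `NULL, NULL`. That is undefined for printf-style formatting, so log them only inside the non-NULL branch. Under `PM_PGP_VERIFY_OPTIONAL` a -1 result (missing signature or any GPGME error) is accepted and only an explicit 1 rejects the package; a comment stating that policy next to the condition would help.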
@@ -359,16 +380,15 @@ error: return NULL; } -int SYMEXPORT alpm_pkg_load(const char *filename, int full, pmpkg_t **pkg) +int SYMEXPORT alpm_pkg_load(const char *filename, int full, + pgp_verify_t check_sig, pmpkg_t **pkg) { ALPM_LOG_FUNC; /* Sanity checks */ - ASSERT(filename != NULL && strlen(filename) != 0, - RET_ERR(PM_ERR_WRONG_ARGS, -1)); ASSERT(pkg != NULL, RET_ERR(PM_ERR_WRONG_ARGS, -1)); - *pkg = pkg_load(filename, full); + *pkg = _alpm_pkg_load_internal(filename, full, NULL, NULL, check_sig); if(*pkg == NULL) { /* pm_errno is set by pkg_load */ return -1; diff --git a/lib/libalpm/package.h b/lib/libalpm/package.h index 390dcd9..debb239 100644 --- a/lib/libalpm/package.h +++ b/lib/libalpm/package.h @@ -139,6 +139,10 @@ pmpkg_t* _alpm_pkg_new(void); pmpkg_t *_alpm_pkg_dup(pmpkg_t *pkg); void _alpm_pkg_free(pmpkg_t *pkg); void _alpm_pkg_free_trans(pmpkg_t *pkg); + +pmpkg_t *_alpm_pkg_load_internal(const char *filename, int full, + const char *md5sum, const char *base64_sig, pgp_verify_t check_sig); + int _alpm_pkg_cmp(const void *p1, const void *p2); int _alpm_pkg_compare_versions(pmpkg_t *local_pkg, pmpkg_t *pkg); pmpkg_t *_alpm_pkg_find(alpm_list_t *haystack, const char *needle); diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index a702bac..4b42af4 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c 
@@ -862,45 +862,27 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) for(i = trans->add; i; i = i->next, current++) { pmpkg_t *spkg = i->data; int percent = (current * 100) / numtargs; + const char *filename; + char *filepath; + pgp_verify_t check_sig; + + PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", percent, + numtargs, current); if(spkg->origin == PKG_FROM_FILE) { continue; /* pkg_load() has been already called, this package is valid */ } - PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", percent, - numtargs, current); - const char *filename = alpm_pkg_get_filename(spkg); - char *filepath = _alpm_filecache_find(filename); - const char *md5sum = alpm_pkg_get_md5sum(spkg); - pgp_verify_t check_sig; - - /* check md5sum first */ - if(test_md5sum(trans, filepath, md5sum) != 0) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; - } - /* check PGP signature next */ + filename = alpm_pkg_get_filename(spkg); + filepath = _alpm_filecache_find(filename); pmdb_t *sdb = alpm_pkg_get_db(spkg); - check_sig = _alpm_db_get_sigverify_level(sdb); - if(check_sig != PM_PGP_VERIFY_NEVER) { - int ret = _alpm_gpgme_checksig(filepath, spkg->base64_sig); - if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || - (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; - } - } /* load the package file and replace pkgcache entry with it in the target list */ /* TODO: alpm_pkg_get_db() will not work on this target anymore */ _alpm_log(PM_LOG_DEBUG, "replacing pkgcache entry with package file for target %s\n", spkg->name); - pmpkg_t *pkgfile; - if(alpm_pkg_load(filepath, 1, &pkgfile) != 0) { - _alpm_pkg_free(pkgfile); + pmpkg_t *pkgfile =_alpm_pkg_load_internal(filepath, 1, spkg->md5sum, + spkg->base64_sig, check_sig); + if(!pkgfile) { errors++; *data = alpm_list_add(*data, strdup(filename)); FREE(filepath); 
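Review bot: `check_sig` is read uninitialized in the new call `_alpm_pkg_load_internal(filepath, 1, spkg->md5sum, spkg->base64_sig, check_sig)`. The hunk deletes `check_sig = _alpm_db_get_sigverify_level(sdb);` together with the old verification block and keeps only the declaration. Whether a sync package's signature is checked at all then depends on an indeterminate stack value, which is undefined behaviour and can silently act as `PM_PGP_VERIFY_NEVER`. Restore `check_sig = _alpm_db_get_sigverify_level(sdb);` directly after the `pmdb_t *sdb = alpm_pkg_get_db(spkg);` line, which is otherwise left unused. The enclosing loop in _alpm_sync_commit starts before and ends after this hunk.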
diff --git a/src/pacman/query.c b/src/pacman/query.c index eaf3b9e..5ca52c3 100644 --- a/src/pacman/query.c +++ b/src/pacman/query.c @@ -547,7 +547,7 @@ int pacman_query(alpm_list_t *targets) char *strname = alpm_list_getdata(i); if(config->op_q_isfile) { - alpm_pkg_load(strname, 1, &pkg); + alpm_pkg_load(strname, 1, PM_PGP_VERIFY_OPTIONAL, &pkg); } else { pkg = alpm_db_get_pkg(db_local, strname); } diff --git a/src/pacman/sync.c b/src/pacman/sync.c index 5529288..5fb8c34 100644 --- a/src/pacman/sync.c +++ b/src/pacman/sync.c @@ -211,7 +211,8 @@ static int sync_cleancache(int level) /* attempt to load the package, prompt removal on failures as we may have * files here that aren't valid packages. we also don't need a full * load of the package, just the metadata. */ - if(alpm_pkg_load(path, 0, &localpkg) != 0 || localpkg == NULL) { + if(alpm_pkg_load(path, 0, PM_PGP_VERIFY_NEVER, &localpkg) != 0 + || localpkg == NULL) { if(yesno(_("File %s does not seem to be a valid package, remove it?"), path)) { if(localpkg) { alpm_pkg_free(localpkg); diff --git a/src/pacman/upgrade.c b/src/pacman/upgrade.c index 5b89400..0ffc94c 100644 --- a/src/pacman/upgrade.c +++ b/src/pacman/upgrade.c @@ -42,6 +42,7 @@ int pacman_upgrade(alpm_list_t *targets) { alpm_list_t *i, *data = NULL; + pgp_verify_t check_sig = alpm_option_get_default_sigverify(); int retval = 0; if(targets == NULL) { @@ -75,7 +76,7 @@ int pacman_upgrade(alpm_list_t *targets) char *targ = alpm_list_getdata(i); pmpkg_t *pkg; - if(alpm_pkg_load(targ, 1, &pkg) != 0) { + if(alpm_pkg_load(targ, 1, check_sig, &pkg) != 0) { pm_fprintf(stderr, PM_LOG_ERROR, "'%s': %s\n", targ, alpm_strerrorlast()); trans_release(); diff --git a/src/util/testpkg.c b/src/util/testpkg.c index e562dde..ad6ec30 100644 --- a/src/util/testpkg.c +++ b/src/util/testpkg.c 
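Review bot: The query.c hunk hard-codes `PM_PGP_VERIFY_OPTIONAL` for file queries (`config->op_q_isfile`), while the upgrade.c hunk in the same patch takes the level from `alpm_option_get_default_sigverify()`. A stricter configured policy is therefore not applied when a package file is only inspected; the testpkg.c hunk makes the same choice. If that is deliberate, a short comment at the call such as `/* query only: tolerate a missing signature, still reject a bad one */` would record it; otherwise pass the configured level as upgrade.c does. The return value of `alpm_pkg_load` is still discarded in query.c, so a `PM_ERR_SIG_INVALID` failure is only noticed if the code after the hunk checks `pkg` for NULL.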
@@ -55,7 +55,8 @@ int main(int argc, char *argv[]) /* let us get log messages from libalpm */ alpm_option_set_logcb(output_cb); - if(alpm_pkg_load(argv[1], 1, &pkg) == -1 || pkg == NULL) { + if(alpm_pkg_load(argv[1], 1, PM_PGP_VERIFY_OPTIONAL, &pkg) == -1 + || pkg == NULL) { switch(pm_errno) { case PM_ERR_PKG_OPEN: printf("Cannot open the given file.\n"); -- 1.7.4.4
Add some lookup functions for nice names for the various types used by the library, and remove some fields that are of little use to us in the debug output. This should make looking at key loading and verification a bit easier, especially in determining what makes up our good and bad criteria. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/signing.c | 108 ++++++++++++++++++++++++++++++++++++++++++++----- 1 files changed, 97 insertions(+), 11 deletions(-) diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index d69fd52..0abf34f 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c 
@@ -37,6 +37,82 @@ if(err != GPG_ERR_NO_ERROR) { goto error; } \ } while(0) +static const char *gpgme_string_validity(gpgme_validity_t validity) +{ + switch(validity) { + case GPGME_VALIDITY_UNKNOWN: + return "unknown"; + case GPGME_VALIDITY_UNDEFINED: + return "undefined"; + case GPGME_VALIDITY_NEVER: + return "never"; + case GPGME_VALIDITY_MARGINAL: + return "marginal"; + case GPGME_VALIDITY_FULL: + return "full"; + case GPGME_VALIDITY_ULTIMATE: + return "ultimate"; + } + return "???"; +} + +static alpm_list_t *gpgme_list_sigsum(gpgme_sigsum_t sigsum) +{ + alpm_list_t *summary = NULL; + /* The docs say this can be a bitmask...not sure I believe it, but we'll code + * for it anyway and show all possible flags in the returned string. */ + + /* The signature is fully valid. */ + if(sigsum & GPGME_SIGSUM_VALID) { + summary = alpm_list_add(summary, "valid"); + } + /* The signature is good. */ + if(sigsum & GPGME_SIGSUM_GREEN) { + summary = alpm_list_add(summary, "green"); + } + /* The signature is bad. */ + if(sigsum & GPGME_SIGSUM_RED) { + summary = alpm_list_add(summary, "red"); + } + /* One key has been revoked. */ + if(sigsum & GPGME_SIGSUM_KEY_REVOKED) { + summary = alpm_list_add(summary, "key revoked"); + } + /* One key has expired. */ + if(sigsum & GPGME_SIGSUM_KEY_EXPIRED) { + summary = alpm_list_add(summary, "key expired"); + } + /* The signature has expired. */ + if(sigsum & GPGME_SIGSUM_SIG_EXPIRED) { + summary = alpm_list_add(summary, "sig expired"); + } + /* Can't verify: key missing. */ + if(sigsum & GPGME_SIGSUM_KEY_MISSING) { + summary = alpm_list_add(summary, "key missing"); + } + /* CRL not available. */ + if(sigsum & GPGME_SIGSUM_CRL_MISSING) { + summary = alpm_list_add(summary, "crl missing"); + } + /* Available CRL is too old. */ + if(sigsum & GPGME_SIGSUM_CRL_TOO_OLD) { + summary = alpm_list_add(summary, "crl too old"); + } + /* A policy was not met. 
*/ + if(sigsum & GPGME_SIGSUM_BAD_POLICY) { + summary = alpm_list_add(summary, "bad policy"); + } + /* A system error occured. */ + if(sigsum & GPGME_SIGSUM_SYS_ERROR) { + summary = alpm_list_add(summary, "sys error"); + } + /* Fallback case */ + if(!sigsum) { + summary = alpm_list_add(summary, "(empty)"); + } + return summary; +} + static int gpgme_init(void) { static int init = 0; 
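Review bot: gpgme_list_sigsum has no comment stating ownership of its return value. The list nodes are allocated by `alpm_list_add` and belong to the caller, while every data pointer is a string literal that must never be freed. A header comment such as `/* Returns a newly allocated list of static strings; free it with alpm_list_free(), never free the data. */` would guard call sites against both a leak and an invalid free. Storing literals in the list also drops their const qualifier, so callers should only read them through `const char *`. The comment typo `occured` should read `occurred`.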
@@ -221,17 +297,27 @@ int _alpm_gpgme_checksig(const char *path, const char *base64_sig) ret = -1; goto error; } - _alpm_log(PM_LOG_DEBUG, "summary=%x\n", gpgsig->summary); - _alpm_log(PM_LOG_DEBUG, "fpr=%s\n", gpgsig->fpr); - _alpm_log(PM_LOG_DEBUG, "status=%d\n", gpgsig->status); - _alpm_log(PM_LOG_DEBUG, "timestamp=%lu\n", gpgsig->timestamp); - _alpm_log(PM_LOG_DEBUG, "wrong_key_usage=%u\n", gpgsig->wrong_key_usage); - _alpm_log(PM_LOG_DEBUG, "pka_trust=%u\n", gpgsig->pka_trust); - _alpm_log(PM_LOG_DEBUG, "chain_model=%u\n", gpgsig->chain_model); - _alpm_log(PM_LOG_DEBUG, "validity=%d\n", gpgsig->validity); - _alpm_log(PM_LOG_DEBUG, "validity_reason=%d\n", gpgsig->validity_reason); - _alpm_log(PM_LOG_DEBUG, "key=%d\n", gpgsig->pubkey_algo); - _alpm_log(PM_LOG_DEBUG, "hash=%d\n", gpgsig->hash_algo); + + { + alpm_list_t *summary_list, *summary; + + _alpm_log(PM_LOG_DEBUG, "fingerprint: %s\n", gpgsig->fpr); + summary_list = gpgme_list_sigsum(gpgsig->summary); + for(summary = summary_list; summary; summary = summary->next) { + _alpm_log(PM_LOG_DEBUG, "summary: %s\n", (const char *)summary->data); + } + _alpm_log(PM_LOG_DEBUG, "status: %s\n", gpgme_strerror(gpgsig->status)); + _alpm_log(PM_LOG_DEBUG, "timestamp: %lu\n", gpgsig->timestamp); + _alpm_log(PM_LOG_DEBUG, "exp_timestamp: %lu\n", gpgsig->exp_timestamp); + _alpm_log(PM_LOG_DEBUG, "validity: %s\n", + gpgme_string_validity(gpgsig->validity)); + _alpm_log(PM_LOG_DEBUG, "validity_reason: %s\n", + gpgme_strerror(gpgsig->validity_reason)); + _alpm_log(PM_LOG_DEBUG, "pubkey algo: %s\n", + gpgme_pubkey_algo_name(gpgsig->pubkey_algo)); + _alpm_log(PM_LOG_DEBUG, "hash algo: %s\n", + gpgme_hash_algo_name(gpgsig->hash_algo)); + } if(gpgsig->summary & GPGME_SIGSUM_VALID) { /* good signature, continue */ -- 1.7.4.4
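Review bot: `summary_list` is never released after the logging loop in the new block, so each pass through this code leaks the nodes built by gpgme_list_sigsum. Add `alpm_list_free(summary_list);` right after the `for` loop; free the nodes only, since the data are string literals. Separately, `gpgme_pubkey_algo_name()` and `gpgme_hash_algo_name()` return NULL for an algorithm they do not recognise, and that result goes straight into a `%s` conversion. Store each result in a local and log a fallback string when it is NULL. _alpm_gpgme_checksig starts before this hunk and continues after it.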