[pacman-dev] [PATCH 0/4] Add signature check for local packages

Rémy Oudompheng

21 Apr 2011 21 Apr '11

6:35 a.m.

Packages added from local files are not checked currently. These patches also introduce changes in the handling of PM_PGP_VERIFY_UNKNOWN that are not really convincing. We could skip these changes and just apply the other patches, however we should probably give some thoughts about that. Making the check level into an argument of the check function could also be an option. Rémy Oudompheng (4): sync.c: remove duplicated code for integrity check failures handle.c: force sigverify level not to be PM_PGP_VERIFY_UNKNOWN sync.c: remove unnecessary check for PM_PGP_VERIFY_UNKNOWN sync.c: also check signatures for packages loaded from files lib/libalpm/handle.c | 1 + lib/libalpm/sync.c | 58 +++++++++++++++++++++++++------------------------- 2 files changed, 30 insertions(+), 29 deletions(-) -- 1.7.4.4

Show replies by date

Rémy Oudompheng

21 Apr 21 Apr

6:36 a.m.

New subject: [pacman-dev] [PATCH 1/4] sync.c: remove duplicated code for integrity check failures

Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- This is a cleanup patch is preparation for some code moving. lib/libalpm/sync.c | 21 +++++++++------------ 1 files changed, 9 insertions(+), 12 deletions(-) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index cb73c7e..b6c64af 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -844,10 +844,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) /* check md5sum first */ if(test_md5sum(trans, filepath, md5sum) != 0) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; + goto integrity_check_fail; } /* check PGP signature next */ pmdb_t *sdb = alpm_pkg_get_db(spkg); @@ -865,10 +862,7 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) int ret = _alpm_gpgme_checksig(filepath, pgpsig); if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || (check_sig == PM_PGP_VERIFY_OPTIONAL && ret == 1)) { - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; + goto integrity_check_fail; } } /* load the package file and replace pkgcache entry with it in the target list */ @@ -877,15 +871,18 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) pmpkg_t *pkgfile; if(alpm_pkg_load(filepath, 1, &pkgfile) != 0) { _alpm_pkg_free(pkgfile); - errors++; - *data = alpm_list_add(*data, strdup(filename)); - FREE(filepath); - continue; + goto integrity_check_fail; } FREE(filepath); pkgfile->reason = spkg->reason; /* copy over install reason */ i->data = pkgfile; _alpm_pkg_free_trans(spkg); /* spkg has been removed from the target list */ + continue; + +integrity_check_fail: + errors++; + *data = alpm_list_add(*data, strdup(filename)); + FREE(filepath); } PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", 100, -- 1.7.4.4

Rémy Oudompheng

6:37 a.m.

New subject: [pacman-dev] [PATCH 2/4] handle.c: force sigverify level not to be PM_PGP_VERIFY_UNKNOWN

There is no sense in setting such a value. Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- lib/libalpm/handle.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c index 6905ca6..6bc5f27 100644 --- a/lib/libalpm/handle.c +++ b/lib/libalpm/handle.c @@ -628,6 +628,7 @@ int SYMEXPORT alpm_option_set_checkspace(int checkspace) int SYMEXPORT alpm_option_set_default_sigverify(pgp_verify_t level) { ASSERT(handle != NULL, RET_ERR(PM_ERR_HANDLE_NULL, -1)); + ASSERT(level != PM_PGP_VERIFY_UNKNOWN, RET_ERR(PM_ERR_WRONG_ARGS, -1)); handle->sigverify = level; return 0; } -- 1.7.4.4

Rémy Oudompheng

6:38 a.m.

New subject: [pacman-dev] [PATCH 3/4] sync.c: remove unnecessary check for PM_PGP_VERIFY_UNKNOWN

The value PM_PGP_VERIFY_UNKNOWN is reserved to error cases, now that the signature verification level defaults to the globally set level. The only error case is when handle == NULL, which is false in the context of _alpm_sync_commit(). Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- Now I'm unsure about this patch. We could miss the case where sdb is NULL but then, the log message would do a NULL dereference. lib/libalpm/sync.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index b6c64af..7958c66 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -851,13 +851,6 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) check_sig = _alpm_db_get_sigverify_level(sdb); - if(check_sig == PM_PGP_VERIFY_UNKNOWN) { - _alpm_log(PM_LOG_ERROR, _("failed to determine signature verification " - "level for database: %s\n"), sdb->treename); - pm_errno = PM_ERR_PKG_INVALID; - goto error; - } - if(check_sig != PM_PGP_VERIFY_NEVER) { int ret = _alpm_gpgme_checksig(filepath, pgpsig); if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || -- 1.7.4.4

Dan McGee

5:16 p.m.

New subject: [pacman-dev] [PATCH 3/4] sync.c: remove unnecessary check for PM_PGP_VERIFY_UNKNOWN

On Thu, Apr 21, 2011 at 1:38 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:

...

The value PM_PGP_VERIFY_UNKNOWN is reserved to error cases, now that the signature verification level defaults to the globally set level. The only error case is when handle == NULL, which is false in the context of _alpm_sync_commit().

Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- Now I'm unsure about this patch. We could miss the case where sdb is NULL but then, the log message would do a NULL dereference.

You would have been dead meat long before this if sdb was NULL, so nothing to worry about. Patch pushed.

Rémy Oudompheng

6:39 a.m.

New subject: [pacman-dev] [PATCH 4/4] sync.c: also check signatures for packages loaded from files

The chosen level is the global signature check level defined by alpm_option_set_default_sigverify(). Signed-off-by: Rémy Oudompheng <remy@archlinux.org> --- There is some code moving around here. lib/libalpm/sync.c | 34 ++++++++++++++++++++++------------ 1 files changed, 22 insertions(+), 12 deletions(-) diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c index 7958c66..0a864c9 100644 --- a/lib/libalpm/sync.c +++ b/lib/libalpm/sync.c @@ -830,27 +830,30 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) for(i = trans->add; i; i = i->next, current++) { pmpkg_t *spkg = i->data; int percent = (current * 100) / numtargs; - if(spkg->origin == PKG_FROM_FILE) { - continue; /* pkg_load() has been already called, this package is valid */ - } PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", percent, numtargs, current); const char *filename = alpm_pkg_get_filename(spkg); - char *filepath = _alpm_filecache_find(filename); - const char *md5sum = alpm_pkg_get_md5sum(spkg); + char *filepath; const pmpgpsig_t *pgpsig = alpm_pkg_get_pgpsig(spkg); pgp_verify_t check_sig; - /* check md5sum first */ - if(test_md5sum(trans, filepath, md5sum) != 0) { - goto integrity_check_fail; - } - /* check PGP signature next */ - pmdb_t *sdb = alpm_pkg_get_db(spkg); + if(spkg->origin == PKG_FROM_FILE) { + check_sig = alpm_option_get_default_sigverify(); + filepath = strdup(filename); + } else { + pmdb_t *sdb = alpm_pkg_get_db(spkg); + check_sig = _alpm_db_get_sigverify_level(sdb); + filepath = _alpm_filecache_find(filename); - check_sig = _alpm_db_get_sigverify_level(sdb); + /* check md5sum if package comes from a database */ + const char *md5sum = alpm_pkg_get_md5sum(spkg); + if(test_md5sum(trans, filepath, md5sum) != 0) { + goto integrity_check_fail; + } + } + /* check PGP signature next */ if(check_sig != PM_PGP_VERIFY_NEVER) { int ret = _alpm_gpgme_checksig(filepath, pgpsig); if((check_sig == PM_PGP_VERIFY_ALWAYS && ret != 0) || @@ -858,6 +861,13 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data) goto integrity_check_fail; } } + + /* don't replace spkg if it already comes from a file */ + if (spkg->origin == PKG_FROM_FILE) { + FREE(filepath); + continue; + } + /* load the package file and replace pkgcache entry with it in the target list */ /* TODO: alpm_pkg_get_db() will not work on this target anymore */ _alpm_log(PM_LOG_DEBUG, "replacing pkgcache entry with package file for target %s\n", spkg->name); -- 1.7.4.4

Dan McGee

22 Apr 22 Apr

9:10 p.m.

On Thu, Apr 21, 2011 at 1:35 AM, Rémy Oudompheng <remyoudompheng@gmail.com> wrote:

...

Packages added from local files are not checked currently. These patches also introduce changes in the handling of PM_PGP_VERIFY_UNKNOWN that are not really convincing. We could skip these changes and just apply the other patches, however we should probably give some thoughts about that.

Making the check level into an argument of the check function could also be an option.

So I'm going to soon send a set of patches that address and clash with a lot of what this patch set is doing. Rémy, I don't want to discourage you by any means with not applying these, as I drew ideas and inspiration from your patches, but I saw a fundamental problem with doing this at all in sync.c- it frankly just doesn't belong there. Instead, the main push of my patches is to push this down into the load function itself, which allows both frontend and backend package loads to have the benefit of signature checks. I did already grab your UNKNOWN patches, so thanks for those. -Dan

4948

Age (days ago)

4949

Last active (days ago)

List overview

Download

6 comments

2 participants

participants (2)

Dan McGee
Rémy Oudompheng