[pacman-dev] [patch]GPG verification
Jatheendra
jatheendra at gmail.com
Wed Dec 17 10:40:45 EST 2008
These patches add a VerifySig option to pacman.conf. VerifySig
takes one of the values Always, Optional or Never:
[repo-name]
Server = ServerName
VerifySig = Always
Include = IncludePath
>From 77be2c5cbfa3c7a750fe46d115c23096d2cf51e5 Mon Sep 17 00:00:00 2001
From: shankar <jatheendra at gmail.com>
Date: Wed, 17 Dec 2008 20:52:21 +0530
Subject: [PATCH] changed gpg verification logic
Signed-off-by: shankar <jatheendra at gmail.com>
---
lib/libalpm/signing.c | 3 +++
lib/libalpm/sync.c | 26 ++++++++++++++++++++++----
2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index ddb89bc..0835b5e 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -166,6 +166,9 @@ pgpcheck_t _alpm_gpgme_checksig(const char
*pkgpath, const pmpgpsig_t *sig)
if(gpgsig->summary & GPGME_SIGSUM_VALID) {
/* good signature, continue */
+ ret = PM_PGP_SIG_VALID;
+ _alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"),
+ pkgpath);
} else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {
/* 'green' signature, not sure what to do here */
_alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"),
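Review bot: The `GPGME_SIGSUM_VALID` branch is now the only place that assigns `PM_PGP_SIG_VALID`, and the sync.c change in this patch fails anything other than that value under `VerifySig = Always`, so the initial value of `ret` (declared outside this hunk) must be a non-valid result for the check to fail closed. Please confirm that, and confirm that the 'green' branch below is meant to leave `ret` untouched, since a green signature will then be rejected while its comment still reads 'not sure what to do here'. The comment on the new assignment could say so directly: `/* fully valid signature: the only case reported as PM_PGP_SIG_VALID */`. The body of `_alpm_gpgme_checksig` starts and ends outside the hunk.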
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 24f2b98..f658ae2 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -901,12 +901,30 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t
*db_local, alpm_list_t **data)
*data = alpm_list_add(*data, strdup(filename));
}
/* check PGP signature next */
- if(_alpm_gpgme_checksig(filepath, pgpsig) == PM_PGP_SIG_INVALID) {
- errors++;
- *data = alpm_list_add(*data, strdup(filename));
+ pmdb_t *sdb = alpm_pkg_get_db(spkg);
+
+ if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS) {
+ if(_alpm_gpgme_checksig(filepath, pgpsig) != PM_PGP_SIG_VALID) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(filename));
+ _alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package:
%s\n"),alpm_pkg_get_name(spkg));
+ }
+ FREE(filepath);
+ } else if (sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
+ pgpcheck_t ret1 = _alpm_gpgme_checksig(filepath, pgpsig);
+
+ if(ret1 == PM_PGP_SIG_MISSING) {
+ /*no problems here*/
+ } else if (ret1 != PM_PGP_SIG_VALID) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(filename));
+ _alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package:
%s\n"),alpm_pkg_get_name(spkg));
+ }
+ FREE(filepath);
}
- FREE(filepath);
}
+
+
if(errors) {
pm_errno = PM_ERR_PKG_INVALID;
goto error;
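Review bot: `filepath` is no longer freed when `sdb->verify_gpg` is neither `PM_GPG_VERIFY_ALWAYS` nor `PM_GPG_VERIFY_OPTIONAL`, because the unconditional `FREE(filepath);` was removed and copied only into those two branches, so every package from a repository that skips verification leaks the path. The two branches also duplicate the error handling and differ only in whether `PM_PGP_SIG_MISSING` is tolerated, so a single check followed by one `FREE(filepath);` is simpler and cannot drift apart. The Optional path deserves a comment stating that an absent signature is accepted, which means this mode gives no protection when a repository or mirror serves a package with its signature removed. `sdb` is dereferenced without a NULL check, and whether `alpm_pkg_get_db()` can return NULL at this point is not visible here. `_alpm_sync_commit` starts and ends outside the hunk.

```c
/* … unchanged: md5sum check above … */
/* check PGP signature next */
pmdb_t *sdb = alpm_pkg_get_db(spkg);

if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS ||
		sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
	pgpcheck_t sigret = _alpm_gpgme_checksig(filepath, pgpsig);

	/* Optional tolerates only an absent signature; a signature that is
	 * present but not valid fails in both modes. */
	if(sigret != PM_PGP_SIG_VALID &&
			!(sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL &&
				sigret == PM_PGP_SIG_MISSING)) {
		errors++;
		*data = alpm_list_add(*data, strdup(filename));
		_alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package: %s\n"),
				alpm_pkg_get_name(spkg));
	}
}
/* released on every path, including repositories that skip verification */
FREE(filepath);
/* … unchanged: if(errors) handling … */
```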
--
1.6.0.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-gpg-verification-options-per-repo-to-the-confi.patch
Type: application/octet-stream
Size: 3680 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20081217/e8ec6c2c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-changed-gpg-verification-logic.patch
Type: application/octet-stream
Size: 2341 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/pacman-dev/attachments/20081217/e8ec6c2c/attachment-0001.obj>