[pacman-dev] [PATCH 2/2] repo-add: enforce maximum .sig file size
Dave Reisner
d at falconindy.com
Mon Dec 5 11:33:27 EST 2011
On Mon, Dec 05, 2011 at 10:09:45AM -0600, Dan McGee wrote:
> This prevents user error in adding a file generated via `gpg --sign`
> rather than `--detach-sign`, for example. The same 16KiB limit is used
> as we use in our pacman download code.
>
> The section is moved above the checksum generation to avoid presenting
> info messages to the user if the signature isn't valid.
>
> Addresses a shortcoming pointed out in FS#27453.
>
> Signed-off-by: Dan McGee <dan at archlinux.org>
> ---
> scripts/repo-add.sh.in | 19 ++++++++++++-------
> 1 files changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
> index 5e1d770..1cde913 100644
> --- a/scripts/repo-add.sh.in
> +++ b/scripts/repo-add.sh.in
> @@ -245,7 +245,7 @@ db_write_entry() {
> local pkgfile="$1"
> local -a _groups _licenses _replaces _depends _conflicts _provides _optdepends
> local pkgname pkgver pkgdesc csize size url arch builddate packager \
> - md5sum sha256sum pgpsig
> + md5sum sha256sum pgpsig pgpsigsize
>
> # read info from the zipped package
> local line var val
> @@ -284,6 +284,17 @@ db_write_entry() {
> fi
> fi
>
> + # compute base64'd PGP signature
> + if [[ -f "$pkgfile.sig" ]]; then
> + pgpsigsize=$(@SIZECMD@ "$pkgfile.sig")
> + if [[ $pgpsigsize > 16384 ]]; then

This is a lexical comparison -- most sigs are going to fail this check.
You meant to use an arithmetic context:

  (( pgpsigsize > 16384 ))

This looks fine otherwise.

> + error "$(gettext "Invalid package signature file '%s'.")" "$pkgfile.sig"
> + return 1
> + fi
> + msg2 "$(gettext "Adding package signature...")"
> + pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n')
> + fi
> +
> csize=$(@SIZECMD@ "$pkgfile")
>
> # compute checksums
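
Review bot: The string comparison in `if [[ $pgpsigsize > 16384 ]]` fails in both directions, so it is not only a usability problem. A 500-byte signature is rejected because "500" sorts after "16384", while a 100000-byte file is accepted because "100000" sorts before "16384", so the limit the patch is meant to enforce can be bypassed by size alone. Switching to `(( pgpsigsize > 16384 ))` fixes both cases. Separately, the error text "Invalid package signature file '%s'." does not say the file was rejected for exceeding the size limit; mentioning the 16384-byte maximum would point a user who ran `gpg --sign` instead of `--detach-sign` at the actual mistake. A short comment next to the literal noting that it mirrors the download code's limit would also help keep the two values in sync.
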
> @@ -293,12 +304,6 @@ db_write_entry() {
> sha256sum="$(openssl dgst -sha256 "$pkgfile")"
> sha256sum="${sha256sum##* }"
>
> - # compute base64'd PGP signature
> - if [[ -f "$pkgfile.sig" ]]; then
> - msg2 "$(gettext "Adding package signature...")"
> - pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n')
> - fi
> -
> # remove an existing entry if it exists, ignore failures
> db_remove_entry "$pkgname"
>
> --
> 1.7.8
>
>