[pacman-dev] [PATCH] Disable embedded signatures by default

Anatol Pomozov anatol.pomozov at gmail.com
Mon Aug 10 21:34:15 UTC 2020 

Switching from embedded to detached signatures is a big change. This
feature needs to be thoroughly tested before embedded signatures will be
completely removed from the database.

To help with detached signatures testing we enable it by default. But in
case if an user needs to go back to embedded signatures we add a config
option to reenable it - "UseEmbeddedSignatures".

Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
---
 doc/pacman.conf.5.asciidoc |  4 ++++
 lib/libalpm/alpm.h         |  3 +++
 lib/libalpm/be_sync.c      |  4 +++-
 lib/libalpm/handle.c       | 13 +++++++++++++
 lib/libalpm/handle.h       |  1 +
 src/pacman/conf.c          |  4 ++++
 src/pacman/conf.h          |  2 ++
 src/pacman/pacman-conf.c   |  3 +++
 8 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/doc/pacman.conf.5.asciidoc b/doc/pacman.conf.5.asciidoc
index 3c2f1fea..dd1d3d5e 100644
--- a/doc/pacman.conf.5.asciidoc
+++ b/doc/pacman.conf.5.asciidoc
@@ -214,6 +214,10 @@ Options
 	positive integer. If this config option is not set then only one download
 	stream is used (i.e. downloads happen sequentially).
 
+*UseEmbeddedSignatures*::
+  Enable database embedded signatures usage. If this flag is not set then
+  only detached signatures (*.sig files) are used.
+
 
 Repository Sections
 -------------------
diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h
index 614a530c..f88428f2 100644
--- a/lib/libalpm/alpm.h
+++ b/lib/libalpm/alpm.h
@@ -920,6 +920,9 @@ int alpm_option_set_arch(alpm_handle_t *handle, const char *arch);
 int alpm_option_get_checkspace(alpm_handle_t *handle);
 int alpm_option_set_checkspace(alpm_handle_t *handle, int checkspace);
 
+int alpm_option_get_embeddedsigs(alpm_handle_t *handle);
+int alpm_option_set_embeddedsigs(alpm_handle_t *handle, int embeddedsigs);
+
 const char *alpm_option_get_dbext(alpm_handle_t *handle);
 int alpm_option_set_dbext(alpm_handle_t *handle, const char *dbext);
 
diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c
index 225df76d..d31f4862 100644
--- a/lib/libalpm/be_sync.c
+++ b/lib/libalpm/be_sync.c
@@ -602,7 +602,9 @@ static int sync_db_read(alpm_db_t *db, struct archive *archive,
 			} else if(strcmp(line, "%SHA256SUM%") == 0) {
 				READ_AND_STORE(pkg->sha256sum);
 			} else if(strcmp(line, "%PGPSIG%") == 0) {
-				READ_AND_STORE(pkg->base64_sig);
+				if(db->handle->embeddedsigs) {
+					READ_AND_STORE(pkg->base64_sig);
+				}
 			} else if(strcmp(line, "%REPLACES%") == 0) {
 				READ_AND_SPLITDEP(pkg->replaces);
 			} else if(strcmp(line, "%DEPENDS%") == 0) {
diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c
index 1310601a..d0077cd4 100644
--- a/lib/libalpm/handle.c
+++ b/lib/libalpm/handle.c
@@ -294,6 +294,12 @@ int SYMEXPORT alpm_option_get_checkspace(alpm_handle_t *handle)
 	return handle->checkspace;
 }
 
+int SYMEXPORT alpm_option_get_embeddedsigs(alpm_handle_t *handle)
+{
+	CHECK_HANDLE(handle, return -1);
+	return handle->embeddedsigs;
+}
+
 const char SYMEXPORT *alpm_option_get_dbext(alpm_handle_t *handle)
 {
 	CHECK_HANDLE(handle, return NULL);
@@ -754,6 +760,13 @@ int SYMEXPORT alpm_option_set_checkspace(alpm_handle_t *handle, int checkspace)
 	return 0;
 }
 
+int SYMEXPORT alpm_option_set_embeddedsigs(alpm_handle_t *handle, int embeddedsigs)
+{
+	CHECK_HANDLE(handle, return -1);
+	handle->embeddedsigs = embeddedsigs;
+	return 0;
+}
+
 int SYMEXPORT alpm_option_set_dbext(alpm_handle_t *handle, const char *dbext)
 {
 	CHECK_HANDLE(handle, return -1);
diff --git a/lib/libalpm/handle.h b/lib/libalpm/handle.h
index 9fef0fbf..de278d88 100644
--- a/lib/libalpm/handle.h
+++ b/lib/libalpm/handle.h
@@ -98,6 +98,7 @@ struct __alpm_handle_t {
 	char *arch;              /* Architecture of packages we should allow */
 	int usesyslog;           /* Use syslog instead of logfile? */ /* TODO move to frontend */
 	int checkspace;          /* Check disk space before installing */
+	int embeddedsigs;        /* Use embedded signatures instead of detached one */
 	char *dbext;             /* Sync DB extension */
 	int siglevel;            /* Default signature verification level */
 	int localfilesiglevel;   /* Signature verification level for local file
diff --git a/src/pacman/conf.c b/src/pacman/conf.c
index 3a3ef605..6268f229 100644
--- a/src/pacman/conf.c
+++ b/src/pacman/conf.c
@@ -598,6 +598,9 @@ static int _parse_options(const char *key, char *value,
 		} else if(strcmp(key, "ILoveCandy") == 0) {
 			config->chomp = 1;
 			pm_printf(ALPM_LOG_DEBUG, "config: chomp\n");
+		} else if(strcmp(key, "UseEmbeddedSignatures") == 0) {
+			config->embeddedsigs = 1;
+			pm_printf(ALPM_LOG_DEBUG, "config: embeddedsigs\n");
 		} else if(strcmp(key, "VerbosePkgLists") == 0) {
 			config->verbosepkglists = 1;
 			pm_printf(ALPM_LOG_DEBUG, "config: verbosepkglists\n");
@@ -899,6 +902,7 @@ static int setup_libalpm(void)
 	alpm_option_set_arch(handle, config->arch);
 	alpm_option_set_checkspace(handle, config->checkspace);
 	alpm_option_set_usesyslog(handle, config->usesyslog);
+	alpm_option_set_embeddedsigs(handle, config->embeddedsigs);
 
 	alpm_option_set_ignorepkgs(handle, config->ignorepkg);
 	alpm_option_set_ignoregroups(handle, config->ignoregrp);
diff --git a/src/pacman/conf.h b/src/pacman/conf.h
index b8a451ad..e1dbd1bc 100644
--- a/src/pacman/conf.h
+++ b/src/pacman/conf.h
@@ -111,6 +111,8 @@ typedef struct __config_t {
 	/* conf file options */
 	/* I Love Candy! */
 	unsigned short chomp;
+	/* Use database embedded signatures if present */
+	unsigned short embeddedsigs;
 	/* format target pkg lists as table */
 	unsigned short verbosepkglists;
 	/* When downloading, display the amount downloaded, rate, ETA, and percent
diff --git a/src/pacman/pacman-conf.c b/src/pacman/pacman-conf.c
index 463badf1..b96fb6b8 100644
--- a/src/pacman/pacman-conf.c
+++ b/src/pacman/pacman-conf.c
@@ -267,6 +267,7 @@ static void dump_config(void)
 	show_bool("VerbosePkgLists", config->verbosepkglists);
 	show_bool("DisableDownloadTimeout", config->disable_dl_timeout);
 	show_bool("ILoveCandy", config->chomp);
+	show_bool("UseEmbeddedSignatures", config->embeddedsigs);
 	show_bool("NoProgressBar", config->noprogressbar);
 
 	show_int("ParallelDownloads", config->parallel_downloads);
@@ -381,6 +382,8 @@ static int list_directives(void)
 			show_bool("DisableDownloadTimeout", config->disable_dl_timeout);
 		} else if(strcasecmp(i->data, "ILoveCandy") == 0) {
 			show_bool("ILoveCandy", config->chomp);
+		} else if(strcasecmp(i->data, "UseEmbeddedSignatures") == 0) {
+			show_bool("UseEmbeddedSignatures", config->embeddedsigs);
 		} else if(strcasecmp(i->data, "NoProgressBar") == 0) {
 			show_bool("NoProgressBar", config->noprogressbar);
 
-- 
2.28.0

More information about the pacman-dev mailing list