Added gpg verification options per repo to the config file.

Once we do this, add support for VerifySig to pactest. We just check if
the repo name contains Always, Never or Optional to determine the value
of VerifySig. The default is Never. pacman uses Always by default but
this is not suitable for pactest.

Original-work-by: shankar <jatheendra@gmail.com>
Signed-off-by: Xavier Chantry <shiningxc@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>

lib/libalpm/alpm.h

@@ -251,6 +251,15 @@ alpm_list_t *alpm_pkg_unused_deltas(pmpkg_t *pkg);
 
 int alpm_pkg_check_pgp_signature(pmpkg_t *pkg);
 
+/* GPG signature verification option */
+typedef enum _pgp_verify_t {
+	PM_PGP_VERIFY_ALWAYS,
+	PM_PGP_VERIFY_OPTIONAL,
+	PM_PGP_VERIFY_NEVER
+} pgp_verify_t;
+
+int alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify);
+
 /*
  * Deltas
  */

lib/libalpm/db.c

@@ -181,6 +181,24 @@ int SYMEXPORT alpm_db_setserver(pmdb_t *db, const char *url)
 
 	return 0;
 }
+/** Set the verify gpg signature option for a database.
+ * @param db database pointer
+ * @param verify enum pgp_verify_t
+ * @return 0 on success, -1 on error (pm_errno is set accordingly)
+ */
+int SYMEXPORT alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify)
+{
+	ALPM_LOG_FUNC;
+
+	/* Sanity checks */
+	ASSERT(db != NULL, RET_ERR(PM_ERR_DB_NULL, -1));
+
+	db->pgp_verify = verify;
+	_alpm_log(PM_LOG_DEBUG, "adding VerifySig option to database '%s': %d\n",
+			db->treename, verify);
+
+	return(0);
+}
 
 /** Get the name of a package database
  * @param db pointer to the package database

lib/libalpm/db.h

@@ -60,6 +60,7 @@ struct __pmdb_t {
 	pmpkghash_t *pkgcache;
 	alpm_list_t *grpcache;
 	alpm_list_t *servers;
+	pgp_verify_t pgp_verify;
 
 	struct db_operations *ops;
 };

lib/libalpm/signing.c

@@ -168,6 +168,8 @@ int _alpm_gpgme_checksig(const char *pkgpath, const pmpgpsig_t *sig)
 
 	if(gpgsig->summary & GPGME_SIGSUM_VALID) {
 		/* good signature, continue */
+		_alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"),
+				pkgpath);
 	} else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {
 		/* 'green' signature, not sure what to do here */
 		_alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"),

lib/libalpm/sync.c

@@ -847,11 +847,17 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)
 			continue;
 		}
 		/* check PGP signature next */
-		if(_alpm_gpgme_checksig(filepath, pgpsig) != 0) {
-			errors++;
-			*data = alpm_list_add(*data, strdup(filename));
-			FREE(filepath);
-			continue;
+		pmdb_t *sdb = alpm_pkg_get_db(spkg);
+
+		if(sdb->pgp_verify != PM_PGP_VERIFY_NEVER) {
+			int ret = _alpm_gpgme_checksig(filepath, pgpsig);
+			if((sdb->pgp_verify == PM_PGP_VERIFY_ALWAYS && ret != 0) ||
+					(sdb->pgp_verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) {
+				errors++;
+				*data = alpm_list_add(*data, strdup(filename));
+				FREE(filepath);
+				continue;
+			}
 		}
 		/* load the package file and replace pkgcache entry with it in the target list */
 		/* TODO: alpm_pkg_get_db() will not work on this target anymore */
@@ -869,9 +875,12 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)
 		i->data = pkgfile;
 		_alpm_pkg_free_trans(spkg); /* spkg has been removed from the target list */
 	}
+
 	PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", 100,
 			numtargs, current);
 	EVENT(trans, PM_TRANS_EVT_INTEGRITY_DONE, NULL, NULL);
+
+
 	if(errors) {
 		pm_errno = PM_ERR_PKG_INVALID;
 		goto error;

src/pacman/pacman.c

@@ -1241,6 +1241,24 @@ static int _parseconfig(const char *file, const char *givensection,
 					ret = 1;
 					goto cleanup;
 				}
+			} else if(strcmp(key, "VerifySig") == 0) {
+				if (strcmp(value, "Always") == 0) {
+					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_ALWAYS);
+				} else if (strcmp(value, "Optional") == 0) {
+					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_OPTIONAL);
+				} else if (strcmp(value, "Never") == 0) {
+					ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_NEVER);
+				} else {
+					pm_printf(PM_LOG_ERROR, _("invalid value for 'VerifySig' : '%s'\n"), value);
+					ret = 1;
+					goto cleanup;
+				}
+				if (ret != 0) {
+					pm_printf(PM_LOG_ERROR, _("could not add pgp verify option to database '%s': %s (%s)\n"),
+							alpm_db_get_name(db), value, alpm_strerrorlast());
+					goto cleanup;
+				}
+				pm_printf(PM_LOG_DEBUG, "config: VerifySig for %s: %s\n",alpm_db_get_name(db), value);
 			} else {
 				pm_printf(PM_LOG_WARNING,
 						_("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"),

test/pacman/pmdb.py

@@ -89,6 +89,12 @@ class pmdb(object):
     def __str__(self):
         return "%s" % self.treename
 
+    def getverify(self):
+        for value in "Always","Never","Optional":
+            if value in self.treename:
+                return value
+        return "Never"
+
     def getpkg(self, name):
         """
         """

test/pacman/tests/sign001.py

@@ -2,7 +2,7 @@ self.description = "Add a signature to a package DB"
 
 sp = pmpkg("pkg1")
 sp.pgpsig = "asdfasdfsdfasdfsdafasdfsdfasd"
-self.addpkg2db("sync", sp)
+self.addpkg2db("sync+Always", sp)
 
 self.args = "-Ss"
 

test/pacman/tests/sign002.py

@@ -2,7 +2,7 @@ self.description = "Verify a signature in a sync DB (failure)"
 
 sp = pmpkg("pkg1")
 sp.pgpsig = "iEYEABECAAYFAkhMOggACgkQXC5GoPU6du2WVQCffVxF8GKXJIY4juJBIw/ljLrQxygAnj2QlvsUd7MdFekLX18+Ov/xzgZ1"
-self.addpkg2db("sync", sp)
+self.addpkg2db("sync+Always", sp)
 
 self.args = "-S %s" % sp.name
 

test/pacman/util.py

@@ -132,8 +132,9 @@ def mkcfgfile(filename, root, option, db):
         if key != "local":
             value = db[key]
             data.append("[%s]\n" \
+                    "VerifySig = %s\n" \
                     "Server = file://%s" \
-                     % (value.treename,
+                     % (value.treename, value.getverify(), \
                         os.path.join(root, SYNCREPO, value.treename)))
             for optkey, optval in value.option.iteritems():
                 data.extend(["%s = %s" % (optkey, j) for j in optval])