1
0
mirror of https://github.com/moparisthebest/pacman synced 2024-11-16 22:35:09 -05:00
Commit Graph

3670 Commits

Author SHA1 Message Date
Allan McRae
2f060dec6a Report output from signature checking to debug log
Move the (possibly still temporary) output generated during signature
checking into the --debug output.

Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:36:48 -05:00
Xavier Chantry
f9505063f8 Added gpg verification options per repo to the config file.
Once we do this, add support for VerifySig to pactest. We just check if
the repo name contains Always, Never or Optional to determine the value
of VerifySig. The default is Never. pacman uses Always by default but
this is not suitable for pactest.

Original-work-by: shankar <jatheendra@gmail.com>
Signed-off-by: Xavier Chantry <shiningxc@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:35:50 -05:00
Dan McGee
18c6946961 Remove unnecessary sanity check on db->setserver
We pass in a db object, so no need to go looking for it in the list on
the handle. This is a remnant of when we passed in a treename, more than
likely.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:33:31 -05:00
Chris Brannon
ac88e90557 Let pacman specify GnuPG's home directory.
GnuPG looks for configuration files and keyrings in its home directory.
For a user, that is typically ~/.gnupg.
This patch causes pacman to use /etc/pacman.d/gnupg/ as the default
GnuPG home.  One may override the default using --gpgdir on the command-line
or GPGDir in pacman's configuration file.

Signed-off-by: Chris Brannon <cmbrannon@cox.net>
Signed-off-by: Xavier Chantry <shiningxc@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:22:36 -05:00
Dan McGee
5b962f0d1c Add a pactest showing failed GPG verification
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:16:29 -05:00
Dan McGee
39c75c7000 Integrate GPGME into libalpm
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:16:29 -05:00
Dan McGee
061948597d Add some error codes for signature verification
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:16:29 -05:00
Dan McGee
4ae902ec5f Add signature directory as option on libalpm handle
This will serve as the home directory we pass to GPGME when making calls so
we can have a libalpm-utilized keyring.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:16:29 -05:00
Dan McGee
39ce9b3afc Actually read PGPSIG field in sync DB code
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 03:07:08 -05:00
Dan McGee
f7b577dc77 Merge branch 'gpg-libalpm-basics' 2011-03-23 02:34:51 -05:00
Dan McGee
cedc633757 Add a few pactests for PGP integration
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:33:07 -05:00
Dan McGee
8584c25903 Remove libfetch error code
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:29:35 -05:00
Dan McGee
88746ec067 Read in .sig files when opening a package file
If a .sig file sits side-by-side on the filesystem with a package archive,
read it in during the package struct creation process so we can verify it at
a later time if necessary.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 02:22:00 -05:00
Dan McGee
39da0198cd Add PGP signature support to pactest
Allow pkg.pgpsig to end up in the created sync databases.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:22:00 -05:00
Dan McGee
60159c2e77 Allow PGP signature to be read from sync database
Add a new field to the package struct to hold PGP information and
instruct db_read to pick it up from the database. It is currently unused
internally but this is the first step.

Due to the fact that we store the PGP sig as binary data, we need to store
both the data and the length so we have a small utility struct to assist us.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 02:22:00 -05:00
Dan McGee
9f2a3023f8 Add base64 algorithms from PolarSSL to libalpm
We will need these for GPG functionality (decoding the base64 encoded
signature stored in the databases).

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 02:22:00 -05:00
Dan McGee
0908533127 Merge branch 'gpg-build-tools' 2011-03-23 02:18:57 -05:00
Dan McGee
a31d091fb3 repo-add: add sha256sum values to repo database
Implements FS#23103. Also modify libalpm so it ignores this value
without any warning as we know it is likely to exist.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:18:48 -05:00
Dan McGee
36747e4a7f Merge branch 'gpg-pacman-key' 2011-03-23 02:17:58 -05:00
Dan McGee
3df49acb30 Merge branch 'maint' 2011-03-23 02:16:13 -05:00
Dan McGee
115bf1bf9f Bump version to 3.5.1
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:13:49 -05:00
Dan McGee
87fbbdc649 Updated 3.5.1 translations from Transifex
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:12:36 -05:00
Slobodan Terzić
02945ca7ad Add new Serbian translation from Transifex
Thanks!

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:12:21 -05:00
Dan McGee
c46f21af0a 3.5.1 NEWS updates
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:07:47 -05:00
Dan McGee
7d899910c5 Documentation consistency fixes
Fix the way we were referring to paths (use ``), .pac* extensions (use
''), and other general things across our main manpages.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:07:47 -05:00
Dan McGee
5eca2fbdf1 Fix documentation typo in makepkg.8
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 02:07:47 -05:00
Dan McGee
b625d03dd6 pacman-key manpage updates
Make consistent in formatting, syntax, and prose with the rest of our
documentation.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 01:59:43 -05:00
Dan McGee
964e8c5bf2 pacman-key help, round three
Make it actually like all our other tools rather than some homegrown
format. Also make it translator friendly by not wrapping messages across
lines in different strings.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 01:59:42 -05:00
Guillaume Alaux
482da2eceb Add man-page for pacman-key
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 01:59:42 -05:00
Allan McRae
5a89a12aa0 pacman-key: improve usage output
Make the usage output display nicely on 80 character width terminals.

Also fix parsing of "-h" and "-v" options and avoid root check when
run with no commands.

Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 01:59:42 -05:00
Denis A. Altoé Falqueto
422925a65e pacman-key: remake of --reload command
The --reload command was refactored to allow a more flexible management.
There are two sets of keys that will be added, one that will be
removed and one that will be kept.

The set of keys to be kept are configured in pacman.conf, with the
option HoldKeys, with the same meaning of HoldPkgs. It can be repeated
and several values can be put in the same entry.

The new behavior allows a key to be marked for removal, but the user
can decide if that key must be kept. For example, if a developer has
a public repository, signed with his own key, that key must be added
to the HoldKeys option. If the key is marked for removal from pacman's
keyring, it will not be removed for the users that have configured
HoldKeys correctly.

There are other minor fixes, mainly in the handling of --add command
when there is no aditional parameter. In that case, pacman-key will
behave just like gpg, adding the contents of stdin into pacman's keyring.

Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto@gmail.com>
2011-03-23 01:59:42 -05:00
Denis A. Altoé Falqueto
ae20f88202 pacman-key: keyring management tool
The script pacman-key will manage pacman's keyring. It imports, exports,
fetches from keyservers, helps in the process of trusting and updates
the trust database.

Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 01:59:42 -05:00
Allan McRae
93591d428f repo-add: add symlink to signature file
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23 00:26:54 -05:00
Dan McGee
f0f8319769 repo-add: Fix up usage with GPG options
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 00:26:54 -05:00
Dan McGee
38f94da47d repo-add: add -v/--verify option
This is intended to verify an existing signature on a database before
making further changes to it and performing updates. Rarely would you
use this without immediately resigning it via the -s/--sign option.
Instead, it is intended as a "chain of trust" operation where the
previous signature is verified to give you some sense that what you sign
off on is also safe.

Still todo: don't make changes unless the signature is not only good,
but also in the accepted list of keys.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 00:26:54 -05:00
Dan McGee
a4120f2015 repo-add: allow signing of the package database
In order to be fully secure, we can't only sign packages. We also need
to sign our repository metadata to prevent database falsification,
dependency injection, etc. Add an '-s/--sign' option that allows this
functionality, and will generate a .sig file side-by-side with the
package database.

While at it, fix the issue where a signature file would never be found
because of 'cd' madness (this needs fixing in another commit).

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 00:26:54 -05:00
Geoffroy Carrier
8fde399fe6 Add PGPSIG field in repo-add
Use base64 encoding to store the value in the database if a .sig file exists
for the package being added.

Signed-off-by: Geoffroy Carrier <geoffroy.carrier@koon.fr>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23 00:26:54 -05:00
Allan McRae
2f2f53ddc9 makepkg: place signature symlink in build dir
Be consistent in package and signature placements when using
PKGDEST.

Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-22 23:52:00 -05:00
Dan McGee
82e22596d8 makepkg: allow signatures to work with split packages
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-22 23:52:00 -05:00
Geoffroy Carrier
ee34869e89 Add GPG signature support to makepkg
This is a rather simple patch to add signing support to makepkg. Add a
create_signature() to makepkg, add a 'sign' BUILDENV option in makepkg.conf,
and document the changes in the makepkg.conf manpage.

Signed-off-by: Geoffroy Carrier <geoffroy.carrier@koon.fr>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-22 23:52:00 -05:00
Dan McGee
7b60a639d1 Minor code cleanups
Wrap lines of long length, noticed while creating and messing around
with some of the other maint branch patches.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 09:02:03 -05:00
Dan McGee
110eb314f0 Ensure package removal list does not contain duplicates
Noticed with the openoffice/libreoffice replacement scheme where many
packages are listed as replacements to one package, thus electing it for
removal multiple times. Ensure a given package is not already present
before placing it in the removal list.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 08:59:59 -05:00
Dan McGee
834ba4da93 Fix line_offset not being reset in _alpm_archive_fgets()
This is a rather serious data corruption issue that luckily manifested
itself today in a noticable way. A package in testing had replaces
entries read in as ["%RE pkgname", "%RE"] which was clearly wrong. This
happens when we hit the end of an archive block, do not have a newline,
and have to continue reading from the next block to complete the line.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 08:52:24 -05:00
Dan McGee
0ff52b6845 Merge branch 'maint'
Conflicts due to change in return calling style.

Conflicts:
	src/pacman/pacman.c
	src/pacman/sync.c
2011-03-21 07:53:13 -05:00
Lukas Fleischer
c67c864ffd Don't initialize progress to zero before calling curl_easy_perform().
Drawing progress bars before calling curl_easy_perform() is needless as
the curl progress callback is called with zero progress before actually
downloading the file anyways. Fixes display of "0%" progress bars when
sync'ing package databases that are already up to date.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:51:27 -05:00
Dan McGee
488f341f57 Ensure dlcb is defined before calling it
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:50:31 -05:00
Allan McRae
b0bb4f9024 Do not query group selection when using -Sp
Remove unnecessary output when using -Sp.  Fixes FS#23340.

Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:43:55 -05:00
Allan McRae
9cab9807e0 Some more zsh completion tidy up
Changes for consistency across functions

Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:40:49 -05:00
Allan McRae
c3e72e11b6 Fix zsh completion
Fixes completion for "pacman -S <tab>" and "pacman -S repo/<tab>"

Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:40:27 -05:00
Dan McGee
fd3acff5e6 Restore --debug/--verbose output without a primary operation
This is by no means a guarantee of this behavior remaining the same in
the future, but it is easy enough to do what we used to in this case by
delaying any sort of error condition until after we are completely done
parsing options. Addresses FS#23370.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-21 07:40:13 -05:00