mirror of https://github.com/moparisthebest/pacman synced 2024-11-17 23:05:00 -05:00
Commit Graph

80 Commits

Author SHA1 Message Date
Dan McGee
369c5aa7dd Merge branch 'maint' 2012-09-18 08:36:10 -05:00
Florian Pritz
f7558856b1 signing.c: warn if time went backwards
GPG signatures have a timestamp which is checked and if it's in the
future, verification will fail.

Dan: slight wording change.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
2012-09-18 08:35:53 -05:00
Dan McGee
d7b728591a Merge branch 'maint' 2012-04-12 08:57:26 -05:00
Dan McGee
ded66fbb62 Fix issues with uninitialized variable value usage
Detected by clang scan-build static code analyzer.

* Don't attempt to free an uninitialized gpgme key variable
* Initialize answer variable before asking frontend a question
* Pass by reference instead of value if uninitialized fields are
  possible in download signal handler code
* Ensure we never call strlen() on NULL payload->remote_name value

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-04-09 00:46:54 -05:00
Dan McGee
4ca6590af5 Merge branch 'maint'
Conflicts:
	lib/libalpm/signing.c
	lib/libalpm/sync.c
2012-04-07 11:23:55 -05:00
Dave Reisner
be0e044404 signing: cope with gpg2's failure at life
For key searches only, gpg2 will fail to lookup any and all keys that
are not prefixed with 0x.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2012-03-28 09:55:14 -05:00
Dan McGee
e50c4a8837 Merge branch 'maint'
Conflicts:
	lib/libalpm/diskspace.c
	src/pacman/util.h
2012-01-23 12:20:52 -06:00
Dan McGee
562109c0e8 Update copyright on changed files since beginning of year
Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-18 22:25:27 -06:00
Dan McGee
6e8ca48cbb Reorder some operations in sig check for efficiency
We don't need to open the data to be checked if we don't have a
signature to check against, so postpone that open until we know we have
either the base64_data or a valid signature file.

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-12 09:31:09 -06:00
Dan McGee
4f02b98338 Merge branch 'maint'
Conflicts:
	lib/libalpm/signing.c

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-08 12:14:04 -06:00
Dan McGee
def9e45aff Search for PGP subkeys in a keyserver-acceptable way
PGP keyservers are pieces of sh** when it comes to searching for
subkeys, and only allow it if you submit an 8-character fingerprint
rather than the recommended and less chance of collision 16-character
fingerprint.

Add a second remote lookup for the 8-character version of a key ID if we
don't find anything the first time we look up the key. This fixes
FS#27612 and the deficiency has been sent upstream to the GnuPG users
mailing list as well.

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-05 16:34:51 -06:00
Dave Reisner
d6ccd44390 include config.h via Makefiles
Ensures that config.h is always ordered correctly (first) in the
includes. Also means that new source files get this for free without
having to remember to add it.

We opt for -imacros over -include as it's more portable, and the
added constraint by -imacros doesn't bother us for config.h.

This also touches the HACKING file to remove the explicit mention of
config.h as part of the includes.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-12-21 18:13:17 -06:00
Florian Pritz
2141b7112d add key algo to import msg
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-11-20 21:40:19 -06:00
Florian Pritz
2f96067fe7 change gpg import message to resemble gpg --list-keys
Dan: const pointers, don't worry about bitfields.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-11-20 21:39:33 -06:00
Dan McGee
bac670ddc9 Show an error message on failed remote key lookup
The absolutely terrible part about this is the failure on GPGME's part
to distinguish between "key not found" and "keyserver timeout". Instead,
it returns the same silly GPG_ERR_EOF in both cases (why isn't
GPG_ERR_TIMEOUT being used?), leaving us helpless to tell them apart.

Spit out a generic enough error message that covers both cases;
unfortunately we can't provide much guidance to the user because we
aren't sure what actually happened.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-17 09:38:35 -05:00
Dan McGee
12642a299b Add user-visible warning message if public keyring not found
This should help point users in the right direction if they have not
initialized via pacman-key just yet.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-12 17:54:08 -05:00
Dan McGee
2a18171afa signing: delay gpgme_init() until latest possible moment
In the default configuration, we can enter the signing code but still
have nothing to do with GPGME- for example, if database signatures are
optional but none are present. Delay initialization of GPGME until we
know there is a signature file present or we were passed base64-encoded
data.

This also makes debugging with valgrind a lot easier as you don't have
to deal with all the GPGME error noise because their code leaks like a
sieve.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-12 14:20:47 -05:00
Dan McGee
fa929e8258 Fix compilation using --without-gpgme
I'm really good at breaking this on a regular basis. If only we had some
sort of automated testing for this...

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-27 09:15:36 -05:00
Dan McGee
b242b2d050 Remove unnecessary logger
This is just a wrapper function; the real function we call logs an
almost identical line.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-27 09:08:01 -05:00
Dan McGee
2517ba3303 Update Doxyfile and fix some documentation errors caught by Doxygen
A few parameters were outdated or wrongly named, and a few things were
explicitly linked that Doxygen wasn't able to resolve.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:37:36 -05:00
Dan McGee
1e0ed133f4 Handle key import errors correctly and with good error messages
This adds calls to gpgme_op_import_result() which we were not looking at
before to ensure the key was actually imported. Additionally, we do some
preemptive checks to ensure the keyring is even writable if we are going
to prompt the user to add things to it.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:01:10 -05:00
Dan McGee
907e8af5be signing: be consistent with returning -1 for error cases
This also fixes a segfault found by dave when key_search is
unsuccessful; the key_search return code documentation has also been
updated to reflect reality.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:01:05 -05:00
Dan McGee
6767de5380 Add status and check for key being disabled
Because we aren't using gpgv and a dedicated keyring that is known to be
all safe, we should honor this flag being set on a given key in the
keyring to know to not honor it. This prevents a key from being
reimported that a user does not want to be used- instead of deleting,
one should mark it as disabled.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:14:35 -05:00
Dan McGee
765178c5ba Implement PGP key search and import
Add two new static methods, key_search() and key_import(), to our
growing list of signing code.

If we come across a key we do not have, attempt to look it up remotely
and ask the user if they wish to import said key. If they do, flag the
validation process as a potential 'retry', meaning it might succeed the
next time it is run.

These depend on you having a 'keyserver hkp://foo.example.com' line in
your gpg.conf file in your gnupg home directory to function.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:14:31 -05:00
Dan McGee
0ef7129a4a signing: document most undocumented functions
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:06:03 -05:00
Dan McGee
5e7875ae6a Fix possible segfault if siglist was empty
If siglist->results wasn't a NULL pointer, we would try to free it
anyway, even if siglist->count was zero. Only attempt to free this
pointer if we had results and the pointer is valid.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 10:31:28 -05:00
Dan McGee
ec790ced7c signing: add a process and retry loop for database signatures
In reality, there is no retrying that happens as of now because we don't
have any import or changing of the keyring going on, but the code is set
up so we can drop this in our new _alpm_process_siglist() function. Wire
up the basics to the sync database validation code, so we see something
like the following:

    $ pacman -Ss unknowntrust
    error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust
    error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust
    error: database 'core' is not valid (invalid or corrupted database (PGP signature))

    $ pacman -Ss missingsig
    error: core: missing required signature
    error: core: missing required signature
    error: database 'core' is not valid (invalid or corrupted database (PGP signature))

Yes, there is some double output, but this should be fixable in the
future.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-20 10:23:11 -05:00
Dan McGee
994cb4da4f Allow our PGP helper method to pass back the signature results
This will make its way up the call chain eventually to allow trusting
and importing of keys as necessary.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-20 10:23:11 -05:00
Dan McGee
a7d7798032 Fix build without gpgme
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-18 15:34:28 -05:00
Dan McGee
7ea1ea88bb More package operations cleanup
Neither deltas nor filename attributes are ever present in the local
database, so we can remove all of the indirection for accessing these
attributes.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-02 22:07:06 -05:00
Dan McGee
c7e4005e5c Add more info to debug key display
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:52:10 -05:00
Dan McGee
de43d00db0 Refactor signature result return format
I was trying to take a shortcut and not introduce a wrapper struct for
the signature results, so packed it all into alpm_sigresult_t in the
first iteration. However, this is painful when one wants to add new
fields or only return information regarding a single signature.

Refactor the type into a few components which are exposed to the end
user, and will allow a lot more future flexibility. This also exposes
more information regarding the key to the frontend than was previously
available.

The "private" void *data pointer is used by the library to store the
actual key object returned by gpgme; it is typed this way so the
frontend has no expectations of what is there, and so we don't have any
hard gpgme requirement in our public API.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:51:54 -05:00
Diogo Sousa
12387ca4e5 lib/libalpm/signing.c: Fix memory leak in decode_signature() in case of error.
Signed-off-by: Diogo Sousa <diogogsousa@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:50:22 -05:00
Dan McGee
5a07b75b22 Always process validity value returned by gpgme
Don't force 'never'; you should be checking both the status and validity
anyway.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 17:41:47 -05:00
Dan McGee
be72e10015 Fix small memory leak in sig check code
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 17:41:27 -05:00
Dan McGee
e1dce078b2 Remove argument from check_pgp_helper
This one wasn't all that necessary as we only used it in one place in
the function, which can be checked easily enough at the call site.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 16:12:49 -05:00
Dan McGee
d9e5dab6ac Remove alpm_option_get_* usage from backend
These are all available directly on the handle without indirection.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-19 19:12:21 -05:00
Dan McGee
b952a3b08c Fix compilation using --without-gpgme
This function is used regardless of whether gpgme support is enabled, so
make sure it is always accessible.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-16 19:51:21 -05:00
Dan McGee
11f4a7a48e Only check necessary signatures and checksums
The precedence goes as follows: signature > sha256sum > md5sum

Add some logic and helper methods to check what we have available when
loading a package, and then only check what is necessary to verify the
package. This should speed up sync database verifies as we no longer
will be doing both a checksum and a signature validation.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 15:15:11 -05:00
Dan McGee
fa4aad5b50 decode_signature: guess signature data length for efficiency
We may end up allocating 1 or 2 extra bytes this way, but it is worth it
to simplify the method and not have to call base64_decode() a second
time. Use the heuristic that base64 encoding produces 3 bytes of decoded
data for every 4 bytes of encoded data.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 12:11:59 -05:00
Dan McGee
83f076d3a8 Update base64 PolarSSL code
Also adjust our code using it for the size_t adjustments made by
upstream.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 06:24:49 -05:00
Dan McGee
66d9995711 Revamp signing checks
This ensures we are actually making correct use of the information gpgme
is returning to us. Marginal being allowed was obvious before, but
Unknown should deal with trust level, and not the presence or lack
thereof of a public key to validate the signature with.

Return status and validity information in two separate values so check
methods and the frontend can use them independently. For now, we treat
expired keys as valid, while expired signatures are invalid.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-28 18:46:52 -05:00
Florian Pritz
dad96ccce2 replace access() calls for debug info where applicable
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:44:28 -05:00
Florian Pritz
89c070b263 signing.c: check if needed files are readable
If we can't read the keyring, gpgme will output confusing debug
information and fail to verify the signature, so we should log some
debug information.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:44:07 -05:00
Allan McRae
c0fe1743e5 Fix compilation without gpgme
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:36:41 -05:00
Dan McGee
07502f2d82 Allow frontend access to signature verification information
Show output in -Qip for each package signature, which includes the UID
string from the key ("Joe User <joe@example.com>") and the validity of
said key. Example output:

Signatures     : Valid signature from "Dan McGee <dpmcgee@gmail.com>"
                 Unknown signature from "<Key Unknown>"
                 Invalid signature from "Dan McGee <dpmcgee@gmail.com>"

Also add a backend alpm_sigresult_cleanup() function since memory
allocation took place on this object, and we need some way of freeing
it.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Dan McGee
e8443b1685 Correctly check the GPG error codes
The error code is in fact a bitmask value of an error code and an error
source, so use the proper function to get only the relevant bits. For
the no error case, this shouldn't ever matter, but it bit me when I was
trying to compare the error code to other values and wondered why it
wasn't working, so set a good example.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Dan McGee
7af0ab1cde signing: move to new signing verification and return scheme
This gives us more granularity than the former Never/Optional/Always
trifecta. The frontend still uses these values temporarily but that will
be changed in a future patch.

* Use 'siglevel' consistently in method names, 'level' as variable name
* The level becomes an enum bitmask value for flexibility
* Signature check methods now return an array of status codes rather than
  a simple integer success/failure value. This allows callers to
  determine whether things such as an unknown signature are valid.
* Specific signature error codes mostly disappear in favor of the above
  returned status code; pm_errno is now set only to PKG_INVALID_SIG or
  DB_INVALID_SIG as appropriate.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Allan McRae
afc96f2ab3 Prefix _alpm_errno_t members with ALPM
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-07-02 02:01:39 +10:00
Allan McRae
ca43fdd92f Prefix alpm_loglevel_t members with ALPM
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-07-02 02:01:38 +10:00