1
0
mirror of https://github.com/moparisthebest/pacman synced 2024-11-10 11:35:00 -05:00
Commit Graph

71 Commits

Author SHA1 Message Date
Florian Pritz
f7558856b1 signing.c: warn if time went backwards
GPG signatures have a timestamp which is checked and if it's in the
future, verification will fail.

Dan: slight wording change.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
2012-09-18 08:35:53 -05:00
Dan McGee
ded66fbb62 Fix issues with unintialized variable value usage
Detected by clang scan-build static code analyzer.

* Don't attempt to free an uninitialized gpgme key variable
* Initialize answer variable before asking frontend a question
* Pass by reference instead of value if uninitialized fields are
  possible in download signal handler code
* Ensure we never call strlen() on NULL payload->remote_name value

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-04-09 00:46:54 -05:00
Dave Reisner
be0e044404 signing: cope with gpg2's failure at life
For key searches only, gpg2 will fail to lookup any and all keys that
are not prefixed with 0x.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2012-03-28 09:55:14 -05:00
Dan McGee
562109c0e8 Update copyright on changed files since beginning of year
Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-18 22:25:27 -06:00
Dan McGee
def9e45aff Search for PGP subkeys in a keyserver-acceptable way
PGP keyservers are pieces of sh** when it comes to searching for
subkeys, and only allow it if you submit an 8-character fingerprint
rather than the recommended and less chance of collision 16-character
fingerprint.

Add a second remote lookup for the 8-character version of a key ID if we
don't find anything the first time we look up the key. This fixes
FS#27612 and the deficiency has been sent upstream to the GnuPG users
mailing list as well.

Signed-off-by: Dan McGee <dan@archlinux.org>
2012-01-05 16:34:51 -06:00
Dan McGee
bac670ddc9 Show an error message on failed remote key lookup
The absolutely terrible part about this is the failure on GPGME's part
to distinguish between "key not found" and "keyserver timeout". Instead,
it returns the same silly GPG_ERR_EOF in both cases (why isn't
GPG_ERR_TIMEOUT being used?), leaving us helpless to tell them apart.

Spit out a generic enough error message that covers both cases;
unfortunately we can't provide much guidance to the user because we
aren't sure what actually happened.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-17 09:38:35 -05:00
Dan McGee
12642a299b Add user-visible warning message if public keyring not found
This should help point users in the right direction if they have not
initialized via pacman-key just yet.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-12 17:54:08 -05:00
Dan McGee
2a18171afa signing: delay gpgme_init() until latest possible moment
In the default configuration, we can enter the signing code but still
have nothing to do with GPGME- for example, if database signatures are
optional but none are present. Delay initialization of GPGME until we
know there is a signature file present or we were passed base64-encoded
data.

This also makes debugging with valgrind a lot easier as you don't have
to deal with all the GPGME error noise because their code leaks like a
sieve.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-12 14:20:47 -05:00
Dan McGee
fa929e8258 Fix compilation using --without-gpgme
I'm really good at breaking this on a regular basis. If only we had some
sort of automated testing for this...

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-27 09:15:36 -05:00
Dan McGee
b242b2d050 Remove unnecessary logger
This is just a wrapper function; the real function we call logs an
almost identical line.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-27 09:08:01 -05:00
Dan McGee
2517ba3303 Update Doxyfile and fix some documentation errors caught by Doxygen
A few parameters were outdated or wrongly named, and a few things were
explicitly linked that Doxygen wasn't able to resolve.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:37:36 -05:00
Dan McGee
1e0ed133f4 Handle key import errors correctly and with good error messages
This adds calls to gpgme_op_import_result() which we were not looking at
before to ensure the key was actually imported. Additionally, we do some
preemptive checks to ensure the keyring is even writable if we are going
to prompt the user to add things to it.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:01:10 -05:00
Dan McGee
907e8af5be signing: be consistent with returning -1 for error cases
This also fixes a segfault found by dave when key_search is
unsuccessful; the key_search return code documentation has also been
updated to reflect reality.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 16:01:05 -05:00
Dan McGee
6767de5380 Add status and check for key being disabled
Because we aren't using gpgv and a dedicated keyring that is known to be
all safe, we should honor this flag being set on a given key in the
keyring to know to not honor it. This prevents a key from being
reimported that a user does not want to be used- instead of deleting,
one should mark it as disabled.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:14:35 -05:00
Dan McGee
765178c5ba Implement PGP key search and import
Add two new static methods, key_search() and key_import(), to our
growing list of signing code.

If we come across a key we do not have, attempt to look it up remotely
and ask the user if they wish to import said key. If they do, flag the
validation process as a potential 'retry', meaning it might succeed the
next time it is ran.

These depend on you having a 'keyserver hkp://foo.example.com' line in
your gpg.conf file in your gnupg home directory to function.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:14:31 -05:00
Dan McGee
0ef7129a4a signing: document most undocumented functions
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 11:06:03 -05:00
Dan McGee
5e7875ae6a Fix possible segfault if siglist was empty
If siglist->results wasn't a NULL pointer, we would try to free it
anyway, even if siglist->count was zero. Only attempt to free this
pointer if we had results and the pointer is valid.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-22 10:31:28 -05:00
Dan McGee
ec790ced7c signing: add a process and retry loop for database signatures
In reality, there is no retrying that happens as of now because we don't
have any import or changing of the keyring going on, but the code is set
up so we can drop this in our new _alpm_process_siglist() function. Wire
up the basics to the sync database validation code, so we see something
like the following:

    $ pacman -Ss unknowntrust
    error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust
    error: core: signature from "Dan McGee <dpmcgee@gmail.com>" is unknown trust
    error: database 'core' is not valid (invalid or corrupted database (PGP signature))

    $ pacman -Ss missingsig
    error: core: missing required signature
    error: core: missing required signature
    error: database 'core' is not valid (invalid or corrupted database (PGP signature))

Yes, there is some double output, but this should be fixable in the
future.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-20 10:23:11 -05:00
Dan McGee
994cb4da4f Allow our PGP helper method to pass back the signature results
This will make its way up the call chain eventually to allow trusting
and importing of keys as necessary.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-20 10:23:11 -05:00
Dan McGee
a7d7798032 Fix build without gpgme
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-18 15:34:28 -05:00
Dan McGee
7ea1ea88bb More package operations cleanup
Neither deltas nor filename attributes are ever present in the local
database, so we can remove all of the indirection for accessing these
attributes.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-09-02 22:07:06 -05:00
Dan McGee
c7e4005e5c Add more info to debug key display
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:52:10 -05:00
Dan McGee
de43d00db0 Refactor signature result return format
I was trying to take a shortcut and not introduce a wrapper struct for
the signature results, so packed it all into alpm_sigresult_t in the
first iteration. However, this is painful when one wants to add new
fields or only return information regarding a single signature.

Refactor the type into a few components which are exposed to the end
user, and will allow a lot more future flexibility. This also exposes
more information regarding the key to the frontend than was previously
available.

The "private" void *data pointer is used by the library to store the
actual key object returned by gpgme; it is typed this way so the
frontend has no expectations of what is there, and so we don't have any
hard gpgme requirement in our public API.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:51:54 -05:00
Diogo Sousa
12387ca4e5 lib/libalpm/signing.c: Fix memory leak in decode_signature() in case of error.
Signed-off-by: Diogo Sousa <diogogsousa@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-28 19:50:22 -05:00
Dan McGee
5a07b75b22 Always process validity value returned by gpgme
Don't force 'never'; you should be checking both the status and validity
anyway.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 17:41:47 -05:00
Dan McGee
be72e10015 Fix small memory leak in sig check code
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 17:41:27 -05:00
Dan McGee
e1dce078b2 Remove argument from check_pgp_helper
This one wasn't all that necessary as we only used it in one place in
the function, which can be checked easily enough at the call site.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-25 16:12:49 -05:00
Dan McGee
d9e5dab6ac Remove alpm_option_get_* usage from backend
These are all available directly on the handle without indirection.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-19 19:12:21 -05:00
Dan McGee
b952a3b08c Fix compilation using --without-gpgme
This function is used regardless of whether gpgme support is enabled, so
make sure it is always accessible.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-16 19:51:21 -05:00
Dan McGee
11f4a7a48e Only check necessary signatures and checksums
The precedence goes as follows: signature > sha256sum > md5sum

Add some logic and helper methods to check what we have available when
loading a package, and then only check what is necessary to verify the
package. This should speed up sync database verifies as we no longer
will be doing both a checksum and a signature validation.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 15:15:11 -05:00
Dan McGee
fa4aad5b50 decode_signature: guess signature data length for efficiency
We may end up allocating 1 or 2 extra bytes this way, but it is worth it
to simplify the method and not have to call base64_decode() a second
time. Use the hueristic that base64 encoding produces 3 bytes of decoded
data for every 4 bytes of encoded data.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 12:11:59 -05:00
Dan McGee
83f076d3a8 Update base64 PolarSSL code
Also adjust our code using it for the size_t adjustments made by
upstream.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15 06:24:49 -05:00
Dan McGee
66d9995711 Revamp signing checks
This ensures we are actually making correct use of the information gpgme
is returning to us. Marginal being allowed was obvious before, but
Unknown should deal with trust level, and not the presence or lack
thereof of a public key to validate the signature with.

Return status and validity information in two separate values so check
methods and the frontend can use them independently. For now, we treat
expired keys as valid, while expired signatures are invalid.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-28 18:46:52 -05:00
Florian Pritz
dad96ccce2 replace access() calls for debug info where applicable
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:44:28 -05:00
Florian Pritz
89c070b263 signing.c: check if needed files are readable
If we can't read the keyring, gpgme will output confusing debug
information and fail to verify the signature, so we should log some
debug information.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:44:07 -05:00
Allan McRae
c0fe1743e5 Fix compilation without gpgme
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18 10:36:41 -05:00
Dan McGee
07502f2d82 Allow frontend access to signature verification information
Show output in -Qip for each package signature, which includes the UID
string from the key ("Joe User <joe@example.com>") and the validity of
said key. Example output:

Signatures     : Valid signature from "Dan McGee <dpmcgee@gmail.com>"
                 Unknown signature from "<Key Unknown>"
                 Invalid signature from "Dan McGee <dpmcgee@gmail.com>"

Also add a backend alpm_sigresult_cleanup() function since memory
allocation took place on this object, and we need some way of freeing
it.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Dan McGee
e8443b1685 Correctly check the GPG error codes
The error code is in fact a bitmask value of an error code and an error
source, so use the proper function to get only the relevant bits. For
the no error case, this shouldn't ever matter, but it bit me when I was
trying to compare the error code to other values and wondered why it
wasn't working, so set a good example.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Dan McGee
7af0ab1cde signing: move to new signing verification and return scheme
This gives us more granularity than the former Never/Optional/Always
trifecta. The frontend still uses these values temporarily but that will
be changed in a future patch.

* Use 'siglevel' consistenly in method names, 'level' as variable name
* The level becomes an enum bitmask value for flexibility
* Signature check methods now return a array of status codes rather than
  a simple integer success/failure value. This allows callers to
  determine whether things such as an unknown signature are valid.
* Specific signature error codes mostly disappear in favor of the above
  returned status code; pm_errno is now set only to PKG_INVALID_SIG or
  DB_INVALID_SIG as appropriate.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05 10:13:20 -05:00
Allan McRae
afc96f2ab3 Prefix _alpm_errno_t members with ALPM
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-07-02 02:01:39 +10:00
Allan McRae
ca43fdd92f Prefix alpm_loglevel_t members with ALPM
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-07-02 02:01:38 +10:00
Dan McGee
cf1401a04d signing: check validity of all available signatures
Change the check into a loop over all signatures present and returned by
GPGME. Also modify the return values and checks slightly now that I know
a little bit more about what type of values are returned.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-30 17:25:53 -05:00
Dan McGee
23a2d2c16a Make alpm_db_get_sigverify_level() public
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-30 16:16:41 -05:00
Allan McRae
8a04bc25a1 Rename pmpkg_t to alpm_pkg_t
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-28 23:26:39 +10:00
Allan McRae
939d5a9511 Rename pmdb_t to alpm_db_t
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-28 14:16:12 +10:00
Allan McRae
64c1cf7921 Rename pmhandle_t to alpm_handle_t
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-28 14:04:00 +10:00
Dan McGee
1cd6515af0 API: change 'signaturedir' to 'gpgdir'
This is more in line with reality and what we have our makepkg, etc.
options named anyway.

Original-patch-by: Kerrick Staley <mail@kerrickstaley.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-15 12:02:29 -05:00
Dan McGee
2f5f157274 Rename and rework signing helper methods
* Don't name static methods with a gpgme_ prefix to avoid confusion with
  methods provided by the library. These are static and local to our
  file so just give them sane non-prefixed names.
* Rework sigsum_test_bit() to not require assignment.
* Don't balk if there is more than one signature available (for now,
  only check the first).
* Fix error codes in publicly visible methods to return -1, not 0, if pkg
  or db are not provided.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-14 10:18:43 -05:00
Dan McGee
ee015f086f Ensure handle is valid and pm_errno is reset when calling into API
We didn't do due diligence before and ensure prior pm_errno values
weren't influencing what happened in further ALPM calls. I observed one
case of early setup code setting pm_errno to PM_ERR_WRONG_ARGS and that
flag persisting the entire time we were calling library code.

Add a new CHECK_HANDLE() macro that does two things: 1) ensures the
handle variable passed to it is non-NULL and 2) clears any existing
pm_errno flag set on the handle. This macro can replace many places we
used the ASSERT(handle != NULL, ...) pattern before.

Several other other places only need a simple 'set to zero' of the
pm_errno field.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-14 10:01:08 -05:00
Dan McGee
52bffd2457 Switch all logging to use handle directly
This is the last user of our global handle object. Once again the diff
is large but the functional changes are not.

Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-13 19:41:16 -05:00