[ostree] repo: Change GPG verification policy
- From: Matthew Barnes <mbarnes src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [ostree] repo: Change GPG verification policy
- Date: Wed, 10 Jun 2015 16:31:29 +0000 (UTC)
commit 9f1b50d41c2704653f78735bc678f80bbe192a63
Author: Matthew Barnes <mbarnes redhat com>
Date: Fri Jun 5 12:45:41 2015 -0400
repo: Change GPG verification policy
The global keyring directory (trusted.gpg.d) is deprecated. Only use it
when a specified remote does NOT have its own keyring, or when verifying
local repository objects.
Note, because mixing in the global keyring directory is now an explicit
choice, OstreeGpgVerifier no longer needs to implement GInitableIface.
src/libostree/ostree-gpg-verifier.c | 78 ++++++++++++++++-------------------
src/libostree/ostree-gpg-verifier.h | 7 ++-
src/libostree/ostree-repo.c | 21 +++++++---
3 files changed, 55 insertions(+), 51 deletions(-)
---
diff --git a/src/libostree/ostree-gpg-verifier.c b/src/libostree/ostree-gpg-verifier.c
index cb6d8f5..eda69dc 100644
--- a/src/libostree/ostree-gpg-verifier.c
+++ b/src/libostree/ostree-gpg-verifier.c
@@ -40,10 +40,7 @@ struct OstreeGpgVerifier {
GList *keyrings;
};
-static void _ostree_gpg_verifier_initable_iface_init (GInitableIface *iface);
-
-G_DEFINE_TYPE_WITH_CODE (OstreeGpgVerifier, _ostree_gpg_verifier, G_TYPE_OBJECT,
- G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, _ostree_gpg_verifier_initable_iface_init))
+G_DEFINE_TYPE (OstreeGpgVerifier, _ostree_gpg_verifier, G_TYPE_OBJECT)
static void
ostree_gpg_verifier_finalize (GObject *object)
@@ -71,42 +68,6 @@ _ostree_gpg_verifier_init (OstreeGpgVerifier *self)
{
}
-static gboolean
-ostree_gpg_verifier_initable_init (GInitable *initable,
- GCancellable *cancellable,
- GError **error)
-{
- gboolean ret = FALSE;
- OstreeGpgVerifier *self = (OstreeGpgVerifier*)initable;
- const char *default_keyring_path = g_getenv ("OSTREE_GPG_HOME");
- g_autoptr(GFile) default_keyring_dir = NULL;
-
- if (!default_keyring_path)
- default_keyring_path = DATADIR "/ostree/trusted.gpg.d/";
-
- if (g_file_test (default_keyring_path, G_FILE_TEST_IS_DIR))
- {
- default_keyring_dir = g_file_new_for_path (default_keyring_path);
- if (!_ostree_gpg_verifier_add_keyring_dir (self, default_keyring_dir,
- cancellable, error))
- {
- g_prefix_error (error, "Reading keyring directory '%s'",
- gs_file_get_path_cached (default_keyring_dir));
- goto out;
- }
- }
-
- ret = TRUE;
- out:
- return ret;
-}
-
-static void
-_ostree_gpg_verifier_initable_iface_init (GInitableIface *iface)
-{
- iface->init = ostree_gpg_verifier_initable_init;
-}
-
static void
verify_result_finalized_cb (gpointer data,
GObject *finalized_verify_result)
@@ -323,9 +284,40 @@ _ostree_gpg_verifier_add_keyring_dir (OstreeGpgVerifier *self,
return ret;
}
+gboolean
+_ostree_gpg_verifier_add_global_keyring_dir (OstreeGpgVerifier *self,
+ GCancellable *cancellable,
+ GError **error)
+{
+ const char *global_keyring_path = g_getenv ("OSTREE_GPG_HOME");
+ g_autoptr(GFile) global_keyring_dir = NULL;
+ gboolean ret = FALSE;
+
+ g_return_val_if_fail (OSTREE_IS_GPG_VERIFIER (self), FALSE);
+
+ if (global_keyring_path == NULL)
+ global_keyring_path = DATADIR "/ostree/trusted.gpg.d/";
+
+ if (g_file_test (global_keyring_path, G_FILE_TEST_IS_DIR))
+ {
+ global_keyring_dir = g_file_new_for_path (global_keyring_path);
+ if (!_ostree_gpg_verifier_add_keyring_dir (self, global_keyring_dir,
+ cancellable, error))
+ {
+ g_prefix_error (error, "Reading keyring directory '%s'",
+ gs_file_get_path_cached (global_keyring_dir));
+ goto out;
+ }
+ }
+
+ ret = TRUE;
+
+out:
+ return ret;
+}
+
OstreeGpgVerifier*
-_ostree_gpg_verifier_new (GCancellable *cancellable,
- GError **error)
+_ostree_gpg_verifier_new (void)
{
- return g_initable_new (OSTREE_TYPE_GPG_VERIFIER, cancellable, error, NULL);
+ return g_object_new (OSTREE_TYPE_GPG_VERIFIER, NULL);
}
diff --git a/src/libostree/ostree-gpg-verifier.h b/src/libostree/ostree-gpg-verifier.h
index 54be424..209f734 100644
--- a/src/libostree/ostree-gpg-verifier.h
+++ b/src/libostree/ostree-gpg-verifier.h
@@ -37,8 +37,7 @@ typedef struct OstreeGpgVerifier OstreeGpgVerifier;
GType _ostree_gpg_verifier_get_type (void);
-OstreeGpgVerifier *_ostree_gpg_verifier_new (GCancellable *cancellable,
- GError **error);
+OstreeGpgVerifier *_ostree_gpg_verifier_new (void);
OstreeGpgVerifyResult *_ostree_gpg_verifier_check_signature (OstreeGpgVerifier *self,
GBytes *signed_data,
@@ -51,6 +50,10 @@ gboolean _ostree_gpg_verifier_add_keyring_dir (OstreeGpgVerifier *self,
GCancellable *cancellable,
GError **error);
+gboolean _ostree_gpg_verifier_add_global_keyring_dir (OstreeGpgVerifier *self,
+ GCancellable *cancellable,
+ GError **error);
+
void _ostree_gpg_verifier_add_keyring (OstreeGpgVerifier *self,
GFile *path);
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
index 762d426..734f392 100644
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@@ -3745,10 +3745,9 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GVariantIter iter;
GVariant *child;
g_autoptr (GBytes) signatures = NULL;
+ gboolean add_global_keyring_dir = TRUE;
- verifier = _ostree_gpg_verifier_new (cancellable, error);
- if (!verifier)
- goto out;
+ verifier = _ostree_gpg_verifier_new ();
if (remote_name == OSTREE_ALL_REMOTES)
{
@@ -3760,8 +3759,7 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
}
else if (remote_name != NULL)
{
- /* Add the remote's keyring file. OstreeGpgVerifier
- * will ignore it if the keyring file does not exist. */
+ /* Add the remote's keyring file if it exists. */
OstreeRemote *remote;
g_autoptr(GFile) file = NULL;
@@ -3772,11 +3770,22 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
file = g_file_get_child (self->repodir, remote->keyring);
- _ostree_gpg_verifier_add_keyring (verifier, file);
+ if (g_file_query_exists (file, cancellable))
+ {
+ _ostree_gpg_verifier_add_keyring (verifier, file);
+ add_global_keyring_dir = FALSE;
+ }
ost_remote_unref (remote);
}
+ if (add_global_keyring_dir)
+ {
+ /* Use the deprecated global keyring directory. */
+ if (!_ostree_gpg_verifier_add_global_keyring_dir (verifier, cancellable, error))
+ goto out;
+ }
+
if (keyringdir)
{
if (!_ostree_gpg_verifier_add_keyring_dir (verifier, keyringdir,
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
