[ostree] repo: Add remote's keyring during GPG verification
- From: Matthew Barnes <mbarnes src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [ostree] repo: Add remote's keyring during GPG verification
- Date: Wed, 13 May 2015 17:13:24 +0000 (UTC)
commit a9b87ebc18d7fe0648bc4626dbf350c0b18ba470
Author: Matthew Barnes <mbarnes redhat com>
Date: Fri May 1 15:38:08 2015 -0400
repo: Add remote's keyring during GPG verification
This is pretty ugly, but it at least avoids adding new public API.
src/libostree/ostree-repo-private.h | 10 +++
src/libostree/ostree-repo-pull.c | 14 ++--
src/libostree/ostree-repo.c | 132 +++++++++++++++++++++++++----------
3 files changed, 113 insertions(+), 43 deletions(-)
---
diff --git a/src/libostree/ostree-repo-private.h b/src/libostree/ostree-repo-private.h
index adf5ec2..7b02b12 100644
--- a/src/libostree/ostree-repo-private.h
+++ b/src/libostree/ostree-repo-private.h
@@ -199,11 +199,21 @@ OstreeGpgVerifyResult *
_ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GBytes *signed_data,
GVariant *metadata,
+ const char *remote_name,
GFile *keyringdir,
GFile *extra_keyring,
GCancellable *cancellable,
GError **error);
+OstreeGpgVerifyResult *
+_ostree_repo_verify_commit_internal (OstreeRepo *self,
+ const char *commit_checksum,
+ const char *remote_name,
+ GFile *keyringdir,
+ GFile *extra_keyring,
+ GCancellable *cancellable,
+ GError **error);
+
gboolean
_ostree_repo_commit_loose_final (OstreeRepo *self,
const char *checksum,
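Review bot: The two new `remote_name` parameters have opposite meanings for NULL and the header does not say so: in `_ostree_repo_gpg_verify_with_metadata` NULL adds no remote keyring at all, while `_ostree_repo_verify_commit_internal` rewrites NULL into the all-remotes sentinel (per the ostree-repo.c hunks of this same commit). A caller reading only this private header will get that wrong. I would add above the first declaration `/* remote_name: add that remote's keyring; NULL adds none (the internal ALL_REMOTES sentinel adds every remote's keyring). */` and above the second `/* remote_name: NULL means verify against every configured remote's keyring. */`.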
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 19e8d7e..c6d4c45 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -968,12 +968,13 @@ scan_commit_object (OtPullData *pull_data,
{
glnx_unref_object OstreeGpgVerifyResult *result = NULL;
- result = ostree_repo_verify_commit_ext (pull_data->repo,
- checksum,
- NULL,
- NULL,
- cancellable,
- error);
+ result = _ostree_repo_verify_commit_internal (pull_data->repo,
+ checksum,
+ pull_data->remote_name,
+ NULL,
+ NULL,
+ cancellable,
+ error);
if (result == NULL)
goto out;
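Review bot: If `pull_data->remote_name` can be NULL on this path (for example a pull that is not bound to a configured remote), the new call does not verify against nothing — `_ostree_repo_verify_commit_internal` turns NULL into the all-remotes sentinel, so the commit is accepted when it is signed by a key trusted for any configured remote rather than the one being pulled from. Whether that field can be NULL here is not visible in the hunk, so this is a question rather than a defect; if it can, either fail closed with `g_return_val_if_fail (pull_data->remote_name != NULL, FALSE)`-style handling or leave a comment at the call site saying the widening is intended. scan_commit_object begins and ends outside this hunk.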
@@ -1926,6 +1927,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
sig_variant,
NULL,
NULL,
+ NULL,
cancellable,
error);
if (result == NULL)
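Review bot: The summary signature is verified with `remote_name` = NULL here (the added NULL sits among the existing NULLs, so all of remote_name, keyringdir and extra_keyring are NULL), which means that unlike scan_commit_object in this same commit the remote's own keyring is never consulted for the summary; only whatever keyrings the verifier loads by default count. If the remote name is in scope in ostree_repo_pull_with_options as it is in scan_commit_object, passing it in place of the first NULL would make the summary and commit paths trust the same keys; if the asymmetry is deliberate, a one-line comment such as `/* remote keyring intentionally not used for summary verification */` would stop the next reader from "fixing" it. The enclosing function starts outside this hunk.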
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
index 189ec90..148dfad 100644
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@@ -3561,7 +3561,7 @@ ostree_repo_sign_commit (OstreeRepo *self,
result = _ostree_repo_gpg_verify_with_metadata (self,
commit_data,
old_metadata,
- NULL, NULL,
+ NULL, NULL, NULL,
cancellable,
&local_error);
@@ -3694,10 +3694,14 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
return ret;
}
+/* Special remote for _ostree_repo_gpg_verify_with_metadata() */
+static const char *OSTREE_ALL_REMOTES = "__OSTREE_ALL_REMOTES__";
+
OstreeGpgVerifyResult *
_ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GBytes *signed_data,
GVariant *metadata,
+ const char *remote_name,
GFile *keyringdir,
GFile *extra_keyring,
GCancellable *cancellable,
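Review bot: `OSTREE_ALL_REMOTES` is declared as a reassignable pointer to a string, yet it is only meaningful by address — the later check is `remote_name == OSTREE_ALL_REMOTES`, not a strcmp — so a caller who passes an equal string literal, or any code that rebinds the pointer, silently gets the wrong branch. Make the intent explicit and the binding immutable: `/* Sentinel matched by address, never by content; pass this pointer, not an equal string. */` followed by `static const char *const OSTREE_ALL_REMOTES = "__OSTREE_ALL_REMOTES__";`.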
@@ -3715,6 +3719,33 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
if (!verifier)
goto out;
+ if (remote_name == OSTREE_ALL_REMOTES)
+ {
+ /* Add all available remote keyring files. */
+
+ if (!_ostree_gpg_verifier_add_keyring_dir (verifier, self->repodir,
+ cancellable, error))
+ goto out;
+ }
+ else if (remote_name != NULL)
+ {
+ /* Add the remote's keyring file. OstreeGpgVerifier
+ * will ignore it if the keyring file does not exist. */
+
+ OstreeRemote *remote;
+ g_autoptr(GFile) file = NULL;
+
+ remote = ost_repo_get_remote (self, remote_name, error);
+ if (remote == NULL)
+ goto out;
+
+ file = g_file_get_child (self->repodir, remote->keyring);
+
+ _ostree_gpg_verifier_add_keyring (verifier, file);
+
+ ost_remote_unref (remote);
+ }
+
if (keyringdir)
{
if (!_ostree_gpg_verifier_add_keyring_dir (verifier, keyringdir,
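Review bot: `remote->keyring` goes straight into `g_file_get_child (self->repodir, ...)`, which resolves a relative path rather than a single name, so if that field can carry a path component taken from the remote's configuration instead of a name ostree derives itself, a value such as `../../some.gpg` would load a keyring from outside the repository — how the field is populated is not visible here, so treat this as a check to confirm. A cheap guard before the lookup is `if (strchr (remote->keyring, '/') != NULL) { ost_remote_unref (remote); goto out; }` with an appropriate `g_set_error`. Separately, `_ostree_gpg_verifier_add_keyring` has its result discarded while the `_add_keyring_dir` calls are checked; the comment says a missing file is ignored, so it is worth extending it to `/* ... a remote with no keyring file is verified only against the default and extra keyrings. */` so the fall-back is documented rather than implied.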
@@ -3764,6 +3795,62 @@ _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
return result;
}
+/* Needed an internal version for the remote_name parameter. */
+OstreeGpgVerifyResult *
+_ostree_repo_verify_commit_internal (OstreeRepo *self,
+ const char *commit_checksum,
+ const char *remote_name,
+ GFile *keyringdir,
+ GFile *extra_keyring,
+ GCancellable *cancellable,
+ GError **error)
+{
+ OstreeGpgVerifyResult *result = NULL;
+ gs_unref_variant GVariant *commit_variant = NULL;
+ gs_unref_variant GVariant *metadata = NULL;
+ gs_unref_bytes GBytes *signed_data = NULL;
+
+ /* Load the commit */
+ if (!ostree_repo_load_variant (self, OSTREE_OBJECT_TYPE_COMMIT,
+ commit_checksum, &commit_variant,
+ error))
+ {
+ g_prefix_error (error, "Failed to read commit: ");
+ goto out;
+ }
+
+ /* Load the metadata */
+ if (!ostree_repo_read_commit_detached_metadata (self,
+ commit_checksum,
+ &metadata,
+ cancellable,
+ error))
+ {
+ g_prefix_error (error, "Failed to read detached metadata: ");
+ goto out;
+ }
+
+ signed_data = g_variant_get_data_as_bytes (commit_variant);
+
+ /* XXX This is a hackish way to indicate to use ALL remote-specific
+ * keyrings in the signature verification. We want this when
+ * verifying a signed commit that's already been pulled. */
+ if (remote_name == NULL)
+ remote_name = OSTREE_ALL_REMOTES;
+
+ result = _ostree_repo_gpg_verify_with_metadata (self,
+ signed_data,
+ metadata,
+ remote_name,
+ keyringdir,
+ extra_keyring,
+ cancellable,
+ error);
+
+out:
+ return result;
+}
+
/**
* ostree_repo_verify_commit:
* @self: Repository
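Review bot: The new `_ostree_repo_verify_commit_internal` declares its locals with `gs_unref_variant`/`gs_unref_bytes`, although the body it was lifted from (the removed ostree_repo_verify_commit_ext lines in this commit) had already moved to `g_autoptr(GVariant)`/`g_autoptr(GBytes)`, and this file uses `g_autoptr(GFile)` a few lines up; keep the newer form: `g_autoptr(GVariant) commit_variant = NULL;`, `g_autoptr(GVariant) metadata = NULL;`, `g_autoptr(GBytes) signed_data = NULL;`. The `XXX` comment should also say the consequence, not just the mechanism — something like `/* NULL means "every configured remote's keyring is trusted"; callers that know the remote should pass it to narrow the trust set. */` — because the sentinel swap happens only here and is invisible to callers of the public wrapper.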
@@ -3828,42 +3915,13 @@ ostree_repo_verify_commit_ext (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
- OstreeGpgVerifyResult *result = NULL;
- g_autoptr(GVariant) commit_variant = NULL;
- g_autoptr(GFile) keyringdir_ref = NULL;
- g_autoptr(GVariant) metadata = NULL;
- g_autoptr(GBytes) signed_data = NULL;
- g_autofree char *commit_filename = NULL;
-
- /* Create a temporary file for the commit */
- if (!ostree_repo_load_variant (self, OSTREE_OBJECT_TYPE_COMMIT,
- commit_checksum, &commit_variant,
- error))
- {
- g_prefix_error (error, "Failed to read commit: ");
- goto out;
- }
-
- /* Load the metadata */
- if (!ostree_repo_read_commit_detached_metadata (self,
- commit_checksum,
- &metadata,
- cancellable,
- error))
- {
- g_prefix_error (error, "Failed to read detached metadata: ");
- goto out;
- }
-
- signed_data = g_variant_get_data_as_bytes (commit_variant);
-
- result = _ostree_repo_gpg_verify_with_metadata (self,
- signed_data, metadata,
- keyringdir, extra_keyring,
- cancellable, error);
-
-out:
- return result;
+ return _ostree_repo_verify_commit_internal (self,
+ commit_checksum,
+ NULL,
+ keyringdir,
+ extra_keyring,
+ cancellable,
+ error);
}
/**
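Review bot: `ostree_repo_verify_commit_ext` now passes NULL for remote_name, which the internal helper rewrites to the all-remotes sentinel, so this public function trusts every remote's keyring under repodir in addition to `keyringdir`/`extra_keyring`; that is a widening of the accepted key set that callers cannot opt out of through this signature. It should be stated in the function's documentation comment, which begins above this hunk, with a sentence such as `Keyrings of all remotes configured in the repository are also consulted, so a signature valid for any remote satisfies verification.`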