summaryrefslogtreecommitdiff
path: root/lib/libalpm/signing.c
AgeCommit message (Collapse)Author
2011-08-15Only check necessary signatures and checksumsDan McGee
The precedence goes as follows: signature > sha256sum > md5sum Add some logic and helper methods to check what we have available when loading a package, and then only check what is necessary to verify the package. This should speed up sync database verifies as we no longer will be doing both a checksum and a signature validation. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15decode_signature: guess signature data length for efficiencyDan McGee
We may end up allocating 1 or 2 extra bytes this way, but it is worth it to simplify the method and not have to call base64_decode() a second time. Use the hueristic that base64 encoding produces 3 bytes of decoded data for every 4 bytes of encoded data. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-15Update base64 PolarSSL codeDan McGee
Also adjust our code using it for the size_t adjustments made by upstream. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-28Revamp signing checksDan McGee
This ensures we are actually making correct use of the information gpgme is returning to us. Marginal being allowed was obvious before, but Unknown should deal with trust level, and not the presence or lack thereof of a public key to validate the signature with. Return status and validity information in two separate values so check methods and the frontend can use them independently. For now, we treat expired keys as valid, while expired signatures are invalid. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18replace access() calls for debug info where applicableFlorian Pritz
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18signing.c: check if needed files are readableFlorian Pritz
If we can't read the keyring, gpgme will output confusing debug information and fail to verify the signature, so we should log some debug information. Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-18Fix compilation without gpgmeAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05Allow frontend access to signature verification informationDan McGee
Show output in -Qip for each package signature, which includes the UID string from the key ("Joe User <joe@example.com>") and the validity of said key. Example output: Signatures : Valid signature from "Dan McGee <dpmcgee@gmail.com>" Unknown signature from "<Key Unknown>" Invalid signature from "Dan McGee <dpmcgee@gmail.com>" Also add a backend alpm_sigresult_cleanup() function since memory allocation took place on this object, and we need some way of freeing it. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05Correctly check the GPG error codesDan McGee
The error code is in fact a bitmask value of an error code and an error source, so use the proper function to get only the relevant bits. For the no error case, this shouldn't ever matter, but it bit me when I was trying to compare the error code to other values and wondered why it wasn't working, so set a good example. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-05signing: move to new signing verification and return schemeDan McGee
This gives us more granularity than the former Never/Optional/Always trifecta. The frontend still uses these values temporarily but that will be changed in a future patch. * Use 'siglevel' consistenly in method names, 'level' as variable name * The level becomes an enum bitmask value for flexibility * Signature check methods now return a array of status codes rather than a simple integer success/failure value. This allows callers to determine whether things such as an unknown signature are valid. * Specific signature error codes mostly disappear in favor of the above returned status code; pm_errno is now set only to PKG_INVALID_SIG or DB_INVALID_SIG as appropriate. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-07-02Prefix _alpm_errno_t members with ALPMAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-07-02Prefix alpm_loglevel_t members with ALPMAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-30signing: check validity of all available signaturesDan McGee
Change the check into a loop over all signatures present and returned by GPGME. Also modify the return values and checks slightly now that I know a little bit more about what type of values are returned. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-30Make alpm_db_get_sigverify_level() publicDan McGee
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-28Rename pmpkg_t to alpm_pkg_tAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-28Rename pmdb_t to alpm_db_tAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-28Rename pmhandle_t to alpm_handle_tAllan McRae
Signed-off-by: Allan McRae <allan@archlinux.org>
2011-06-15API: change 'signaturedir' to 'gpgdir'Dan McGee
This is more in line with reality and what we have our makepkg, etc. options named anyway. Original-patch-by: Kerrick Staley <mail@kerrickstaley.com> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-14Rename and rework signing helper methodsDan McGee
* Don't name static methods with a gpgme_ prefix to avoid confusion with methods provided by the library. These are static and local to our file so just give them sane non-prefixed names. * Rework sigsum_test_bit() to not require assignment. * Don't balk if there is more than one signature available (for now, only check the first). * Fix error codes in publicly visible methods to return -1, not 0, if pkg or db are not provided. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-14Ensure handle is valid and pm_errno is reset when calling into APIDan McGee
We didn't do due diligence before and ensure prior pm_errno values weren't influencing what happened in further ALPM calls. I observed one case of early setup code setting pm_errno to PM_ERR_WRONG_ARGS and that flag persisting the entire time we were calling library code. Add a new CHECK_HANDLE() macro that does two things: 1) ensures the handle variable passed to it is non-NULL and 2) clears any existing pm_errno flag set on the handle. This macro can replace many places we used the ASSERT(handle != NULL, ...) pattern before. Several other other places only need a simple 'set to zero' of the pm_errno field. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-13Switch all logging to use handle directlyDan McGee
This is the last user of our global handle object. Once again the diff is large but the functional changes are not. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-13Move pm_errno onto the handleDan McGee
This involves some serious changes and a very messy diff, unfortunately. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-09Require handle argument to all alpm_option_(get|set)_*() methodsDan McGee
This requires a lot of line changes, but not many functional changes as more often than not our handle variable is already available in some fashion. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-06-03Remove ALPM_LOG_FUNC macroDan McGee
The usefulness of this is rather limited due to it not being compiled into production builds. When you do choose to see the output, it is often overwhelming and not helpful. The best bet is to use a debugger and/or well-placed fprintf() statements. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-05-04Fix incorrect memory allocation assignmentDan McGee
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-05-04Reduce duplicate signing debug code and fix logic conditionDan McGee
We had a lot of similar looking code that we can collapse down into a function. This also fixes errors seen when turning on some gcc warnings and implicitly casting away the const-ness of the string. Free the list when we are done with it as well. Also, fix a logic error where we should be checking with &&, not ||. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-27Allow conditional compilation with GPGMEDan McGee
This makes it possible to omit usage of -lgpgme, just as we can do for -lcurl and -lcrypto. Thanks to Rémy Oudompheng for an initial stab at this. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-24signing: add more detail to unexpected signature count errorDan McGee
Do a quick loop and count of the returned data so we can show how many signatures were parsed and read. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-24Enhance GPGME debug outputDan McGee
Add some lookup functions for nice names for the various types used by the library, and remove some fields that are of little use to us in the debug output. This should make looking at key loading and verification a bit easier, especially in determining what makes up our good and bad criteria. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-24Rein in the complexity of the signature typeDan McGee
Given that we offer no transparency into the pmpgpsig_t type, we don't really need to expose it outside of the library, and at this point, we don't need it at all. Don't decode anything except when checking signatures. For packages/files not from a sync database, we now just read the signature file directly anyway. Also push the decoding logic down further into the check method so we don't need this hanging out in a less than ideal place. This will make it easier to conditionally compile things down the road. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-24signing: let GPGME handle loading signatures from filesDan McGee
Rather than go through all the hassle of doing this ourselves, just let GPGME handle the work by passing it a file handle. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-20Rename gpgsig struct fields for clarityDan McGee
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-20Form the signature file location in one placeDan McGee
Since we do this for all cases anyway. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-20syntax: if/while statements should have no trailing spaceDan McGee
This is the standard, and we have had a few of these introduced lately that should not be here. Done with: find -name '*.c' | xargs sed -i -e 's#if (#if(#g' find -name '*.c' | xargs sed -i -e 's#while (#while(#g' Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-20Allow VerifySig to act as a default verification in [options]Dave Reisner
* add _alpm_db_get_sigverify_level * add alpm_option_{get,set}_default_sigverify And set the default verification level to OPTIONAL if not set otherwise. Signed-off-by: Dave Reisner <d@falconindy.com> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-04-20style cleanup: cast as (type *) not (type*)Dave Reisner
Signed-off-by: Dave Reisner <d@falconindy.com> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23Do not reuse old signatureAllan McRae
After updating a database, remove the old signature to prevent it being used in validation if the new signature fails to download. Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23Refactor signature loading code into common functionDan McGee
We can use this for both standalone package signatures as well as standalone database signatures. Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23Add functions for verifying database signatureAllan McRae
Add a pmpgpsig_t struct to the database entry struct and functions for the lazy loading of database signatures. Add a function for checking database signatures, reusing (and generalizing) the code currently used for checking package signatures. TODO: The code for reading in signature files from the filesystem is duplicated for local packages and database and needs refactoring. Signed-off-by: Allan McRae <allan@archlinux.org>
2011-03-23Report output from signature checking to debug logAllan McRae
Move the (possibly still temporary) output generated during signature checking into the --debug output. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23Added gpg verification options per repo to the config file.Xavier Chantry
Once we do this, add support for VerifySig to pactest. We just check if the repo name contains Always, Never or Optional to determine the value of VerifySig. The default is Never. pacman uses Always by default but this is not suitable for pactest. Original-work-by: shankar <jatheendra@gmail.com> Signed-off-by: Xavier Chantry <shiningxc@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-03-23Integrate GPGME into libalpmDan McGee
Signed-off-by: Dan McGee <dan@archlinux.org>