-rw-r--r--lib/libalpm/alpm.h9
-rw-r--r--lib/libalpm/db.c18
-rw-r--r--lib/libalpm/db.h1
-rw-r--r--lib/libalpm/signing.c2
-rw-r--r--lib/libalpm/sync.c19
-rw-r--r--src/pacman/pacman.c18
-rwxr-xr-xtest/pacman/pmdb.py6
-rw-r--r--test/pacman/tests/sign001.py2
-rw-r--r--test/pacman/tests/sign002.py2
-rwxr-xr-xtest/pacman/util.py3
10 files changed, 72 insertions, 8 deletions
diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h
index 150730ce..276d49cb 100644
--- a/lib/libalpm/alpm.h
+++ b/lib/libalpm/alpm.h
@@ -251,6 +251,15 @@ alpm_list_t *alpm_pkg_unused_deltas(pmpkg_t *pkg);
int alpm_pkg_check_pgp_signature(pmpkg_t *pkg);
+/* GPG signature verification option */
+typedef enum _pgp_verify_t {
+ PM_PGP_VERIFY_ALWAYS,
+ PM_PGP_VERIFY_OPTIONAL,
+ PM_PGP_VERIFY_NEVER
+} pgp_verify_t;
+
+int alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify);
+
/*
* Deltas
*/
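Review bot: The new public declarations carry almost no API documentation: `pgp_verify_t` is introduced with only "GPG signature verification option" and the `alpm_db_set_pgp_verify` prototype has no comment at all, so a header reader cannot tell what OPTIONAL accepts or what a database uses before the setter is called. Give each enumerator a trailing comment, e.g. `PM_PGP_VERIFY_ALWAYS, /* any signature-check failure rejects the package */`, `PM_PGP_VERIFY_OPTIONAL, /* only a signature the check reports as bad rejects it */`, `PM_PGP_VERIFY_NEVER /* signatures are not checked */`, and put a doc comment on the prototype mirroring the one in db.c. Because PM_PGP_VERIFY_ALWAYS is the enum's zero value, a zero-initialised pmdb_t defaults to the strict policy; stating that here makes the fail-closed default explicit, though whether db allocation actually zeroes the struct is not visible in this diff.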
diff --git a/lib/libalpm/db.c b/lib/libalpm/db.c
index cb575c8a..f61ea918 100644
--- a/lib/libalpm/db.c
+++ b/lib/libalpm/db.c
@@ -181,6 +181,24 @@ int SYMEXPORT alpm_db_setserver(pmdb_t *db, const char *url)
return 0;
}
+/** Set the verify gpg signature option for a database.
+ * @param db database pointer
+ * @param verify enum pgp_verify_t
+ * @return 0 on success, -1 on error (pm_errno is set accordingly)
+ */
+int SYMEXPORT alpm_db_set_pgp_verify(pmdb_t *db, pgp_verify_t verify)
+{
+ ALPM_LOG_FUNC;
+
+ /* Sanity checks */
+ ASSERT(db != NULL, RET_ERR(PM_ERR_DB_NULL, -1));
+
+ db->pgp_verify = verify;
+ _alpm_log(PM_LOG_DEBUG, "adding VerifySig option to database '%s': %d\n",
+ db->treename, verify);
+
+ return(0);
+}
/** Get the name of a package database
* @param db pointer to the package database
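Review bot: `alpm_db_set_pgp_verify` stores `verify` without checking that it is one of the three enumerators, so an out-of-range integer from a caller lands in `db->pgp_verify`; in the new sync.c check such a value is neither ALWAYS nor OPTIONAL, so the package would pass even when the signature check fails. Add a second sanity check after the NULL test: `ASSERT(verify >= PM_PGP_VERIFY_ALWAYS && verify <= PM_PGP_VERIFY_NEVER, RET_ERR(PM_ERR_WRONG_ARGS, -1));`. Two style points: the surrounding file writes `return 0;` (see the end of alpm_db_setserver just above) rather than `return(0);`, and the debug message says "adding" although the call overwrites any previous value, so "setting VerifySig option" is more accurate.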
diff --git a/lib/libalpm/db.h b/lib/libalpm/db.h
index 75776d71..dfd9f933 100644
--- a/lib/libalpm/db.h
+++ b/lib/libalpm/db.h
@@ -60,6 +60,7 @@ struct __pmdb_t {
pmpkghash_t *pkgcache;
alpm_list_t *grpcache;
alpm_list_t *servers;
+ pgp_verify_t pgp_verify;
struct db_operations *ops;
};
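Review bot: The new `pgp_verify` field is undocumented, and its initial value is security-relevant: PM_PGP_VERIFY_ALWAYS is the enum's zero value, so a zero-filled struct defaults to the strict policy, but nothing in this diff shows how the struct is allocated or that the field is set when a repository section has no VerifySig directive. Add a comment on the field, `pgp_verify_t pgp_verify; /* VerifySig policy; zero value == PM_PGP_VERIFY_ALWAYS */`, and confirm that the allocation path in db.c zeroes it.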
diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index 27855798..08e9b297 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -168,6 +168,8 @@ int _alpm_gpgme_checksig(const char *pkgpath, const pmpgpsig_t *sig)
if(gpgsig->summary & GPGME_SIGSUM_VALID) {
/* good signature, continue */
+ _alpm_log(PM_LOG_DEBUG, _("Package %s has a valid signature.\n"),
+ pkgpath);
} else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {
/* 'green' signature, not sure what to do here */
_alpm_log(PM_LOG_WARNING, _("Package %s has a green signature.\n"),
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 5e7cf293..5428e40b 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -847,11 +847,17 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)
continue;
}
/* check PGP signature next */
- if(_alpm_gpgme_checksig(filepath, pgpsig) != 0) {
- errors++;
- *data = alpm_list_add(*data, strdup(filename));
- FREE(filepath);
- continue;
+ pmdb_t *sdb = alpm_pkg_get_db(spkg);
+
+ if(sdb->pgp_verify != PM_PGP_VERIFY_NEVER) {
+ int ret = _alpm_gpgme_checksig(filepath, pgpsig);
+ if((sdb->pgp_verify == PM_PGP_VERIFY_ALWAYS && ret != 0) ||
+ (sdb->pgp_verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) {
+ errors++;
+ *data = alpm_list_add(*data, strdup(filename));
+ FREE(filepath);
+ continue;
+ }
}
/* load the package file and replace pkgcache entry with it in the target list */
/* TODO: alpm_pkg_get_db() will not work on this target anymore */
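Review bot: `sdb` is dereferenced at `sdb->pgp_verify` without a NULL check; if `alpm_pkg_get_db(spkg)` can return NULL for a target (the TODO two lines below notes that it stops working once a target is replaced by the loaded file), this crashes inside the commit path. The replacement also widens what is accepted: the OPTIONAL branch rejects only `ret == 1`, so any other non-zero value `_alpm_gpgme_checksig` may return (not visible here; if it also reports gpgme initialisation or keyring errors that way) now lets the package through as if verified, where the old code rejected every non-zero result. Resolve the policy once, falling back to the strictest policy when the database is unknown, and document which return values the check can produce. `_alpm_sync_commit` starts and ends outside the hunk.
```c
		pmdb_t *sdb = alpm_pkg_get_db(spkg);
		/* unknown origin: fall back to the strictest policy */
		pgp_verify_t verify = sdb ? sdb->pgp_verify : PM_PGP_VERIFY_ALWAYS;

		if(verify != PM_PGP_VERIFY_NEVER) {
			int ret = _alpm_gpgme_checksig(filepath, pgpsig);
			/* ALWAYS: any non-zero result is fatal.
			 * OPTIONAL: only an explicitly bad signature (ret == 1) is fatal;
			 * TODO confirm which other return values checksig can produce. */
			if((verify == PM_PGP_VERIFY_ALWAYS && ret != 0) ||
			   (verify == PM_PGP_VERIFY_OPTIONAL && ret == 1)) {
				/* … unchanged: count error, record filename, free filepath, continue … */
			}
		}
```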
@@ -869,9 +875,12 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t *db_local, alpm_list_t **data)
i->data = pkgfile;
_alpm_pkg_free_trans(spkg); /* spkg has been removed from the target list */
}
+
PROGRESS(trans, PM_TRANS_PROGRESS_INTEGRITY_START, "", 100,
numtargs, current);
EVENT(trans, PM_TRANS_EVT_INTEGRITY_DONE, NULL, NULL);
+
+
if(errors) {
pm_errno = PM_ERR_PKG_INVALID;
goto error;
diff --git a/src/pacman/pacman.c b/src/pacman/pacman.c
index 706e97be..0487ee87 100644
--- a/src/pacman/pacman.c
+++ b/src/pacman/pacman.c
@@ -1241,6 +1241,24 @@ static int _parseconfig(const char *file, const char *givensection,
ret = 1;
goto cleanup;
}
+ } else if(strcmp(key, "VerifySig") == 0) {
+ if (strcmp(value, "Always") == 0) {
+ ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_ALWAYS);
+ } else if (strcmp(value, "Optional") == 0) {
+ ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_OPTIONAL);
+ } else if (strcmp(value, "Never") == 0) {
+ ret = alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_NEVER);
+ } else {
+ pm_printf(PM_LOG_ERROR, _("invalid value for 'VerifySig' : '%s'\n"), value);
+ ret = 1;
+ goto cleanup;
+ }
+ if (ret != 0) {
+ pm_printf(PM_LOG_ERROR, _("could not add pgp verify option to database '%s': %s (%s)\n"),
+ alpm_db_get_name(db), value, alpm_strerrorlast());
+ goto cleanup;
+ }
+ pm_printf(PM_LOG_DEBUG, "config: VerifySig for %s: %s\n",alpm_db_get_name(db), value);
} else {
pm_printf(PM_LOG_WARNING,
_("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"),
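Review bot: The failure path after `alpm_db_set_pgp_verify` leaves `ret` at the library's -1 before `goto cleanup`, whereas the sibling failure paths in this function (the `ret = 1; goto cleanup;` pair that opens the hunk, and the invalid-value branch just above) report 1; add `ret = 1;` before that `goto cleanup;` so a caller testing for a specific value sees the same code. On style, the three `alpm_db_set_pgp_verify(db,PM_PGP_VERIFY_…)` calls lack a space after the comma, and the new `if (` spacing differs from the `if(` used on the `else if` line that opens the hunk. The value match is case-sensitive, so `VerifySig = always` is rejected as invalid; acceptable, but worth stating in the configuration documentation. Whether `db` is guaranteed non-NULL when the directive appears outside a repository section is not visible in this hunk; the preceding branch appears to rely on the same assumption.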
diff --git a/test/pacman/pmdb.py b/test/pacman/pmdb.py
index fefb135a..1af24ae9 100755
--- a/test/pacman/pmdb.py
+++ b/test/pacman/pmdb.py
@@ -89,6 +89,12 @@ class pmdb(object):
def __str__(self):
return "%s" % self.treename
+ def getverify(self):
+ for value in "Always","Never","Optional":
+ if value in self.treename:
+ return value
+ return "Never"
+
def getpkg(self, name):
"""
"""
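Review bot: `getverify` has no docstring although it silently decides the policy for every test database: a treename with no `Always`/`Never`/`Optional` token yields "Never", so signature checking is off in every existing test unless it opts in, and the substring test means a repository named e.g. "Neverland" would also match. Add a docstring stating that the VerifySig value is encoded in the treename (e.g. `sync+Always`) and that the fallback is "Never" so legacy tests keep running without signatures. The enclosing class pmdb continues outside the hunk.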
diff --git a/test/pacman/tests/sign001.py b/test/pacman/tests/sign001.py
index 447cea1e..0ae417b7 100644
--- a/test/pacman/tests/sign001.py
+++ b/test/pacman/tests/sign001.py
@@ -2,7 +2,7 @@ self.description = "Add a signature to a package DB"
sp = pmpkg("pkg1")
sp.pgpsig = "asdfasdfsdfasdfsdafasdfsdfasd"
-self.addpkg2db("sync", sp)
+self.addpkg2db("sync+Always", sp)
self.args = "-Ss"
diff --git a/test/pacman/tests/sign002.py b/test/pacman/tests/sign002.py
index 7b098c0d..b55f331e 100644
--- a/test/pacman/tests/sign002.py
+++ b/test/pacman/tests/sign002.py
@@ -2,7 +2,7 @@ self.description = "Verify a signature in a sync DB (failure)"
sp = pmpkg("pkg1")
sp.pgpsig = "iEYEABECAAYFAkhMOggACgkQXC5GoPU6du2WVQCffVxF8GKXJIY4juJBIw/ljLrQxygAnj2QlvsUd7MdFekLX18+Ov/xzgZ1"
-self.addpkg2db("sync", sp)
+self.addpkg2db("sync+Always", sp)
self.args = "-S %s" % sp.name
diff --git a/test/pacman/util.py b/test/pacman/util.py
index b771a345..47255923 100755
--- a/test/pacman/util.py
+++ b/test/pacman/util.py
@@ -132,8 +132,9 @@ def mkcfgfile(filename, root, option, db):
if key != "local":
value = db[key]
data.append("[%s]\n" \
+ "VerifySig = %s\n" \
"Server = file://%s" \
- % (value.treename,
+ % (value.treename, value.getverify(), \
os.path.join(root, SYNCREPO, value.treename)))
for optkey, optval in value.option.iteritems():
data.extend(["%s = %s" % (optkey, j) for j in optval])
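Review bot: The added `\` after `value.getverify(),` is redundant: the expression sits inside the open `data.append(` parenthesis, so Python continues the line implicitly, exactly as it does for the `os.path.join(...)` line below that has no backslash. Dropping it keeps the continuation style consistent: `% (value.treename, value.getverify(),`. `mkcfgfile` continues outside the hunk.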