importd: support SUSE style checksums (#5206)

In order to verify a pulled container or disk image, importd only supports
SHA256SUMS files with the detached signature in SHA256SUMS.gpg.
SUSE is using an inline signed file with the name of the image itself and the
suffix .sha256 instead.
This commit adds support for this type of signature files.

It is first attempted to pull the .sha256 file.
If this fails with error 404, the SHA256SUMS and SHA256SUMS.gpg files are
pulled and used for verification.

1 files changed, 27 insertions, 6 deletions

diff --git a/src/import/pull-common.c b/src/import/pull-common.c
index 62a9195cc4..4c745288f5 100644
--- a/src/import/pull-common.c
+++ b/src/import/pull-common.c
@@ -275,6 +275,7 @@ int pull_make_verification_jobs(
 
         _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL;
         int r;
+        const char *chksums = NULL;
 
         assert(ret_checksum_job);
         assert(ret_signature_job);
@@ -284,10 +285,16 @@ int pull_make_verification_jobs(
         assert(glue);
 
         if (verify != IMPORT_VERIFY_NO) {
-                _cleanup_free_ char *checksum_url = NULL;
+                _cleanup_free_ char *checksum_url = NULL, *fn = NULL;
 
-                /* Queue job for the SHA256SUMS file for the image */
-                r = import_url_change_last_component(url, "SHA256SUMS", &checksum_url);
+                /* Queue jobs for the checksum file for the image. */
+                r = import_url_last_component(url, &fn);
+                if (r < 0)
+                        return r;
+
+                chksums = strjoina(fn, ".sha256");
+
+                r = import_url_change_last_component(url, chksums, &checksum_url);
                 if (r < 0)
                         return r;
 
@@ -362,6 +369,15 @@ static int verify_one(PullJob *checksum_job, PullJob *job) {
                    line,
                    strlen(line));
 
+        if (!p) {
+                line = strjoina(job->checksum, "  ", fn, "\n");
+
+                p = memmem(checksum_job->payload,
+                        checksum_job->payload_size,
+                        line,
+                        strlen(line));
+        }
+
         if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) {
                 log_error("DOWNLOAD INVALID: Checksum of %s file did not checkout, file has been tampered with.", fn);
                 return -EBADMSG;
@@ -416,6 +432,9 @@ int pull_verify(PullJob *main_job,
         if (!signature_job)
                 return 0;
 
+        if (checksum_job->style == VERIFICATION_PER_FILE)
+                signature_job = checksum_job;
+
         assert(signature_job->state == PULL_JOB_DONE);
 
         if (!signature_job->payload || signature_job->payload_size <= 0) {
@@ -507,9 +526,11 @@ int pull_verify(PullJob *main_job,
                         cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH;
 
                 cmd[k++] = "--verify";
-                cmd[k++] = sig_file_path;
-                cmd[k++] = "-";
-                cmd[k++] = NULL;
+                if (checksum_job->style == VERIFICATION_PER_DIRECTORY) {
+                        cmd[k++] = sig_file_path;
+                        cmd[k++] = "-";
+                        cmd[k++] = NULL;
+                }
 
                 stdio_unset_cloexec();