importd: support SUSE style checksums (#5206)

In order to verify a pulled container or disk image, importd only supports
SHA256SUMS files with the detached signature in SHA256SUMS.gpg.
SUSE is using an inline signed file with the name of the image itself and the
suffix .sha256 instead.
This commit adds support for this type of signature files.

It is first attempted to pull the .sha256 file.
If this fails with error 404, the SHA256SUMS and SHA256SUMS.gpg files are
pulled and used for verification.

1 files changed, 50 insertions, 0 deletions

diff --git a/src/import/pull-job.c b/src/import/pull-job.c
index 70aaa5c291..8eabb09eed 100644
--- a/src/import/pull-job.c
+++ b/src/import/pull-job.c
@@ -29,6 +29,8 @@
 #include "string-util.h"
 #include "strv.h"
 #include "xattr-util.h"
+#include "pull-common.h"
+#include "import-util.h"
 
 PullJob* pull_job_unref(PullJob *j) {
         if (!j)
@@ -73,6 +75,33 @@ static void pull_job_finish(PullJob *j, int ret) {
                 j->on_finished(j);
 }
 
+static int pull_job_restart(PullJob *j) {
+        int r;
+        char *chksum_url = NULL;
+
+        r = import_url_change_last_component(j->url, "SHA256SUMS", &chksum_url);
+        if (r < 0)
+                return r;
+
+        free(j->url);
+        free(j->payload);
+        j->url = chksum_url;
+        j->state = PULL_JOB_INIT;
+        j->payload = NULL;
+        j->payload_size = 0;
+        j->payload_allocated = 0;
+        j->written_compressed = 0;
+        j->written_uncompressed = 0;
+        j->written_since_last_grow = 0;
+
+        r = pull_job_begin(j);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
+
 void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
         PullJob *j = NULL;
         CURLcode code;
@@ -102,6 +131,26 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
                 r = 0;
                 goto finish;
         } else if (status >= 300) {
+                if (status == 404 && j->style == VERIFICATION_PER_FILE) {
+
+                        /* retry pull job with SHA256SUMS file */
+                        r = pull_job_restart(j);
+                        if (r < 0)
+                                goto finish;
+
+                        code = curl_easy_getinfo(j->curl, CURLINFO_RESPONSE_CODE, &status);
+                        if (code != CURLE_OK) {
+                                log_error("Failed to retrieve response code: %s", curl_easy_strerror(code));
+                                r = -EIO;
+                                goto finish;
+                        }
+
+                        if (status == 0) {
+                                j->style = VERIFICATION_PER_DIRECTORY;
+                                return;
+                        }
+                }
+
                 log_error("HTTP request to %s failed with code %li.", j->url, status);
                 r = -EIO;
                 goto finish;
@@ -528,6 +577,7 @@ int pull_job_new(PullJob **ret, const char *url, CurlGlue *glue, void *userdata)
         j->content_length = (uint64_t) -1;
         j->start_usec = now(CLOCK_MONOTONIC);
         j->compressed_max = j->uncompressed_max = 64LLU * 1024LLU * 1024LLU * 1024LLU; /* 64GB safety limit */
+        j->style = VERIFICATION_STYLE_UNSET;
 
         j->url = strdup(url);
         if (!j->url)