diff options
author | Michael Vogt <egon@debian-devbox> | 2011-07-13 19:02:10 +0200 |
---|---|---|
committer | Michael Vogt <egon@debian-devbox> | 2011-07-13 19:02:10 +0200 |
commit | 89c4c588b275d098af33f36eeddea6fd75068342 (patch) | |
tree | 1e8cf8d8ab9651618d76f40c4eae97501e427eb7 | |
parent | 15fb00074cb5757e4cdcd790fcf75f0134ae0fe4 (diff) |
fix from David Kalnischkies for the InRelease gpg verification
code (LP: #784473)
-rw-r--r-- | apt-pkg/indexcopy.cc | 21 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | methods/gpgv.cc | 13 |
3 files changed, 35 insertions, 6 deletions
diff --git a/apt-pkg/indexcopy.cc b/apt-pkg/indexcopy.cc index 064fb007c..31c577705 100644 --- a/apt-pkg/indexcopy.cc +++ b/apt-pkg/indexcopy.cc @@ -664,6 +664,21 @@ bool SigVerify::CopyAndVerify(string CDROM,string Name,vector<string> &SigList, bool SigVerify::RunGPGV(std::string const &File, std::string const &FileGPG, int const &statusfd, int fd[2]) { + if (File == FileGPG) + { + #define SIGMSG "-----BEGIN PGP SIGNED MESSAGE-----\n" + char buffer[sizeof(SIGMSG)]; + FILE* gpg = fopen(File.c_str(), "r"); + if (gpg == NULL) + return _error->Errno("RunGPGV", _("Could not open file %s"), File.c_str()); + char const * const test = fgets(buffer, sizeof(buffer), gpg); + fclose(gpg); + if (test == NULL || strcmp(buffer, SIGMSG) != 0) + return _error->Error(_("File %s doesn't start with a clearsigned message"), File.c_str()); + #undef SIGMSG + } + + string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); // FIXME: remove support for deprecated APT::GPGV setting string const trustedFile = _config->Find("APT::GPGV::TrustedKeyring", _config->FindFile("Dir::Etc::Trusted")); @@ -688,7 +703,11 @@ bool SigVerify::RunGPGV(std::string const &File, std::string const &FileGPG, Args.reserve(30); if (keyrings.empty() == true) - return false; + { + // TRANSLATOR: %s is the trusted keyring parts directory + return _error->Error(_("No keyring installed in %s."), + _config->FindDir("Dir::Etc::TrustedParts").c_str()); + } Args.push_back(gpgvpath.c_str()); Args.push_back("--ignore-time-conflict"); diff --git a/debian/changelog b/debian/changelog index 87d25e78f..244bb83e0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +apt (0.8.15.2) unstable; urgency=high + + * fix from David Kalnischkies for the InRelease gpg verification + code (LP: #784473) + + -- Michael Vogt <mvo@debian.org> Tue, 12 Jul 2011 11:54:47 +0200 + apt (0.8.15.1) unstable; urgency=low [ David Kalnischkies ] diff --git a/methods/gpgv.cc b/methods/gpgv.cc index efe1f73f7..960c06180 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -65,13 +65,16 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, return string("Couldn't spawn new process") + strerror(errno); else if (pid == 0) { - if (SigVerify::RunGPGV(outfile, file, 3, fd) == false) + _error->PushToStack(); + bool const success = SigVerify::RunGPGV(outfile, file, 3, fd); + if (success == false) { - // TRANSLATOR: %s is the trusted keyring parts directory - ioprintf(ret, _("No keyring installed in %s."), - _config->FindDir("Dir::Etc::TrustedParts").c_str()); - return ret.str(); + string errmsg; + _error->PopMessage(errmsg); + _error->RevertToStack(); + return errmsg; } + _error->RevertToStack(); exit(111); } close(fd[1]); |