diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2015-06-24 19:31:22 +0200 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2015-08-10 17:25:26 +0200 |
| commit | b0d408547734100bf86781615f546487ecf390d9 (patch) | |
| tree | 8e88e2394ce15a4ac5a070b59a0cf4b74d748859 /apt-pkg/acquire-item.cc | |
| parent | 0741daeb7ab870b4dd62a93fa12a1cf6330f9a72 (diff) | |
implement Signed-By option for sources.list
Limits which key(s) can be used to sign a repository. Not immensely useful
from a security perspective all by itself, but if the user has
additional measures in place to confine a repository (like pinning) an
attacker who gets the key for such a repository is limited to its
potential and can't use the key to sign its attacks for an other (maybe
less limited) repository… (yes, this is as weak as it sounds, but having
the capability might come in handy for implementing other stuff later).
Diffstat (limited to 'apt-pkg/acquire-item.cc')
| -rw-r--r-- | apt-pkg/acquire-item.cc | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index a30a5d154..01a679fe0 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -808,7 +808,6 @@ string pkgAcqMetaBase::Custom600Headers() const Header += MaximumSize; string const FinalFile = GetFinalFilename(); - struct stat Buf; if (stat(FinalFile.c_str(),&Buf) == 0) Header += "\nLast-Modified: " + TimeRFC1123(Buf.st_mtime); @@ -1132,6 +1131,10 @@ string pkgAcqMetaClearSig::Custom600Headers() const { string Header = pkgAcqMetaBase::Custom600Headers(); Header += "\nFail-Ignore: true"; + std::string const key = TransactionManager->MetaIndexParser->GetSignedBy(); + if (key.empty() == false) + Header += "\nSigned-By: " + key; + return Header; } /*}}}*/ @@ -1374,6 +1377,16 @@ pkgAcqMetaSig::~pkgAcqMetaSig() /*{{{*/ { } /*}}}*/ +// pkgAcqMetaSig::Custom600Headers - Insert custom request headers /*{{{*/ +std::string pkgAcqMetaSig::Custom600Headers() const +{ + std::string Header = pkgAcqTransactionItem::Custom600Headers(); + std::string const key = TransactionManager->MetaIndexParser->GetSignedBy(); + if (key.empty() == false) + Header += "\nSigned-By: " + key; + return Header; +} + /*}}}*/ // AcqMetaSig::Done - The signature was downloaded/verified /*{{{*/ void pkgAcqMetaSig::Done(string const &Message, HashStringList const &Hashes, pkgAcquire::MethodConfig const * const Cfg) |