diff options
Diffstat (limited to 'apt-pkg')
| -rw-r--r-- | apt-pkg/acquire-item.cc | 8 | ||||
| -rw-r--r-- | apt-pkg/contrib/gpgv.cc | 20 | ||||
| -rw-r--r-- | apt-pkg/contrib/gpgv.h | 9 |
3 files changed, 33 insertions, 4 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 12524778e..69644883b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1423,7 +1423,15 @@ string pkgAcqMetaBase::Custom600Headers() const void pkgAcqMetaBase::QueueForSignatureVerify(pkgAcqTransactionItem * const I, std::string const &File, std::string const &Signature) { AuthPass = true; +#ifdef SQV_EXECUTABLE + if (not _config->Find("APT::Key::GPGVCommand").empty() || not FileExists(SQV_EXECUTABLE)) + I->Desc.URI = "gpgv:" + pkgAcquire::URIEncode(Signature); + else { + I->Desc.URI = "sqv:" + pkgAcquire::URIEncode(Signature); + } +#else I->Desc.URI = "gpgv:" + pkgAcquire::URIEncode(Signature); +#endif I->DestFile = File; QueueURI(I->Desc); I->SetActiveSubprocess("gpgv"); diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc index 7b0a0d240..48d31a44c 100644 --- a/apt-pkg/contrib/gpgv.cc +++ b/apt-pkg/contrib/gpgv.cc @@ -169,7 +169,7 @@ static bool CheckGPGV(std::unordered_map<std::string, std::forward_list<std::str /// Verifies a file containing a detached signature has the right format /// @return 0 if succesful, or an exit code for ExecGPGV otherwise. -static int VerifyDetachedSignatureFile(std::string FileGPG, int fd[2], int statusfd = -1) +static int VerifyDetachedSignatureFile(std::string const &FileGPG, int fd[2], int statusfd = -1) { auto detached = make_unique_FILE(FileGPG, "r"); if (detached.get() == nullptr) @@ -211,10 +211,17 @@ static int VerifyDetachedSignatureFile(std::string FileGPG, int fd[2], int statu } } } - if (found_signatures == 0 && statusfd != -1) + if (found_signatures == 0) { - auto const errtag = "[GNUPG:] NODATA\n"; - FileFd::Write(fd[1], errtag, strlen(errtag)); + if (statusfd != -1 && fd) + { + auto const errtag = "[GNUPG:] NODATA\n"; + FileFd::Write(fd[1], errtag, strlen(errtag)); + } + else + { + _error->Error("Signed file isn't valid, got 'NODATA' (does the network require authentication?)"); + } // guess if this is a binary signature, we never officially supported them, // but silently accepted them via passing them unchecked to gpgv if (found_badcontent) @@ -247,6 +254,11 @@ static int VerifyDetachedSignatureFile(std::string FileGPG, int fd[2], int statu return 0; } +bool VerifyDetachedSignatureFile(std::string const &DetachedSignatureFileName) +{ + return VerifyDetachedSignatureFile(DetachedSignatureFileName, nullptr, -1) == 0; +} + std::pair<std::string, std::forward_list<std::string>> APT::Internal::FindGPGV(bool Debug) { static thread_local std::unordered_map<std::string, std::forward_list<std::string>> checkedCommands; diff --git a/apt-pkg/contrib/gpgv.h b/apt-pkg/contrib/gpgv.h index d4520f3a2..0b84f6bb7 100644 --- a/apt-pkg/contrib/gpgv.h +++ b/apt-pkg/contrib/gpgv.h @@ -96,5 +96,14 @@ APT_PUBLIC bool SplitClearSignedFile(std::string const &InFile, FileFd * const C */ APT_PUBLIC bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &MessageFile); +/** \brief verifiy a detached signature file for correctness. + * + * We want to expect unavoided content. This may set an error when returning false + * but it might not necessarily do so (in case of empty signature file). + * + * @return true if the detached signature files contains ASCII-armored signatures, otherwise false + */ +APT_PUBLIC bool VerifyDetachedSignatureFile(std::string const &DetachedSignatureFileName); + APT_PUBLIC bool IsAssertedPubKeyAlgo(std::string const &pkstr, std::string const &option); #endif |
