From a319c4eeae62511d1cb58986742491d3e224bf20 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 9 Jun 2010 17:19:40 +0200 Subject: * apt-pkg/indexcopy.cc: - move the gpg codecopy to a new method and use it also in methods/gpgv.cc --- apt-pkg/indexcopy.cc | 109 +++++++++++++++++++++++++++++++++------------------ 1 file changed, 70 insertions(+), 39 deletions(-) (limited to 'apt-pkg/indexcopy.cc') diff --git a/apt-pkg/indexcopy.cc b/apt-pkg/indexcopy.cc index 53eb11172..47eaefc5c 100644 --- a/apt-pkg/indexcopy.cc +++ b/apt-pkg/indexcopy.cc @@ -590,66 +590,39 @@ bool SigVerify::CopyAndVerify(string CDROM,string Name,vector &SigList, indexRecords *MetaIndex = new indexRecords; string prefix = *I; + string const releasegpg = *I+"Release.gpg"; + string const release = *I+"Release"; + // a Release.gpg without a Release should never happen - if(!FileExists(*I+"Release")) + if(FileExists(release) == false) { delete MetaIndex; continue; } - - // verify the gpg signature of "Release" - // gpg --verify "*I+Release.gpg", "*I+Release" - const char *Args[400]; - unsigned int i = 0; - - string gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); - string pubringpath = _config->Find("Apt::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg"); - string releasegpg = *I+"Release.gpg"; - string release = *I+"Release"; - - Args[i++] = gpgvpath.c_str(); - Args[i++] = "--keyring"; - Args[i++] = pubringpath.c_str(); - Configuration::Item const *Opts; - Opts = _config->Tree("Acquire::gpgv::Options"); - if (Opts != 0) - { - Opts = Opts->Child; - for (; Opts != 0; Opts = Opts->Next) - { - if (Opts->Value.empty() == true) - continue; - Args[i++] = Opts->Value.c_str(); - if(i >= 390) { - _error->Error("Argument list from Acquire::gpgv::Options too long. Exiting."); - return false; - } - } - } - - Args[i++] = releasegpg.c_str(); - Args[i++] = release.c_str(); - Args[i++] = NULL; - pid_t pid = ExecFork(); if(pid < 0) { _error->Error("Fork failed"); return false; } if(pid == 0) { - execvp(gpgvpath.c_str(), (char**)Args); + string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); + std::vector Args = GetGPGVCommandLine(); + Args.push_back(releasegpg.c_str()); + Args.push_back(release.c_str()); + Args.push_back(NULL); + execvp(gpgvpath.c_str(), (char**) &Args[0]); } if(!ExecWait(pid, "gpgv")) { _error->Warning("Signature verification failed for: %s", - string(*I+"Release.gpg").c_str()); + releasegpg.c_str()); // something went wrong, don't copy the Release.gpg // FIXME: delete any existing gpg file? continue; } // Open the Release file and add it to the MetaIndex - if(!MetaIndex->Load(*I+"Release")) + if(!MetaIndex->Load(release)) { _error->Error("%s",MetaIndex->ErrorText.c_str()); return false; @@ -679,6 +652,64 @@ bool SigVerify::CopyAndVerify(string CDROM,string Name,vector &SigList, return true; } /*}}}*/ +// SigVerify::GetGPGVCommandLine - returns the command needed for verify/*{{{*/ +// --------------------------------------------------------------------- +/* Generating the commandline for calling gpgv is somehow complicated as + we need to add multiple keyrings and user supplied options. Also, as + the cdrom code currently can not use the gpgv method we have two places + these need to be done - so the place for this method is wrong but better + than code duplication… */ +std::vector SigVerify::GetGPGVCommandLine() +{ + string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); + // FIXME: remove support for deprecated APT::GPGV setting + string const trustedFile = _config->FindFile("Dir::Etc::Trusted", + _config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg").c_str()); + string const trustedPath = _config->FindDir("Dir::Etc::TrustedParts", "/etc/apt/trusted.gpg.d"); + + if (_config->FindB("Debug::Acquire::gpgv", false) == true) + { + std::clog << "gpgv path: " << gpgvpath << std::endl; + std::clog << "Keyring file: " << trustedFile << std::endl; + std::clog << "Keyring path: " << trustedPath << std::endl; + } + + std::vector keyrings = GetListOfFilesInDir(trustedPath, "gpg", false); + if (FileExists(trustedFile) == true) + keyrings.push_back(trustedFile); + + std::vector Args; + Args.reserve(30); + + if (keyrings.empty() == true) + return Args; + + Args.push_back(gpgvpath.c_str()); + Args.push_back("--ignore-time-conflict"); + + for (vector::const_iterator K = keyrings.begin(); + K != keyrings.end(); ++K) + { + Args.push_back("--keyring"); + Args.push_back(K->c_str()); + } + + Configuration::Item const *Opts; + Opts = _config->Tree("Acquire::gpgv::Options"); + if (Opts != 0) + { + Opts = Opts->Child; + for (; Opts != 0; Opts = Opts->Next) + { + if (Opts->Value.empty() == true) + continue; + Args.push_back(Opts->Value.c_str()); + } + } + + return Args; +} + /*}}}*/ bool TranslationsCopy::CopyTranslations(string CDROM,string Name, /*{{{*/ vector &List, pkgCdromStatus *log) { -- cgit v1.2.3-70-g09d2 From cf440facb498fa0ec70148723b13d6d019758c0e Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 9 Jun 2010 23:20:26 +0200 Subject: enhance the split out of the gpgv commandline mangling by splitting out the call completely --- apt-pkg/indexcopy.cc | 62 +++++++++++++++++++++++++++++++++++++++++----------- apt-pkg/indexcopy.h | 10 +++++++-- methods/gpgv.cc | 51 +++++++++--------------------------------- 3 files changed, 67 insertions(+), 56 deletions(-) (limited to 'apt-pkg/indexcopy.cc') diff --git a/apt-pkg/indexcopy.cc b/apt-pkg/indexcopy.cc index 47eaefc5c..621c18716 100644 --- a/apt-pkg/indexcopy.cc +++ b/apt-pkg/indexcopy.cc @@ -27,6 +27,8 @@ #include #include #include +#include +#include #include /*}}}*/ @@ -605,14 +607,9 @@ bool SigVerify::CopyAndVerify(string CDROM,string Name,vector &SigList, _error->Error("Fork failed"); return false; } - if(pid == 0) { - string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); - std::vector Args = GetGPGVCommandLine(); - Args.push_back(releasegpg.c_str()); - Args.push_back(release.c_str()); - Args.push_back(NULL); - execvp(gpgvpath.c_str(), (char**) &Args[0]); - } + if(pid == 0) + RunGPGV(release, releasegpg); + if(!ExecWait(pid, "gpgv")) { _error->Warning("Signature verification failed for: %s", releasegpg.c_str()); @@ -652,14 +649,15 @@ bool SigVerify::CopyAndVerify(string CDROM,string Name,vector &SigList, return true; } /*}}}*/ -// SigVerify::GetGPGVCommandLine - returns the command needed for verify/*{{{*/ +// SigVerify::RunGPGV - returns the command needed for verify /*{{{*/ // --------------------------------------------------------------------- /* Generating the commandline for calling gpgv is somehow complicated as we need to add multiple keyrings and user supplied options. Also, as the cdrom code currently can not use the gpgv method we have two places these need to be done - so the place for this method is wrong but better than code duplication… */ -std::vector SigVerify::GetGPGVCommandLine() +bool SigVerify::RunGPGV(std::string const &File, std::string const &FileGPG, + int const &statusfd, int fd[2]) { string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); // FIXME: remove support for deprecated APT::GPGV setting @@ -667,7 +665,9 @@ std::vector SigVerify::GetGPGVCommandLine() _config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg").c_str()); string const trustedPath = _config->FindDir("Dir::Etc::TrustedParts", "/etc/apt/trusted.gpg.d"); - if (_config->FindB("Debug::Acquire::gpgv", false) == true) + bool const Debug = _config->FindB("Debug::Acquire::gpgv", false); + + if (Debug == true) { std::clog << "gpgv path: " << gpgvpath << std::endl; std::clog << "Keyring file: " << trustedFile << std::endl; @@ -682,11 +682,19 @@ std::vector SigVerify::GetGPGVCommandLine() Args.reserve(30); if (keyrings.empty() == true) - return Args; + return false; Args.push_back(gpgvpath.c_str()); Args.push_back("--ignore-time-conflict"); + if (statusfd != -1) + { + Args.push_back("--status-fd"); + char fd[10]; + snprintf(fd, sizeof(fd), "%i", statusfd); + Args.push_back(fd); + } + for (vector::const_iterator K = keyrings.begin(); K != keyrings.end(); ++K) { @@ -707,7 +715,35 @@ std::vector SigVerify::GetGPGVCommandLine() } } - return Args; + Args.push_back(FileGPG.c_str()); + Args.push_back(File.c_str()); + Args.push_back(NULL); + + if (Debug == true) + { + std::clog << "Preparing to exec: " << gpgvpath; + for (std::vector::const_iterator a = Args.begin(); *a != NULL; ++a) + std::clog << " " << *a; + std::clog << std::endl; + } + + if (statusfd != -1) + { + int const nullfd = open("/dev/null", O_RDONLY); + close(fd[0]); + // Redirect output to /dev/null; we read from the status fd + dup2(nullfd, STDOUT_FILENO); + dup2(nullfd, STDERR_FILENO); + // Redirect the pipe to the status fd (3) + dup2(fd[1], statusfd); + + putenv((char *)"LANG="); + putenv((char *)"LC_ALL="); + putenv((char *)"LC_MESSAGES="); + } + + execvp(gpgvpath.c_str(), (char **) &Args[0]); + return true; } /*}}}*/ bool TranslationsCopy::CopyTranslations(string CDROM,string Name, /*{{{*/ diff --git a/apt-pkg/indexcopy.h b/apt-pkg/indexcopy.h index ee6557a3d..6fcd3b8ce 100644 --- a/apt-pkg/indexcopy.h +++ b/apt-pkg/indexcopy.h @@ -90,8 +90,14 @@ class SigVerify /*{{{*/ bool CopyAndVerify(string CDROM,string Name,vector &SigList, vector PkgList,vector SrcList); - /** \brief generates the command to verify a file with gpgv */ - static std::vector GetGPGVCommandLine(); + /** \brief generates and run the command to verify a file with gpgv */ + static bool RunGPGV(std::string const &File, std::string const &FileOut, + int const &statusfd, int fd[2]); + inline static bool RunGPGV(std::string const &File, std::string const &FileOut, + int const &statusfd = -1) { + int fd[2]; + return RunGPGV(File, FileOut, statusfd, fd); + }; }; /*}}}*/ diff --git a/methods/gpgv.cc b/methods/gpgv.cc index 5f5f23f7d..018e4f622 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -55,61 +55,29 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, if (Debug == true) std::clog << "inside VerifyGetSigners" << std::endl; - pid_t pid; int fd[2]; - FILE *pipein; - int status; - - string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv"); - std::vector Args = SigVerify::GetGPGVCommandLine(); - if (Args.empty() == true) - { - // TRANSLATOR: %s is the trusted keyring parts directory - ioprintf(ret, _("No keyring installed in %s."), - _config->FindDir("Dir::Etc::TrustedParts", "/etc/apt/trusted.gpg.d").c_str()); - return ret.str(); - } if (pipe(fd) < 0) return "Couldn't create pipe"; - pid = fork(); + pid_t pid = fork(); if (pid < 0) return string("Couldn't spawn new process") + strerror(errno); else if (pid == 0) { - Args.push_back("--status-fd"); - Args.push_back("3"); - Args.push_back(file); - Args.push_back(outfile); - Args.push_back(NULL); - - if (Debug == true) + if (SigVerify::RunGPGV(outfile, file, 3, fd) == false) { - std::clog << "Preparing to exec: " << gpgvpath; - for(std::vector::const_iterator a = Args.begin();*a != NULL; ++a) - std::clog << " " << *a; - std::clog << std::endl; + // TRANSLATOR: %s is the trusted keyring parts directory + ioprintf(ret, _("No keyring installed in %s."), + _config->FindDir("Dir::Etc::TrustedParts", "/etc/apt/trusted.gpg.d").c_str()); + return ret.str(); } - int const nullfd = open("/dev/null", O_RDONLY); - close(fd[0]); - // Redirect output to /dev/null; we read from the status fd - dup2(nullfd, STDOUT_FILENO); - dup2(nullfd, STDERR_FILENO); - // Redirect the pipe to the status fd (3) - dup2(fd[1], 3); - - putenv((char *)"LANG="); - putenv((char *)"LC_ALL="); - putenv((char *)"LC_MESSAGES="); - execvp(gpgvpath.c_str(), (char **) &Args[0]); - exit(111); } close(fd[1]); - pipein = fdopen(fd[0], "r"); - + FILE *pipein = fdopen(fd[0], "r"); + // Loop over the output of gpgv, and check the signatures. size_t buffersize = 64; char *buffer = (char *) malloc(buffersize); @@ -182,6 +150,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, } fclose(pipein); + int status; waitpid(pid, &status, 0); if (Debug == true) { @@ -200,7 +169,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, } else if (WEXITSTATUS(status) == 111) { - ioprintf(ret, _("Could not execute '%s' to verify signature (is gpgv installed?)"), gpgvpath.c_str()); + ioprintf(ret, _("Could not execute 'gpgv' to verify signature (is gpgv installed?)")); return ret.str(); } else -- cgit v1.2.3-70-g09d2