xbps-install: add --verify-sig option. #384
base: master
Conversation
Forcing signature verification for local packages can be useful for innumerous reasons, the simplest one being the possibility of adding a test suite for this part of the code without requiring a test setup running a server or similar. For this, it was necessary to add a new flag value to xbps_handle, and I took the opportunity to re-organize the code a bit, including always checking sha256 for all packages and reporting when remove(3) fails.
free(sigfile); | ||
xbps_set_cb_state(xhp, XBPS_STATE_VERIFY_FAIL, rv, pkgver, | ||
"%s: %s.", pkgver, errmsg); | ||
} | ||
goto out; |
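Review bot: `free(sigfile);` runs just before `goto out;` in this failure branch; if the `out:` label also releases `sigfile` (the label is outside this excerpt), that is a double free, so either set `sigfile = NULL` right after the local free or let the `out:` cleanup own the release and drop the free here. Whether the `goto` itself is redundant depends on what sits between this block and `out:`, which the excerpt does not show, so the intent (skip everything that follows on failure) is worth a one-line comment.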
This goto is, and was, excessive.
I decided to keep it so people didn't forget to add it back if it became necessary to add more stuff to do after the conditionals are done. What do you think?
Fine, let it stay.
Checking the sha256sum of packages that are going to be verified by signature is pointless: now the whole file is read twice, generating the same checksum once just to check the checksum and once to verify the signature.
I had it in my head that the signature checking happened with the checksum stored in repodata, for some reason. Would it be ok to add another parameter to
There is already
This function allows us to check the sha256 sum for a particular file, while at the same time storing the calculated digest in the provided struct. This allows us to always check the sha256 sum for packages during installation, but also not have to scan the package twice when checking its signature. In order to simplify the code and the necessary error checking, and because some functions take a length parameter for the binary hash while others don't, introduce the xbps_sha256_digest struct, which guarantees we are always passing a binary digest to functions which require one and guarantees it has the necessary length to hold the digest, therefore providing some form of type and memory safety and avoiding the need to pass and propagate length parameters everywhere.
This pull request introduces 1 alert when merging 2e427b0 into 01180f9 - view on LGTM.com new alerts:
Useful to print a signature path into a string and return a pointer to the start of the ".sig" suffix. Also checks if the whole format string actually fit into the destination. Replace the manual computation in download_binpkg with it.
verify_binpkg was using the package path instead of the signature path in xbps_verify_signature. Compute the signature path using the new xbps_file_sig_path, and as a bonus avoid new allocations.
This actually checks that the resulting string fit inside the buffer, so we avoid using a truncated path.
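The truncation check these commits describe, as an added illustration that is not xbps's own code: `sig_path` is a hypothetical stand-in for the new `xbps_file_sig_path` (name, signature and the package path are assumptions), shown next to an unchecked variant of the kind of manual computation being replaced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the problem being fixed: the return value of snprintf()
 * is ignored, so a too-small buffer is still handed back and whatever
 * fits of "<binpkg>.sig" would be opened as the signature file. */
static const char *
sig_path_unchecked(char *buf, size_t bufsz, const char *binpkg)
{
    snprintf(buf, bufsz, "%s.sig", binpkg);
    return buf;
}

/* Hypothetical stand-in for xbps_file_sig_path (an assumption, not the
 * project's code): write "<binpkg>.sig" into buf and return a pointer to
 * the ".sig" suffix, or NULL if the whole string did not fit. */
static const char *
sig_path(char *buf, size_t bufsz, const char *binpkg)
{
    int n = snprintf(buf, bufsz, "%s.sig", binpkg);

    /* snprintf() returns the length the full string needed, excluding the
     * NUL: n >= bufsz means it was cut short, n < 0 is an output error.
     * In both cases the buffer holds no usable path, so refuse it. */
    if (n < 0 || (size_t)n >= bufsz)
        return NULL;
    return buf + n - strlen(".sig");
}

/* Stand-alone demonstration with a constructed package path. */
int
main(void)
{
    char buf[64], small[16];
    const char *pkg = "/var/cache/xbps/foo-1.0_1.x86_64.xbps"; /* constructed */
    const char *sfx = sig_path(buf, sizeof buf, pkg);

    printf("checked  : %s\n", sfx ? buf : "(did not fit, refused)");
    printf("checked  : 16-byte buffer -> %s\n",
           sig_path(small, sizeof small, pkg) ? small : "(did not fit, refused)");
    /* The unchecked variant silently yields the cache directory instead. */
    printf("unchecked: 16-byte buffer -> %s\n",
           sig_path_unchecked(small, sizeof small, pkg));
    return sfx == NULL;
}
```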
This pull request introduces 2 alerts when merging 1ac0716 into 01180f9 - view on LGTM.com new alerts:
Also add documentation to man page.
This pull request introduces 2 alerts when merging d5a7640 into 01180f9 - view on LGTM.com new alerts:
I added at least two I haven't addressed @Chocimier's comment on the goto, waiting for an answer to my response. Could add some tests for signing here already, to lay the groundwork for a potential move to a different signature scheme. Would appreciate some review.
There is the other codepath in
Forcing signature verification for local packages can be useful for
innumerous reasons, the simplest one being the possibility of adding a
test suite for this part of the code without requiring a test setup
running a server or similar.
For this, it was necessary to add a new flag value to xbps_handle, and I
took the opportunity to re-organize the code a bit, including always
checking sha256 for all packages and reporting when remove(3) fails.
Somewhat WIP, lacks man page docs. But it works :)