]>
Commit | Line | Data |
---|---|---|
ea542140 DK |
1 | #include <config.h> |
2 | ||
472ff00e | 3 | #include <apt-pkg/configuration.h> |
453b82a3 | 4 | #include <apt-pkg/error.h> |
2f5b6151 | 5 | #include <apt-pkg/gpgv.h> |
453b82a3 | 6 | #include <apt-pkg/strutl.h> |
3927c6da | 7 | #include <apt-pkg/fileutl.h> |
23e64f6d | 8 | #include "aptmethod.h" |
b3d44315 | 9 | |
453b82a3 | 10 | #include <ctype.h> |
b3d44315 | 11 | #include <errno.h> |
453b82a3 DK |
12 | #include <stddef.h> |
13 | #include <stdio.h> | |
14 | #include <stdlib.h> | |
15 | #include <string.h> | |
b3d44315 | 16 | #include <sys/wait.h> |
453b82a3 | 17 | #include <unistd.h> |
4e03c47d | 18 | |
d9105124 | 19 | #include <array> |
4e03c47d | 20 | #include <algorithm> |
d9105124 JAK |
21 | #include <sstream> |
22 | #include <iterator> | |
b3d44315 | 23 | #include <iostream> |
453b82a3 | 24 | #include <string> |
f5a3d009 DK |
25 | #include <vector> |
26 | ||
ea542140 DK |
27 | #include <apti18n.h> |
28 | ||
8f3ba4e8 DK |
29 | using std::string; |
30 | using std::vector; | |
31 | ||
b3d44315 MV |
32 | #define GNUPGPREFIX "[GNUPG:]" |
33 | #define GNUPGBADSIG "[GNUPG:] BADSIG" | |
08b7761a | 34 | #define GNUPGERRSIG "[GNUPG:] ERRSIG" |
b3d44315 MV |
35 | #define GNUPGNOPUBKEY "[GNUPG:] NO_PUBKEY" |
36 | #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG" | |
c5d8878d | 37 | #define GNUPGGOODSIG "[GNUPG:] GOODSIG" |
f13b413a | 38 | #define GNUPGEXPKEYSIG "[GNUPG:] EXPKEYSIG" |
1af227c2 | 39 | #define GNUPGEXPSIG "[GNUPG:] EXPSIG" |
c5d8878d | 40 | #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG" |
2abb68b7 | 41 | #define GNUPGNODATA "[GNUPG:] NODATA" |
29c59095 | 42 | #define APTKEYWARNING "[APTKEY:] WARNING" |
8e438ede | 43 | #define APTKEYERROR "[APTKEY:] ERROR" |
b3d44315 | 44 | |
349c5c89 JAK |
45 | struct Digest { |
46 | enum class State { | |
47 | Untrusted, | |
48 | Weak, | |
49 | Trusted, | |
50 | } state; | |
51 | char name[32]; | |
08b7761a DK |
52 | |
53 | State getState() const { | |
6a4958d3 JAK |
54 | std::string optionUntrusted; |
55 | std::string optionWeak; | |
56 | strprintf(optionUntrusted, "APT::Hashes::%s::Untrusted", name); | |
57 | strprintf(optionWeak, "APT::Hashes::%s::Weak", name); | |
58 | if (_config->FindB(optionUntrusted, state == State::Untrusted) == true) | |
08b7761a | 59 | return State::Untrusted; |
6a4958d3 JAK |
60 | if (_config->FindB(optionWeak, state == State::Weak) == true) |
61 | return State::Weak; | |
62 | ||
63 | return state; | |
08b7761a | 64 | } |
d9105124 JAK |
65 | }; |
66 | ||
349c5c89 JAK |
67 | static constexpr Digest Digests[] = { |
68 | {Digest::State::Untrusted, "Invalid digest"}, | |
69 | {Digest::State::Untrusted, "MD5"}, | |
70 | {Digest::State::Weak, "SHA1"}, | |
71 | {Digest::State::Weak, "RIPE-MD/160"}, | |
72 | {Digest::State::Trusted, "Reserved digest"}, | |
73 | {Digest::State::Trusted, "Reserved digest"}, | |
74 | {Digest::State::Trusted, "Reserved digest"}, | |
75 | {Digest::State::Trusted, "Reserved digest"}, | |
76 | {Digest::State::Trusted, "SHA256"}, | |
77 | {Digest::State::Trusted, "SHA384"}, | |
78 | {Digest::State::Trusted, "SHA512"}, | |
6a4958d3 | 79 | {Digest::State::Trusted, "SHA224"}, |
349c5c89 JAK |
80 | }; |
81 | ||
82 | static Digest FindDigest(std::string const & Digest) | |
83 | { | |
84 | int id = atoi(Digest.c_str()); | |
85 | if (id >= 0 && static_cast<unsigned>(id) < _count(Digests)) { | |
86 | return Digests[id]; | |
87 | } else { | |
88 | return Digests[0]; | |
89 | } | |
90 | } | |
91 | ||
92 | struct Signer { | |
93 | std::string key; | |
94 | std::string note; | |
07ea3af0 | 95 | }; |
08b7761a DK |
96 | static bool IsTheSameKey(std::string const &validsig, std::string const &goodsig) { |
97 | // VALIDSIG reports a keyid (40 = 24 + 16), GOODSIG is a longid (16) only | |
98 | return validsig.compare(24, 16, goodsig, strlen("GOODSIG "), 16) == 0; | |
99 | } | |
07ea3af0 | 100 | |
23e64f6d | 101 | class GPGVMethod : public aptMethod |
b3d44315 MV |
102 | { |
103 | private: | |
da9ed163 | 104 | string VerifyGetSigners(const char *file, const char *outfile, |
b0d40854 DK |
105 | std::string const &key, |
106 | vector<string> &GoodSigners, | |
c5d8878d MV |
107 | vector<string> &BadSigners, |
108 | vector<string> &WorthlessSigners, | |
349c5c89 | 109 | vector<Signer> &SoonWorthlessSigners, |
b3d44315 | 110 | vector<string> &NoPubKeySigners); |
b3d44315 | 111 | protected: |
3b302846 | 112 | virtual bool URIAcquire(std::string const &Message, FetchItem *Itm) APT_OVERRIDE; |
b3d44315 | 113 | public: |
23e64f6d | 114 | GPGVMethod() : aptMethod("gpgv","1.0",SingleInstance | SendConfig) {}; |
b3d44315 | 115 | }; |
5419a6ce DK |
116 | static void PushEntryWithKeyID(std::vector<std::string> &Signers, char * const buffer, bool const Debug) |
117 | { | |
118 | char * const msg = buffer + sizeof(GNUPGPREFIX); | |
119 | char *p = msg; | |
120 | // skip the message | |
121 | while (*p && !isspace(*p)) | |
122 | ++p; | |
123 | // skip the seperator whitespace | |
124 | ++p; | |
125 | // skip the hexdigit fingerprint | |
126 | while (*p && isxdigit(*p)) | |
127 | ++p; | |
128 | // cut the rest from the message | |
129 | *p = '\0'; | |
130 | if (Debug == true) | |
131 | std::clog << "Got " << msg << " !" << std::endl; | |
132 | Signers.push_back(msg); | |
133 | } | |
134 | static void PushEntryWithUID(std::vector<std::string> &Signers, char * const buffer, bool const Debug) | |
135 | { | |
136 | std::string msg = buffer + sizeof(GNUPGPREFIX); | |
137 | auto const nuke = msg.find_last_not_of("\n\t\r"); | |
138 | if (nuke != std::string::npos) | |
139 | msg.erase(nuke + 1); | |
140 | if (Debug == true) | |
141 | std::clog << "Got " << msg << " !" << std::endl; | |
142 | Signers.push_back(msg); | |
143 | } | |
da9ed163 | 144 | string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, |
b0d40854 | 145 | std::string const &key, |
b3d44315 MV |
146 | vector<string> &GoodSigners, |
147 | vector<string> &BadSigners, | |
c5d8878d | 148 | vector<string> &WorthlessSigners, |
349c5c89 | 149 | vector<Signer> &SoonWorthlessSigners, |
b3d44315 MV |
150 | vector<string> &NoPubKeySigners) |
151 | { | |
30060442 | 152 | bool const Debug = DebugEnabled(); |
da9ed163 | 153 | |
46e39c8e MV |
154 | if (Debug == true) |
155 | std::clog << "inside VerifyGetSigners" << std::endl; | |
156 | ||
b3d44315 | 157 | int fd[2]; |
4e03c47d | 158 | bool const keyIsID = (key.empty() == false && key[0] != '/'); |
46e39c8e | 159 | |
b3d44315 | 160 | if (pipe(fd) < 0) |
b3d44315 | 161 | return "Couldn't create pipe"; |
b3d44315 | 162 | |
cf440fac | 163 | pid_t pid = fork(); |
b3d44315 | 164 | if (pid < 0) |
da9ed163 | 165 | return string("Couldn't spawn new process") + strerror(errno); |
b3d44315 | 166 | else if (pid == 0) |
4e03c47d | 167 | ExecGPGV(outfile, file, 3, fd, (keyIsID ? "" : key)); |
b3d44315 MV |
168 | close(fd[1]); |
169 | ||
cf440fac DK |
170 | FILE *pipein = fdopen(fd[0], "r"); |
171 | ||
b39bb552 | 172 | // Loop over the output of apt-key (which really is gnupg), and check the signatures. |
4e03c47d | 173 | std::vector<std::string> ValidSigners; |
08b7761a | 174 | std::vector<std::string> ErrSigners; |
bf6ac7ca DK |
175 | size_t buffersize = 0; |
176 | char *buffer = NULL; | |
2fac0dd5 | 177 | bool gotNODATA = false; |
b3d44315 MV |
178 | while (1) |
179 | { | |
bf6ac7ca DK |
180 | if (getline(&buffer, &buffersize, pipein) == -1) |
181 | break; | |
46e39c8e MV |
182 | if (Debug == true) |
183 | std::clog << "Read: " << buffer << std::endl; | |
b3d44315 MV |
184 | |
185 | // Push the data into three separate vectors, which | |
186 | // we later concatenate. They're kept separate so | |
187 | // if we improve the apt method communication stuff later | |
188 | // it will be better. | |
189 | if (strncmp(buffer, GNUPGBADSIG, sizeof(GNUPGBADSIG)-1) == 0) | |
5419a6ce | 190 | PushEntryWithUID(BadSigners, buffer, Debug); |
08b7761a | 191 | else if (strncmp(buffer, GNUPGERRSIG, sizeof(GNUPGERRSIG)-1) == 0) |
5419a6ce | 192 | PushEntryWithKeyID(ErrSigners, buffer, Debug); |
4e03c47d | 193 | else if (strncmp(buffer, GNUPGNOPUBKEY, sizeof(GNUPGNOPUBKEY)-1) == 0) |
b3d44315 | 194 | { |
5419a6ce | 195 | PushEntryWithKeyID(NoPubKeySigners, buffer, Debug); |
08b7761a | 196 | ErrSigners.erase(std::remove_if(ErrSigners.begin(), ErrSigners.end(), [&](std::string const &errsig) { |
5419a6ce | 197 | return errsig.compare(strlen("ERRSIG "), 16, buffer, sizeof(GNUPGNOPUBKEY), 16) == 0; }), ErrSigners.end()); |
b3d44315 | 198 | } |
2fac0dd5 DK |
199 | else if (strncmp(buffer, GNUPGNODATA, sizeof(GNUPGNODATA)-1) == 0) |
200 | gotNODATA = true; | |
f13b413a | 201 | else if (strncmp(buffer, GNUPGEXPKEYSIG, sizeof(GNUPGEXPKEYSIG)-1) == 0) |
5419a6ce | 202 | PushEntryWithUID(WorthlessSigners, buffer, Debug); |
1af227c2 | 203 | else if (strncmp(buffer, GNUPGEXPSIG, sizeof(GNUPGEXPSIG)-1) == 0) |
5419a6ce | 204 | PushEntryWithUID(WorthlessSigners, buffer, Debug); |
4e03c47d | 205 | else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0) |
5419a6ce | 206 | PushEntryWithUID(WorthlessSigners, buffer, Debug); |
4e03c47d | 207 | else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) |
5419a6ce | 208 | PushEntryWithKeyID(GoodSigners, buffer, Debug); |
4e03c47d DK |
209 | else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0) |
210 | { | |
5419a6ce | 211 | std::istringstream iss(buffer + sizeof(GNUPGVALIDSIG)); |
d9105124 JAK |
212 | vector<string> tokens{std::istream_iterator<string>{iss}, |
213 | std::istream_iterator<string>{}}; | |
5419a6ce | 214 | auto const sig = tokens[0]; |
d9105124 | 215 | // Reject weak digest algorithms |
349c5c89 | 216 | Digest digest = FindDigest(tokens[7]); |
08b7761a | 217 | switch (digest.getState()) { |
349c5c89 | 218 | case Digest::State::Weak: |
07ea3af0 JAK |
219 | // Treat them like an expired key: For that a message about expiry |
220 | // is emitted, a VALIDSIG, but no GOODSIG. | |
5419a6ce | 221 | SoonWorthlessSigners.push_back({sig, digest.name}); |
8fa99570 DK |
222 | if (Debug == true) |
223 | std::clog << "Got weak VALIDSIG, key ID: " << sig << std::endl; | |
349c5c89 JAK |
224 | break; |
225 | case Digest::State::Untrusted: | |
08fd77e8 JAK |
226 | // Treat them like an expired key: For that a message about expiry |
227 | // is emitted, a VALIDSIG, but no GOODSIG. | |
5419a6ce | 228 | WorthlessSigners.push_back(sig); |
08b7761a | 229 | GoodSigners.erase(std::remove_if(GoodSigners.begin(), GoodSigners.end(), [&](std::string const &goodsig) { |
5419a6ce | 230 | return IsTheSameKey(sig, goodsig); }), GoodSigners.end()); |
8fa99570 DK |
231 | if (Debug == true) |
232 | std::clog << "Got untrusted VALIDSIG, key ID: " << sig << std::endl; | |
349c5c89 | 233 | break; |
6a4958d3 JAK |
234 | |
235 | case Digest::State::Trusted: | |
8fa99570 DK |
236 | if (Debug == true) |
237 | std::clog << "Got trusted VALIDSIG, key ID: " << sig << std::endl; | |
349c5c89 | 238 | break; |
08fd77e8 | 239 | } |
d9105124 | 240 | |
5419a6ce | 241 | ValidSigners.push_back(sig); |
4e03c47d | 242 | } |
29c59095 DK |
243 | else if (strncmp(buffer, APTKEYWARNING, sizeof(APTKEYWARNING)-1) == 0) |
244 | Warning("%s", buffer + sizeof(APTKEYWARNING)); | |
8e438ede DK |
245 | else if (strncmp(buffer, APTKEYERROR, sizeof(APTKEYERROR)-1) == 0) |
246 | _error->Error("%s", buffer + sizeof(APTKEYERROR)); | |
b3d44315 MV |
247 | } |
248 | fclose(pipein); | |
1b7bf822 | 249 | free(buffer); |
08b7761a | 250 | std::move(ErrSigners.begin(), ErrSigners.end(), std::back_inserter(WorthlessSigners)); |
b3d44315 | 251 | |
4e03c47d DK |
252 | // apt-key has a --keyid parameter, but this requires gpg, so we call it without it |
253 | // and instead check after the fact which keyids where used for verification | |
254 | if (keyIsID == true) | |
255 | { | |
256 | if (Debug == true) | |
257 | std::clog << "GoodSigs needs to be limited to keyid " << key << std::endl; | |
46e00c90 DK |
258 | bool foundGood = false; |
259 | for (auto const &k: VectorizeString(key, ',')) | |
4e03c47d | 260 | { |
46e00c90 DK |
261 | if (std::find(ValidSigners.begin(), ValidSigners.end(), k) == ValidSigners.end()) |
262 | continue; | |
4e03c47d | 263 | // we look for GOODSIG here as well as an expired sig is a valid sig as well (but not a good one) |
6dc85f53 | 264 | std::string const goodfingerprint = "GOODSIG " + k; |
46e00c90 | 265 | std::string const goodlongkeyid = "GOODSIG " + k.substr(24, 16); |
6dc85f53 | 266 | foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodfingerprint) != GoodSigners.end(); |
4e03c47d | 267 | if (Debug == true) |
6dc85f53 DK |
268 | std::clog << "Key " << k << " is valid sig, is " << goodfingerprint << " also a good one? " << (foundGood ? "yes" : "no") << std::endl; |
269 | std::string goodsig; | |
270 | if (foundGood == false) | |
271 | { | |
272 | foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodlongkeyid) != GoodSigners.end(); | |
273 | if (Debug == true) | |
274 | std::clog << "Key " << k << " is valid sig, is " << goodlongkeyid << " also a good one? " << (foundGood ? "yes" : "no") << std::endl; | |
275 | goodsig = goodlongkeyid; | |
276 | } | |
277 | else | |
278 | goodsig = goodfingerprint; | |
46e00c90 DK |
279 | if (foundGood == false) |
280 | continue; | |
281 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::back_insert_iterator<std::vector<std::string> >(NoPubKeySigners)); | |
4e03c47d | 282 | GoodSigners.clear(); |
6dc85f53 DK |
283 | GoodSigners.push_back(goodsig); |
284 | NoPubKeySigners.erase( | |
285 | std::remove(NoPubKeySigners.begin(), | |
286 | std::remove(NoPubKeySigners.begin(), NoPubKeySigners.end(), goodfingerprint), | |
287 | goodlongkeyid), | |
288 | NoPubKeySigners.end() | |
289 | ); | |
46e00c90 | 290 | break; |
4e03c47d | 291 | } |
46e00c90 DK |
292 | if (foundGood == false) |
293 | { | |
294 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::back_insert_iterator<std::vector<std::string> >(NoPubKeySigners)); | |
4e03c47d | 295 | GoodSigners.clear(); |
46e00c90 | 296 | } |
4e03c47d DK |
297 | } |
298 | ||
cf440fac | 299 | int status; |
b3d44315 | 300 | waitpid(pid, &status, 0); |
46e39c8e | 301 | if (Debug == true) |
b3d44315 | 302 | { |
2737f28a | 303 | ioprintf(std::clog, "gpgv exited with status %i\n", WEXITSTATUS(status)); |
b3d44315 | 304 | } |
08b7761a DK |
305 | |
306 | if (Debug) | |
307 | { | |
308 | std::cerr << "Summary:" << std::endl << " Good: "; | |
309 | std::copy(GoodSigners.begin(), GoodSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
310 | std::cerr << std::endl << " Bad: "; | |
311 | std::copy(BadSigners.begin(), BadSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
312 | std::cerr << std::endl << " Worthless: "; | |
313 | std::copy(WorthlessSigners.begin(), WorthlessSigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
314 | std::cerr << std::endl << " SoonWorthless: "; | |
315 | std::for_each(SoonWorthlessSigners.begin(), SoonWorthlessSigners.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); | |
316 | std::cerr << std::endl << " NoPubKey: "; | |
317 | std::copy(NoPubKeySigners.begin(), NoPubKeySigners.end(), std::ostream_iterator<std::string>(std::cerr, ", ")); | |
2fac0dd5 | 318 | std::cerr << std::endl << " NODATA: " << (gotNODATA ? "yes" : "no") << std::endl; |
08b7761a DK |
319 | } |
320 | ||
2fac0dd5 DK |
321 | if (WEXITSTATUS(status) == 112) |
322 | { | |
323 | // acquire system checks for "NODATA" to generate GPG errors (the others are only warnings) | |
324 | std::string errmsg; | |
325 | //TRANSLATORS: %s is a single techy word like 'NODATA' | |
326 | strprintf(errmsg, _("Clearsigned file isn't valid, got '%s' (does the network require authentication?)"), "NODATA"); | |
327 | return errmsg; | |
328 | } | |
329 | else if (gotNODATA) | |
330 | { | |
331 | // acquire system checks for "NODATA" to generate GPG errors (the others are only warnings) | |
332 | std::string errmsg; | |
333 | //TRANSLATORS: %s is a single techy word like 'NODATA' | |
334 | strprintf(errmsg, _("Signed file isn't valid, got '%s' (does the network require authentication?)"), "NODATA"); | |
335 | return errmsg; | |
336 | } | |
337 | else if (WEXITSTATUS(status) == 0) | |
b3d44315 | 338 | { |
4e03c47d DK |
339 | if (keyIsID) |
340 | { | |
341 | // gpgv will report success, but we want to enforce a certain keyring | |
342 | // so if we haven't found the key the valid we found is in fact invalid | |
343 | if (GoodSigners.empty()) | |
344 | return _("At least one invalid signature was encountered."); | |
345 | } | |
346 | else | |
347 | { | |
348 | if (GoodSigners.empty()) | |
349 | return _("Internal error: Good signature, but could not determine key fingerprint?!"); | |
350 | } | |
da9ed163 | 351 | return ""; |
b3d44315 MV |
352 | } |
353 | else if (WEXITSTATUS(status) == 1) | |
339690e4 | 354 | return _("At least one invalid signature was encountered."); |
b3d44315 | 355 | else if (WEXITSTATUS(status) == 111) |
b39bb552 | 356 | return _("Could not execute 'apt-key' to verify signature (is gnupg installed?)"); |
b3d44315 | 357 | else |
b39bb552 | 358 | return _("Unknown error executing apt-key"); |
b3d44315 MV |
359 | } |
360 | ||
b0d40854 | 361 | bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm) |
b3d44315 | 362 | { |
b0d40854 DK |
363 | URI const Get = Itm->Uri; |
364 | string const Path = Get.Host + Get.Path; // To account for relative paths | |
365 | std::string const key = LookupTag(Message, "Signed-By"); | |
b3d44315 MV |
366 | vector<string> GoodSigners; |
367 | vector<string> BadSigners; | |
c5d8878d MV |
368 | // a worthless signature is a expired or revoked one |
369 | vector<string> WorthlessSigners; | |
349c5c89 | 370 | vector<Signer> SoonWorthlessSigners; |
b3d44315 MV |
371 | vector<string> NoPubKeySigners; |
372 | ||
373 | FetchResult Res; | |
374 | Res.Filename = Itm->DestFile; | |
375 | URIStart(Res); | |
376 | ||
b39bb552 | 377 | // Run apt-key on file, extract contents and get the key ID of the signer |
8e438ede | 378 | string const msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(), key, |
c5d8878d | 379 | GoodSigners, BadSigners, WorthlessSigners, |
07ea3af0 | 380 | SoonWorthlessSigners, NoPubKeySigners); |
8e438ede DK |
381 | if (_error->PendingError()) |
382 | return false; | |
07ea3af0 | 383 | |
8fa99570 DK |
384 | // Check if all good signers are soon worthless and warn in that case |
385 | if (std::all_of(GoodSigners.begin(), GoodSigners.end(), [&](std::string const &good) { | |
386 | return std::any_of(SoonWorthlessSigners.begin(), SoonWorthlessSigners.end(), [&](Signer const &weak) { | |
08b7761a | 387 | return IsTheSameKey(weak.key, good); |
8fa99570 DK |
388 | }); |
389 | })) | |
390 | { | |
07ea3af0 JAK |
391 | for (auto const & Signer : SoonWorthlessSigners) |
392 | // TRANSLATORS: The second %s is the reason and is untranslated for repository owners. | |
5f060c27 | 393 | Warning(_("Signature by key %s uses weak digest algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); |
07ea3af0 JAK |
394 | } |
395 | ||
b3d44315 MV |
396 | if (GoodSigners.empty() || !BadSigners.empty() || !NoPubKeySigners.empty()) |
397 | { | |
398 | string errmsg; | |
399 | // In this case, something bad probably happened, so we just go | |
400 | // with what the other method gave us for an error message. | |
c5d8878d | 401 | if (BadSigners.empty() && WorthlessSigners.empty() && NoPubKeySigners.empty()) |
b3d44315 MV |
402 | errmsg = msg; |
403 | else | |
404 | { | |
405 | if (!BadSigners.empty()) | |
406 | { | |
339690e4 | 407 | errmsg += _("The following signatures were invalid:\n"); |
b3d44315 | 408 | for (vector<string>::iterator I = BadSigners.begin(); |
f7f0d6c7 | 409 | I != BadSigners.end(); ++I) |
b3d44315 MV |
410 | errmsg += (*I + "\n"); |
411 | } | |
c5d8878d MV |
412 | if (!WorthlessSigners.empty()) |
413 | { | |
414 | errmsg += _("The following signatures were invalid:\n"); | |
415 | for (vector<string>::iterator I = WorthlessSigners.begin(); | |
f7f0d6c7 | 416 | I != WorthlessSigners.end(); ++I) |
c5d8878d MV |
417 | errmsg += (*I + "\n"); |
418 | } | |
b3d44315 MV |
419 | if (!NoPubKeySigners.empty()) |
420 | { | |
339690e4 | 421 | errmsg += _("The following signatures couldn't be verified because the public key is not available:\n"); |
b3d44315 | 422 | for (vector<string>::iterator I = NoPubKeySigners.begin(); |
f7f0d6c7 | 423 | I != NoPubKeySigners.end(); ++I) |
b3d44315 MV |
424 | errmsg += (*I + "\n"); |
425 | } | |
426 | } | |
ce424cd4 MV |
427 | // this is only fatal if we have no good sigs or if we have at |
428 | // least one bad signature. good signatures and NoPubKey signatures | |
429 | // happen easily when a file is signed with multiple signatures | |
430 | if(GoodSigners.empty() or !BadSigners.empty()) | |
f23153d0 | 431 | return _error->Error("%s", errmsg.c_str()); |
b3d44315 MV |
432 | } |
433 | ||
b3d44315 MV |
434 | // Just pass the raw output up, because passing it as a real data |
435 | // structure is too difficult with the method stuff. We keep it | |
436 | // as three separate vectors for future extensibility. | |
437 | Res.GPGVOutput = GoodSigners; | |
5419a6ce DK |
438 | std::move(BadSigners.begin(), BadSigners.end(), std::back_inserter(Res.GPGVOutput)); |
439 | std::move(NoPubKeySigners.begin(), NoPubKeySigners.end(), std::back_inserter(Res.GPGVOutput)); | |
b3d44315 MV |
440 | URIDone(Res); |
441 | ||
30060442 | 442 | if (DebugEnabled()) |
b39bb552 | 443 | std::clog << "apt-key succeeded\n"; |
b3d44315 MV |
444 | |
445 | return true; | |
446 | } | |
447 | ||
448 | ||
449 | int main() | |
450 | { | |
8b79c94a | 451 | return GPGVMethod().Run(); |
b3d44315 | 452 | } |