]> git.saurik.com Git - apt.git/blob - methods/gpgv.cc
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
* added apt-ftparchive.conf example
[apt.git] / methods / gpgv.cc
1 #include <apt-pkg/error.h>
2 #include <apt-pkg/acquire-method.h>
3 #include <apt-pkg/strutl.h>
4 #include <apti18n.h>
5
6 #include <sys/stat.h>
7 #include <unistd.h>
8 #include <utime.h>
9 #include <stdio.h>
10 #include <fcntl.h>
11 #include <errno.h>
12 #include <sys/wait.h>
13 #include <iostream>
14
15 #define GNUPGPREFIX "[GNUPG:]"
16 #define GNUPGBADSIG "[GNUPG:] BADSIG"
17 #define GNUPGNOPUBKEY "[GNUPG:] NO_PUBKEY"
18 #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
19
20 class GPGVMethod : public pkgAcqMethod
21 {
22 private:
23 const char *VerifyGetSigners(const char *file, const char *outfile,
24 vector<string> &GoodSigners, vector<string> &BadSigners,
25 vector<string> &NoPubKeySigners);
26
27 protected:
28 virtual bool Fetch(FetchItem *Itm);
29
30 public:
31
32 GPGVMethod() : pkgAcqMethod("1.0",SingleInstance | SendConfig) {};
33 };
34
35 const char *GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
36 vector<string> &GoodSigners,
37 vector<string> &BadSigners,
38 vector<string> &NoPubKeySigners)
39 {
40 if (_config->FindB("Debug::Acquire::gpgv", false))
41 {
42 std::cerr << "inside VerifyGetSigners" << std::endl;
43 }
44 pid_t pid;
45 int fd[2];
46 FILE *pipein;
47 int status;
48 struct stat buff;
49 string gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv");
50 string pubringpath = _config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg");
51 if (_config->FindB("Debug::Acquire::gpgv", false))
52 {
53 std::cerr << "gpgv path: " << gpgvpath << std::endl;
54 std::cerr << "Keyring path: " << pubringpath << std::endl;
55 }
56
57 if (stat(pubringpath.c_str(), &buff) != 0)
58 return (string("Couldn't access keyring: ") + strerror(errno)).c_str();
59
60 if (pipe(fd) < 0)
61 {
62 return "Couldn't create pipe";
63 }
64
65 pid = fork();
66 if (pid < 0)
67 {
68 return (string("Couldn't spawn new process") + strerror(errno)).c_str();
69 }
70 else if (pid == 0)
71 {
72 const char *Args[400];
73 unsigned int i = 0;
74
75 Args[i++] = gpgvpath.c_str();
76 Args[i++] = "--status-fd";
77 Args[i++] = "3";
78 Args[i++] = "--keyring";
79 Args[i++] = pubringpath.c_str();
80
81 Configuration::Item const *Opts;
82 Opts = _config->Tree("Acquire::gpgv::Options");
83 if (Opts != 0)
84 {
85 Opts = Opts->Child;
86 for (; Opts != 0; Opts = Opts->Next)
87 {
88 if (Opts->Value.empty() == true)
89 continue;
90 Args[i++] = Opts->Value.c_str();
91 if(i >= 395) {
92 std::cerr << _("E: Argument list from Acquire::gpgv::Options too long. Exiting.") << std::endl;
93 exit(111);
94 }
95 }
96 }
97 Args[i++] = file;
98 Args[i++] = outfile;
99 Args[i++] = NULL;
100
101 if (_config->FindB("Debug::Acquire::gpgv", false))
102 {
103 std::cerr << "Preparing to exec: " << gpgvpath;
104 for(unsigned int j=0;Args[j] != NULL; j++)
105 std::cerr << " " << Args[j];
106 std::cerr << std::endl;
107 }
108 int nullfd = open("/dev/null", O_RDONLY);
109 close(fd[0]);
110 // Redirect output to /dev/null; we read from the status fd
111 dup2(nullfd, STDOUT_FILENO);
112 dup2(nullfd, STDERR_FILENO);
113 // Redirect the pipe to the status fd (3)
114 dup2(fd[1], 3);
115
116 putenv("LANG=");
117 putenv("LC_ALL=");
118 putenv("LC_MESSAGES=");
119 execvp(gpgvpath.c_str(), (char **)Args);
120
121 exit(111);
122 }
123 close(fd[1]);
124
125 pipein = fdopen(fd[0], "r");
126
127 // Loop over the output of gpgv, and check the signatures.
128 size_t buffersize = 64;
129 char *buffer = (char *) malloc(buffersize);
130 size_t bufferoff = 0;
131 while (1)
132 {
133 int c;
134
135 // Read a line. Sigh.
136 while ((c = getc(pipein)) != EOF && c != '\n')
137 {
138 if (bufferoff == buffersize)
139 buffer = (char *) realloc(buffer, buffersize *= 2);
140 *(buffer+bufferoff) = c;
141 bufferoff++;
142 }
143 if (bufferoff == 0 && c == EOF)
144 break;
145 *(buffer+bufferoff) = '\0';
146 bufferoff = 0;
147 if (_config->FindB("Debug::Acquire::gpgv", false))
148 std::cerr << "Read: " << buffer << std::endl;
149
150 // Push the data into three separate vectors, which
151 // we later concatenate. They're kept separate so
152 // if we improve the apt method communication stuff later
153 // it will be better.
154 if (strncmp(buffer, GNUPGBADSIG, sizeof(GNUPGBADSIG)-1) == 0)
155 {
156 if (_config->FindB("Debug::Acquire::gpgv", false))
157 std::cerr << "Got BADSIG! " << std::endl;
158 BadSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
159 }
160
161 if (strncmp(buffer, GNUPGNOPUBKEY, sizeof(GNUPGNOPUBKEY)-1) == 0)
162 {
163 if (_config->FindB("Debug::Acquire::gpgv", false))
164 std::cerr << "Got NO_PUBKEY " << std::endl;
165 NoPubKeySigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
166 }
167
168 if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
169 {
170 char *sig = buffer + sizeof(GNUPGPREFIX);
171 char *p = sig + sizeof("VALIDSIG");
172 while (*p && isxdigit(*p))
173 p++;
174 *p = 0;
175 if (_config->FindB("Debug::Acquire::gpgv", false))
176 std::cerr << "Got VALIDSIG, key ID:" << sig << std::endl;
177 GoodSigners.push_back(string(sig));
178 }
179 }
180 fclose(pipein);
181
182 waitpid(pid, &status, 0);
183 if (_config->FindB("Debug::Acquire::gpgv", false))
184 {
185 std::cerr << "gpgv exited\n";
186 }
187
188 if (WEXITSTATUS(status) == 0)
189 {
190 if (GoodSigners.empty())
191 return _("Internal error: Good signature, but could not determine key fingerprint?!");
192 return NULL;
193 }
194 else if (WEXITSTATUS(status) == 1)
195 {
196 return _("At least one invalid signature was encountered.");
197 }
198 else if (WEXITSTATUS(status) == 111)
199 {
200 // FIXME String concatenation considered harmful.
201 return (string(_("Could not execute ")) + gpgvpath +
202 string(_(" to verify signature (is gnupg installed?)"))).c_str();
203 }
204 else
205 {
206 return _("Unknown error executing gpgv");
207 }
208 }
209
210 bool GPGVMethod::Fetch(FetchItem *Itm)
211 {
212 URI Get = Itm->Uri;
213 string Path = Get.Host + Get.Path; // To account for relative paths
214 string keyID;
215 vector<string> GoodSigners;
216 vector<string> BadSigners;
217 vector<string> NoPubKeySigners;
218
219 FetchResult Res;
220 Res.Filename = Itm->DestFile;
221 URIStart(Res);
222
223 // Run gpgv on file, extract contents and get the key ID of the signer
224 const char *msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(),
225 GoodSigners, BadSigners, NoPubKeySigners);
226 if (GoodSigners.empty() || !BadSigners.empty() || !NoPubKeySigners.empty())
227 {
228 string errmsg;
229 // In this case, something bad probably happened, so we just go
230 // with what the other method gave us for an error message.
231 if (BadSigners.empty() && NoPubKeySigners.empty())
232 errmsg = msg;
233 else
234 {
235 if (!BadSigners.empty())
236 {
237 errmsg += _("The following signatures were invalid:\n");
238 for (vector<string>::iterator I = BadSigners.begin();
239 I != BadSigners.end(); I++)
240 errmsg += (*I + "\n");
241 }
242 if (!NoPubKeySigners.empty())
243 {
244 errmsg += _("The following signatures couldn't be verified because the public key is not available:\n");
245 for (vector<string>::iterator I = NoPubKeySigners.begin();
246 I != NoPubKeySigners.end(); I++)
247 errmsg += (*I + "\n");
248 }
249 }
250 return _error->Error(errmsg.c_str());
251 }
252
253 // Transfer the modification times
254 struct stat Buf;
255 if (stat(Path.c_str(),&Buf) != 0)
256 return _error->Errno("stat",_("Failed to stat %s"), Path.c_str());
257
258 struct utimbuf TimeBuf;
259 TimeBuf.actime = Buf.st_atime;
260 TimeBuf.modtime = Buf.st_mtime;
261 if (utime(Itm->DestFile.c_str(),&TimeBuf) != 0)
262 return _error->Errno("utime",_("Failed to set modification time"));
263
264 if (stat(Itm->DestFile.c_str(),&Buf) != 0)
265 return _error->Errno("stat",_("Failed to stat"));
266
267 // Return a Done response
268 Res.LastModified = Buf.st_mtime;
269 Res.Size = Buf.st_size;
270 // Just pass the raw output up, because passing it as a real data
271 // structure is too difficult with the method stuff. We keep it
272 // as three separate vectors for future extensibility.
273 Res.GPGVOutput = GoodSigners;
274 Res.GPGVOutput.insert(Res.GPGVOutput.end(),BadSigners.begin(),BadSigners.end());
275 Res.GPGVOutput.insert(Res.GPGVOutput.end(),NoPubKeySigners.begin(),NoPubKeySigners.end());
276 URIDone(Res);
277
278 if (_config->FindB("Debug::Acquire::gpgv", false))
279 {
280 std::cerr << "gpgv succeeded\n";
281 }
282
283 return true;
284 }
285
286
287 int main()
288 {
289 setlocale(LC_ALL, "");
290
291 GPGVMethod Mth;
292
293 return Mth.Run();
294 }
APT (for Cydia)