]> git.saurik.com Git - apt.git/blob - methods/gpgv.cc
projects / apt.git / blob
? search:


79705fe5edcc66781c56d003ea16840662c34f18
[apt.git] / methods / gpgv.cc
1 #include <apt-pkg/error.h>
2 #include <apt-pkg/acquire-method.h>
3 #include <apt-pkg/strutl.h>
4
5 #include <sys/stat.h>
6 #include <unistd.h>
7 #include <utime.h>
8 #include <stdio.h>
9 #include <fcntl.h>
10 #include <errno.h>
11 #include <sys/wait.h>
12 #include <iostream>
13
14 #define GNUPGPREFIX "[GNUPG:]"
15 #define GNUPGBADSIG "[GNUPG:] BADSIG"
16 #define GNUPGNOPUBKEY "[GNUPG:] NO_PUBKEY"
17 #define GNUPGVALIDSIG "[GNUPG:] VALIDSIG"
18
19 class GPGVMethod : public pkgAcqMethod
20 {
21 private:
22 const char *VerifyGetSigners(const char *file, const char *outfile,
23 vector<string> &GoodSigners, vector<string> &BadSigners,
24 vector<string> &NoPubKeySigners);
25
26 protected:
27 virtual bool Fetch(FetchItem *Itm);
28
29 public:
30
31 GPGVMethod() : pkgAcqMethod("1.0",SingleInstance | SendConfig) {};
32 };
33
34 const char *GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
35 vector<string> &GoodSigners,
36 vector<string> &BadSigners,
37 vector<string> &NoPubKeySigners)
38 {
39 if (_config->FindB("Debug::Acquire::gpgv", false))
40 {
41 std::cerr << "inside VerifyGetSigners" << std::endl;
42 }
43 pid_t pid;
44 int fd[2];
45 FILE *pipein;
46 int status;
47 struct stat buff;
48 string gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv");
49 string pubringpath = _config->Find("Apt::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg");
50 if (_config->FindB("Debug::Acquire::gpgv", false))
51 {
52 std::cerr << "gpgv path: " << gpgvpath << std::endl;
53 std::cerr << "Keyring path: " << pubringpath << std::endl;
54 }
55
56 if (stat(pubringpath.c_str(), &buff) != 0)
57 return (string("Couldn't access keyring: ") + strerror(errno)).c_str();
58
59 if (pipe(fd) < 0)
60 {
61 return "Couldn't create pipe";
62 }
63
64 pid = fork();
65 if (pid < 0)
66 {
67 return (string("Couldn't spawn new process") + strerror(errno)).c_str();
68 }
69 else if (pid == 0)
70 {
71 const char *Args[400];
72 unsigned int i = 0;
73
74 Args[i++] = gpgvpath.c_str();
75 Args[i++] = "--status-fd";
76 Args[i++] = "3";
77 Args[i++] = "--keyring";
78 Args[i++] = pubringpath.c_str();
79
80 Configuration::Item const *Opts;
81 Opts = _config->Tree("Acquire::gpgv::Options");
82 if (Opts != 0)
83 {
84 Opts = Opts->Child;
85 for (; Opts != 0; Opts = Opts->Next)
86 {
87 if (Opts->Value.empty() == true)
88 continue;
89 Args[i++] = Opts->Value.c_str();
90 if(i >= 395) {
91 std::cerr << "E: Argument list from Acquire::gpgv::Options too long. Exiting." << std::endl;
92 exit(111);
93 }
94 }
95 }
96 Args[i++] = file;
97 Args[i++] = outfile;
98 Args[i++] = NULL;
99
100 if (_config->FindB("Debug::Acquire::gpgv", false))
101 {
102 std::cerr << "Preparing to exec: " << gpgvpath;
103 int j;
104 for(j=0;Args[j] != NULL; j++)
105 std::cerr << Args[j] << " ";
106 std::cerr << std::endl;
107 }
108 int nullfd = open("/dev/null", O_RDONLY);
109 close(fd[0]);
110 // Redirect output to /dev/null; we read from the status fd
111 dup2(nullfd, STDOUT_FILENO);
112 dup2(nullfd, STDERR_FILENO);
113 // Redirect the pipe to the status fd (3)
114 dup2(fd[1], 3);
115
116 putenv("LANG=");
117 putenv("LC_ALL=");
118 putenv("LC_MESSAGES=");
119 execvp(gpgvpath.c_str(), (char **)Args);
120
121 exit(111);
122 }
123 close(fd[1]);
124
125 pipein = fdopen(fd[0], "r");
126
127 // Loop over the output of gpgv, and check the signatures.
128 size_t buffersize = 64;
129 char *buffer = (char *) malloc(buffersize);
130 size_t bufferoff = 0;
131 while (1)
132 {
133 int c;
134
135 // Read a line. Sigh.
136 while ((c = getc(pipein)) != EOF && c != '\n')
137 {
138 if (bufferoff == buffersize)
139 buffer = (char *) realloc(buffer, buffersize *= 2);
140 *(buffer+bufferoff) = c;
141 bufferoff++;
142 }
143 if (bufferoff == 0 && c == EOF)
144 break;
145 *(buffer+bufferoff) = '\0';
146 bufferoff = 0;
147 if (_config->FindB("Debug::Acquire::gpgv", false))
148 std::cerr << "Read: " << buffer << std::endl;
149
150 // Push the data into three separate vectors, which
151 // we later concatenate. They're kept separate so
152 // if we improve the apt method communication stuff later
153 // it will be better.
154 if (strncmp(buffer, GNUPGBADSIG, sizeof(GNUPGBADSIG)-1) == 0)
155 {
156 if (_config->FindB("Debug::Acquire::gpgv", false))
157 std::cerr << "Got BADSIG! " << std::endl;
158 BadSigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
159 }
160
161 if (strncmp(buffer, GNUPGNOPUBKEY, sizeof(GNUPGNOPUBKEY)-1) == 0)
162 {
163 if (_config->FindB("Debug::Acquire::gpgv", false))
164 std::cerr << "Got NO_PUBKEY " << std::endl;
165 NoPubKeySigners.push_back(string(buffer+sizeof(GNUPGPREFIX)));
166 }
167
168 if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
169 {
170 char *sig = buffer + sizeof(GNUPGPREFIX);
171 char *p = sig + sizeof("VALIDSIG");
172 while (*p && isxdigit(*p))
173 p++;
174 *p = 0;
175 if (_config->FindB("Debug::Acquire::gpgv", false))
176 std::cerr << "Got VALIDSIG, key ID:" << sig << std::endl;
177 GoodSigners.push_back(string(sig));
178 }
179 }
180 fclose(pipein);
181
182 waitpid(pid, &status, 0);
183 if (_config->FindB("Debug::Acquire::gpgv", false))
184 {
185 std::cerr <<"gpgv exited\n";
186 }
187
188 if (WEXITSTATUS(status) == 0)
189 {
190 if (GoodSigners.empty())
191 return "Internal error: Good signature, but could not determine key fingerprint?!";
192 return NULL;
193 }
194 else if (WEXITSTATUS(status) == 1)
195 {
196 return "At least one invalid signature was encountered.";
197 }
198 else if (WEXITSTATUS(status) == 111)
199 {
200 return (string("Could not execute ") + gpgvpath +
201 string(" to verify signature (is gnupg installed?)")).c_str();
202 }
203 else
204 {
205 return "Unknown error executing gpgv";
206 }
207 }
208
209 bool GPGVMethod::Fetch(FetchItem *Itm)
210 {
211 URI Get = Itm->Uri;
212 string Path = Get.Host + Get.Path; // To account for relative paths
213 string keyID;
214 vector<string> GoodSigners;
215 vector<string> BadSigners;
216 vector<string> NoPubKeySigners;
217
218 FetchResult Res;
219 Res.Filename = Itm->DestFile;
220 URIStart(Res);
221
222 // Run gpgv on file, extract contents and get the key ID of the signer
223 const char *msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(),
224 GoodSigners, BadSigners, NoPubKeySigners);
225 if (GoodSigners.empty() || !BadSigners.empty() || !NoPubKeySigners.empty())
226 {
227 string errmsg;
228 // In this case, something bad probably happened, so we just go
229 // with what the other method gave us for an error message.
230 if (BadSigners.empty() && NoPubKeySigners.empty())
231 errmsg = msg;
232 else
233 {
234 if (!BadSigners.empty())
235 {
236 errmsg += "The following signatures were invalid:\n";
237 for (vector<string>::iterator I = BadSigners.begin();
238 I != BadSigners.end(); I++)
239 errmsg += (*I + "\n");
240 }
241 if (!NoPubKeySigners.empty())
242 {
243 errmsg += "The following signatures couldn't be verified because the public key is not available:\n";
244 for (vector<string>::iterator I = NoPubKeySigners.begin();
245 I != NoPubKeySigners.end(); I++)
246 errmsg += (*I + "\n");
247 }
248 }
249 return _error->Error(errmsg.c_str());
250 }
251
252 // Transfer the modification times
253 struct stat Buf;
254 if (stat(Path.c_str(),&Buf) != 0)
255 return _error->Errno("stat","Failed to stat %s", Path.c_str());
256
257 struct utimbuf TimeBuf;
258 TimeBuf.actime = Buf.st_atime;
259 TimeBuf.modtime = Buf.st_mtime;
260 if (utime(Itm->DestFile.c_str(),&TimeBuf) != 0)
261 return _error->Errno("utime","Failed to set modification time");
262
263 if (stat(Itm->DestFile.c_str(),&Buf) != 0)
264 return _error->Errno("stat","Failed to stat");
265
266 // Return a Done response
267 Res.LastModified = Buf.st_mtime;
268 Res.Size = Buf.st_size;
269 // Just pass the raw output up, because passing it as a real data
270 // structure is too difficult with the method stuff. We keep it
271 // as three separate vectors for future extensibility.
272 Res.GPGVOutput = GoodSigners;
273 Res.GPGVOutput.insert(Res.GPGVOutput.end(),BadSigners.begin(),BadSigners.end());
274 Res.GPGVOutput.insert(Res.GPGVOutput.end(),NoPubKeySigners.begin(),NoPubKeySigners.end());
275 URIDone(Res);
276
277 if (_config->FindB("Debug::Acquire::gpgv", false))
278 {
279 std::cerr <<"gpgv suceeded\n";
280 }
281
282 return true;
283 }
284
285
286 int main()
287 {
288 GPGVMethod Mth;
289
290 return Mth.Run();
291 }
APT (for Cydia)