check when finished downloading the InRelease file if it has the expected gpg clearsi...

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index a30e98858adf645763408442fc185ade9a1413e7..9723cddac59e41b5fe081bd474367e5036a9a3d2 100644 (file)
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1235,9 +1235,17 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash,   /
       }
       else
       {
+         // if we expect a ClearTextSignature (InRelase), ensure that
+         // this is what we get and if not fail to queue a 
+         // Release/Release.gpg, see #346386
+         if (SigFile == DestFile && !IsPgpClearTextSignature(DestFile))
+         {
+            Failed(Message, Cfg);
+            return;
+         }
+
          // There was a signature file, so pass it to gpgv for
          // verification
-
          if (_config->FindB("Debug::pkgAcquire::Auth", false))
             std::cerr << "Metaindex acquired, queueing gpg verification ("
                       << SigFile << "," << DestFile << ")\n";

diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 1808489d7d276cc47c23afdde3589e0301c3fed8..7af5f5f5e1675824a244bb885a250984062f7125 100644 (file)
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -824,6 +824,26 @@ bool ExecWait(pid_t Pid,const char *Name,bool Reap)
 }
                                                                        /*}}}*/
 
+// IsPgpClearTextSignature - Check if a file is Pgp/GPG clearsigned     /*{{{*/
+// ---------------------------------------------------------------------
+/* */
+bool IsPgpClearTextSignature(string const &FileName)
+{
+   static const char* SIGMSG = "-----BEGIN PGP SIGNED MESSAGE-----\n";
+   char buffer[sizeof(SIGMSG)];
+   FILE* gpg = fopen(FileName.c_str(), "r");
+   if (gpg == NULL)
+      return false;
+
+   char const * const test = fgets(buffer, sizeof(buffer), gpg);
+   fclose(gpg);
+   if (test == NULL || strcmp(buffer, SIGMSG) != 0)
+      return false;
+
+   return true;
+}
+
+
 // FileFd::Open - Open a file                                          /*{{{*/
 // ---------------------------------------------------------------------
 /* The most commonly used open mode combinations are given with Mode */

diff --git a/apt-pkg/contrib/fileutl.h b/apt-pkg/contrib/fileutl.h
index 1ca41cb7d66c6b21cc3950613e30f696f4e6357b..c51add66e7417491826039bff919e08dab6e4389 100644 (file)
--- a/apt-pkg/contrib/fileutl.h
+++ b/apt-pkg/contrib/fileutl.h
@@ -179,6 +179,8 @@ bool WaitFd(int Fd,bool write = false,unsigned long timeout = 0);
 pid_t ExecFork();
 bool ExecWait(pid_t Pid,const char *Name,bool Reap = false);
 
+bool IsPgpClearTextSignature(std::string const &FileName);
+
 // File string manipulators
 std::string flNotDir(std::string File);
 std::string flNotFile(std::string File);
@@ -186,4 +188,6 @@ std::string flNoLink(std::string File);
 std::string flExtension(std::string File);
 std::string flCombine(std::string Dir,std::string File);
 
+
+
 #endif

diff --git a/apt-pkg/indexcopy.cc b/apt-pkg/indexcopy.cc
index e29e2819cb5eb5a806da8a757624999cc2534a06..db3d10ecd64dcfc78a4ee6a493a104f55fc63642 100644 (file)
--- a/apt-pkg/indexcopy.cc
+++ b/apt-pkg/indexcopy.cc
@@ -648,16 +648,12 @@ bool SigVerify::RunGPGV(std::string const &File, std::string const &FileGPG,
 {
    if (File == FileGPG)
    {
-      #define SIGMSG "-----BEGIN PGP SIGNED MESSAGE-----\n"
-      char buffer[sizeof(SIGMSG)];
       FILE* gpg = fopen(File.c_str(), "r");
       if (gpg == NULL)
         return _error->Errno("RunGPGV", _("Could not open file %s"), File.c_str());
-      char const * const test = fgets(buffer, sizeof(buffer), gpg);
       fclose(gpg);
-      if (test == NULL || strcmp(buffer, SIGMSG) != 0)
+      if (!IsPgpClearTextSignature(File))
         return _error->Error(_("File %s doesn't start with a clearsigned message"), File.c_str());
-      #undef SIGMSG
    }