Package: debsig-verify Version: 0.10 Hello,
because we want to use debsig-verify as part of the click project I asked the ubuntu security team for a quick code review [1]. There were some issues raised, notably that some error checks are missing and the use of global state. Attached are two patches that add some additional error checking. I also started with the removal of the global state (attached as well). However it is not very elegant and I wonder if it would make more sense to have a """ struct ds_ctx { char *deb, FILE *deb_fs, char *originID } """ that is passed around as the context instead of my current approach. And please let me know if you prefer a different workflow for (many) patches like this, I can also publish my git branch somewhere if that is easier for you. Feedback/review welcome! Thanks, Michael [1] https://bugs.launchpad.net/ubuntu/+source/debsig-verify/+bug/1358272/comments/2
>From 8b89723dc6618d2718b4fa83d01c5df03ac83fca Mon Sep 17 00:00:00 2001
From: Michael Vogt <m...@ubuntu.com>
Date: Tue, 19 Aug 2014 10:09:24 +0200
Subject: [PATCH 1/5] add error checking on fork()
---
gpg-parse.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/gpg-parse.c b/gpg-parse.c
index ab450af..14a9175 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -20,7 +20,7 @@ /* * routines to parse gpg output */ - +#include <errno.h> #include <stdio.h> #include <string.h> #include <sys/types.h>
@@ -120,7 +120,10 @@ char *getSigKeyID (const char *deb, const char *type) { (ds_write = fdopen(pwrite[1], "w")) == NULL) ds_fail_printf(DS_FAIL_INTERNAL, "error opening file stream for gpg"); - if (!(pid = fork())) { + pid = fork(); + if(pid < 0) + ds_fail_printf(DS_FAIL_INTERNAL, "failed to fork (errno %s)", strerror(errno)); + if (pid == 0) { /* Here we go */ dup2(pread[1],1); close(pread[0]); close(pread[1]); dup2(pwrite[0],0); close(pwrite[0]); close(pwrite[1]);
@@ -186,7 +189,10 @@ int gpgVerify(const char *data, struct match *mtc, const char *sig) { return 0; } - if (!(pid = fork())) { + pid = fork(); + if(pid < 0) + ds_fail_printf(DS_FAIL_INTERNAL, "failed to fork (%s)", strerror(errno)); + if (pid == 0) { if (DS_LEV_DEBUG < ds_debug_level) { close(0); close(1); close(2); }
-- 2.0.0.rc0
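Review bot: The two new fork() failure messages disagree for the same condition: the getSigKeyID hunk prints `"failed to fork (errno %s)"` while the gpgVerify hunk prints `"failed to fork (%s)"`, and because the argument is `strerror(errno)` the word "errno" in the first one is misleading. Use one wording in both places, `ds_fail_printf(DS_FAIL_INTERNAL, "failed to fork (%s)", strerror(errno));`. The check also relies on ds_fail_printf() not returning, since the parent path below would otherwise continue with `pid < 0`; its definition is not part of this patch, so a short comment at the call stating that assumption would help. Both function bodies continue outside the hunks.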
>From 8bc395f20d958cde6bf079d130a3de7118a922d5 Mon Sep 17 00:00:00 2001
From: Michael Vogt <m...@ubuntu.com>
Date: Tue, 19 Aug 2014 10:30:20 +0200
Subject: [PATCH 2/5] add error/eof checking into getSigKeyID()
---
gpg-parse.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/gpg-parse.c b/gpg-parse.c
index 14a9175..e051519 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -98,13 +98,13 @@ char *getKeyID (const struct match *mtc) { } char *getSigKeyID (const char *deb, const char *type) { - static char buf[2048]; + char buf[2048]; int pread[2], pwrite[2], t; - off_t len = checkSigExist(type); pid_t pid; FILE *ds_read, *ds_write; char *c, *ret = NULL; + off_t len = checkSigExist(type); if (!len) return NULL;
@@ -134,15 +134,19 @@ char *getSigKeyID (const char *deb, const char *type) { /* First, let's feed gpg our signature. Don't forget, our call to * checkSigExist() above positioned the deb_fs file pointer already. */ - t = fread(buf, 1, sizeof(buf), deb_fs); - while(len > 0) { + do { + t = fread(buf, 1, sizeof(buf), deb_fs); + if (ferror(deb_fs)) + ds_fail_printf(DS_FAIL_INTERNAL, "getSigKeyID: error reading signature (%s)", + strerror(errno)); + if (t > len) fwrite(buf, 1, len, ds_write); else fwrite(buf, 1, t, ds_write); len -= t; - t = fread(buf, 1, sizeof(buf), deb_fs); - } + } while(len > 0 || !feof(deb_fs)); + if (ferror(ds_write)) ds_fail_printf(DS_FAIL_INTERNAL, "error writing to gpg"); fclose(ds_write);
-- 2.0.0.rc0
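Review bot: Dropping `static` from `buf` in the first hunk is only safe if the returned `ret` never points into `buf`. The function returns `char *`, and the code that assigns `ret` lies outside this hunk; if it is set to a position inside `buf`, callers such as checkSelRules() and main (shown in the later patches, where the result is passed to `strcmp` and `strncpy`) would read a dead stack frame when comparing key IDs. Either keep `static char buf[2048];` in this patch, or return a heap copy with `ret = strdup(ret);` and document that the caller frees it.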
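Review bot: The new loop condition `while(len > 0 || !feof(deb_fs))` in the second hunk keeps reading after the signature member has been consumed, and once `len` has gone negative the `t > len` branch calls `fwrite(buf, 1, len, ds_write)` with a negative `off_t` converted to a very large `size_t`, which reads far past `buf`. It also never terminates on a truncated archive, where `len > 0` stays true and fread() keeps returning 0. The loop should bound each read by the remaining length, treat a zero-length read as an error, and check the fwrite() result, as sketched below. This assumes ds_fail_printf() does not return; the rest of getSigKeyID is outside the hunk.

```c
    /* checkSigExist() left deb_fs at the start of the member: copy exactly len bytes */
    while (len > 0) {
	size_t want = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf);
	size_t got = fread(buf, 1, want, deb_fs);

	if (got == 0)
	    ds_fail_printf(DS_FAIL_INTERNAL, "getSigKeyID: short read on signature");
	if (fwrite(buf, 1, got, ds_write) != got)
	    ds_fail_printf(DS_FAIL_INTERNAL, "error writing to gpg");
	len -= (off_t)got;
    }
    /* … unchanged: ferror(ds_write) check and fclose(ds_write) … */
```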
>From 3096b1471e3248b09d4d5eaec618a1002e6acf8c Mon Sep 17 00:00:00 2001
From: Michael Vogt <m...@ubuntu.com>
Date: Tue, 19 Aug 2014 10:44:58 +0200
Subject: [PATCH 3/5] remove global *deb var
---
ar-parse.c | 2 +-
debsig-verify.c | 23 +++++++++++------------
debsig.h | 4 ++--
gpg-parse.c | 2 +-
misc.c | 4 ++--
5 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/ar-parse.c b/ar-parse.c
index 477bf15..5146491 100644
--- a/ar-parse.c
+++ b/ar-parse.c
@@ -39,7 +39,7 @@ * nothing important is going to be zero length anyway, so we treat it as * "non-existant". */ off_t -findMember(const char *name) +findMember(const char *deb, const char *name) { char magic[SARMAG+1]; struct ar_hdr arh;
diff --git a/debsig-verify.c b/debsig-verify.c
index 6adf7a9..33aaa1a 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -36,7 +36,6 @@ char originID[2048]; char *rootdir = ""; -char *deb = NULL; FILE *deb_fs = NULL; #define CTAR(x) "control.tar" # x
@@ -68,7 +67,7 @@ static int checkSelRules(struct group *grp, const char *deb) { * specified, don't we? */ - len = checkSigExist(mtc->name); + len = checkSigExist(deb, mtc->name); /* If the member exists and we reject it, fail now. Also, if it * doesn't exist, and we require it, fail as well. */
@@ -135,12 +134,12 @@ static int verifyGroupRules(struct group *grp, const char *deb) { /* Now, let's find all the members we need to check and cat them into a * single temp file. This is what we pass to gpg. */ - if (!(len = findMember(ver_magic_member))) + if (!(len = findMember(deb, ver_magic_member))) goto fail_and_close; len = passthrough(deb_fs, fp, len); for (i = 0; ver_ctrl_members[i]; i++) { - if (!(len = findMember(ver_ctrl_members[i]))) + if (!(len = findMember(deb, ver_ctrl_members[i]))) continue; len = passthrough(deb_fs, fp, len); break;
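Review bot: The debsig-verify.c hunk removes the definition `char *deb = NULL;`, but the matching `extern char *deb;` stays in debsig.h; this patch's debsig.h hunk only touches the two prototypes, and the extern is dropped only in patch 5. Until then a leftover use of the global in any file would still compile and fail only at link time, and every new `deb` parameter shadows the declaration. Remove `extern char *deb;` in this patch; patch 4 has the same gap for `extern FILE *deb_fs;`. Separately, the new `deb` parameter of findMember() has no comment; presumably it is only the path used in diagnostics while the data still comes from `deb_fs`, which would be worth stating above the function.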
@@ -149,7 +148,7 @@ static int verifyGroupRules(struct group *grp, const char *deb) { goto fail_and_close; for (i = 0; ver_data_members[i]; i++) { - if (!(len = findMember(ver_data_members[i]))) + if (!(len = findMember(deb, ver_data_members[i]))) continue; len = passthrough(deb_fs, fp, len); break;
@@ -174,7 +173,7 @@ static int verifyGroupRules(struct group *grp, const char *deb) { } /* This will also position deb_fs to the start of the member */ - len = checkSigExist(mtc->name); + len = checkSigExist(deb, mtc->name); /* If the member exists and we reject it, die now. Also, if it * doesn't exist, and we require it, die as well. */
@@ -233,17 +232,17 @@ fail_and_close: return 0; } -static int checkIsDeb(void) { +static int checkIsDeb(const char *deb) { int i; const char *member; - if (!findMember(ver_magic_member)) { + if (!findMember(deb, ver_magic_member)) { ds_printf(DS_LEV_VER, "Missing archive magic member %s", ver_magic_member); return 0; } for (i = 0; (member = ver_ctrl_members[i]); i++) - if (findMember(member)) + if (findMember(deb, member)) break; if (!member) { ds_printf(DS_LEV_VER, "Missing archive control member, checked:");
@@ -253,7 +252,7 @@ static int checkIsDeb(void) { } for (i = 0; (member = ver_data_members[i]); i++) - if (findMember(member)) + if (findMember(deb, member)) break; if (!member) { ds_printf(DS_LEV_VER, "Missing archive data member, checked:");
@@ -362,7 +361,7 @@ int main(int argc, char *argv[]) { if (i + 1 != argc) /* There should only be one arg left */ outputUsage(); - deb = argv[i]; + const char *deb = argv[i]; if ((deb_fs = fopen(deb, "r")) == NULL) ds_fail_printf(DS_FAIL_INTERNAL, "could not open %s (%s)", deb, strerror(errno));
@@ -370,7 +369,7 @@ int main(int argc, char *argv[]) { if (!list_only) ds_printf(DS_LEV_VER, "Starting verification for: %s", deb); - if (!checkIsDeb()) + if (!checkIsDeb(deb)) ds_fail_printf(DS_FAIL_INTERNAL, "%s does not appear to be a deb format package", deb); if ((tmpID = getSigKeyID(deb, "origin")) == NULL)
diff --git a/debsig.h b/debsig.h
index 1b81681..04ad0b8 100644
--- a/debsig.h
+++ b/debsig.h
@@ -61,8 +61,8 @@ struct policy { }; struct policy *parsePolicyFile(const char *filename); -off_t findMember(const char *name); -off_t checkSigExist(const char *name); +off_t findMember(const char *deb, const char *name); +off_t checkSigExist(const char *deb, const char *name); char *getKeyID (const struct match *mtc); char *getSigKeyID (const char *deb, const char *type); int gpgVerify(const char *data, struct match *mtc, const char *sig);
diff --git a/gpg-parse.c b/gpg-parse.c
index e051519..ec8abfb 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -104,7 +104,7 @@ char *getSigKeyID (const char *deb, const char *type) { FILE *ds_read, *ds_write; char *c, *ret = NULL; - off_t len = checkSigExist(type); + off_t len = checkSigExist(deb, type); if (!len) return NULL;
diff --git a/misc.c b/misc.c
index 01a2a2c..053ff2c 100644
--- a/misc.c
+++ b/misc.c
@@ -43,7 +43,7 @@ void ds_printf(int level, const char *fmt, ...) { } off_t -checkSigExist(const char *name) +checkSigExist(const char *deb, const char *name) { char buf[16];
@@ -54,5 +54,5 @@ checkSigExist(const char *name) snprintf(buf, sizeof(buf) - 1, "_gpg%s", name); - return findMember(buf); + return findMember(deb, buf); }
-- 2.0.0.rc0
>From c67e438bf2a1271ecd36c118678b92fc487b5c54 Mon Sep 17 00:00:00 2001
From: Michael Vogt <m...@ubuntu.com>
Date: Tue, 19 Aug 2014 10:56:51 +0200
Subject: [PATCH 4/5] remove global deb_fs state
---
Makefile | 2 +-
ar-parse.c | 2 +-
debsig-verify.c | 42 +++++++++++++++++++++++-------------------
debsig.h | 4 ++--
gpg-parse.c | 8 ++++++--
misc.c | 4 ++--
6 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/Makefile b/Makefile
index 402a302..2dc0256 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@ CC = gcc -CFLAGS = -Wall -g -O2 +CFLAGS = -Wall -Wextra -g -O2 #TESTING=1
diff --git a/ar-parse.c b/ar-parse.c
index 5146491..5ff558a 100644
--- a/ar-parse.c
+++ b/ar-parse.c
@@ -39,7 +39,7 @@ * nothing important is going to be zero length anyway, so we treat it as * "non-existant". */ off_t -findMember(const char *deb, const char *name) +findMember(const char *deb, const char *name, FILE *deb_fs) { char magic[SARMAG+1]; struct ar_hdr arh;
diff --git a/debsig-verify.c b/debsig-verify.c
index 33aaa1a..b19eec9 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -36,15 +36,13 @@ char originID[2048]; char *rootdir = ""; -FILE *deb_fs = NULL; - #define CTAR(x) "control.tar" # x #define DTAR(x) "data.tar" # x char *ver_magic_member = "debian-binary"; char *ver_ctrl_members[] = { CTAR(), CTAR(.gz), CTAR(.xz), 0 }; char *ver_data_members[] = { DTAR(), DTAR(.gz), DTAR(.xz), DTAR(.bz2), DTAR(.lzma), 0 }; -static int checkSelRules(struct group *grp, const char *deb) { +static int checkSelRules(struct group *grp, const char *deb, FILE *deb_fs) { int opt_count = 0; struct match *mtc; int len;
@@ -67,7 +65,7 @@ static int checkSelRules(struct group *grp, const char *deb) { * specified, don't we? */ - len = checkSigExist(deb, mtc->name); + len = checkSigExist(deb, mtc->name, deb_fs); /* If the member exists and we reject it, fail now. Also, if it * doesn't exist, and we require it, fail as well. */
@@ -107,7 +105,7 @@ passthrough(FILE *in, FILE *out, off_t len) return len; } -static int verifyGroupRules(struct group *grp, const char *deb) { +static int verifyGroupRules(struct group *grp, const char *deb, FILE *deb_fs) { FILE *fp; char tmp_sig[32] = {'\0'}, tmp_data[32] = {'\0'}; int opt_count = 0, t, i, fd;
@@ -134,12 +132,12 @@ static int verifyGroupRules(struct group *grp, const char *deb) { /* Now, let's find all the members we need to check and cat them into a * single temp file. This is what we pass to gpg. */ - if (!(len = findMember(deb, ver_magic_member))) + if (!(len = findMember(deb, ver_magic_member, deb_fs))) goto fail_and_close; len = passthrough(deb_fs, fp, len); for (i = 0; ver_ctrl_members[i]; i++) { - if (!(len = findMember(deb, ver_ctrl_members[i]))) + if (!(len = findMember(deb, ver_ctrl_members[i], deb_fs))) continue; len = passthrough(deb_fs, fp, len); break;
@@ -148,7 +146,7 @@ static int verifyGroupRules(struct group *grp, const char *deb) { goto fail_and_close; for (i = 0; ver_data_members[i]; i++) { - if (!(len = findMember(deb, ver_data_members[i]))) + if (!(len = findMember(deb, ver_data_members[i], deb_fs))) continue; len = passthrough(deb_fs, fp, len); break;
@@ -173,7 +171,7 @@ static int verifyGroupRules(struct group *grp, const char *deb) { } /* This will also position deb_fs to the start of the member */ - len = checkSigExist(deb, mtc->name); + len = checkSigExist(deb, mtc->name, deb_fs); /* If the member exists and we reject it, die now. Also, if it * doesn't exist, and we require it, die as well. */
@@ -233,35 +231,40 @@ fail_and_close: } static int checkIsDeb(const char *deb) { - int i; + int i, res = 0; const char *member; - if (!findMember(deb, ver_magic_member)) { + FILE *deb_fs = fopen(deb, "r"); + + if (!findMember(deb, ver_magic_member, deb_fs)) { ds_printf(DS_LEV_VER, "Missing archive magic member %s", ver_magic_member); - return 0; + goto out; } for (i = 0; (member = ver_ctrl_members[i]); i++) - if (findMember(deb, member)) + if (findMember(deb, member, deb_fs)) break; if (!member) { ds_printf(DS_LEV_VER, "Missing archive control member, checked:"); for (i = 0; (member = ver_ctrl_members[i]); i++) ds_printf(DS_LEV_VER, " %s", member); - return 0; + goto out; } for (i = 0; (member = ver_data_members[i]); i++) - if (findMember(deb, member)) + if (findMember(deb, member, deb_fs)) break; if (!member) { ds_printf(DS_LEV_VER, "Missing archive data member, checked:"); for (i = 0; (member = ver_data_members[i]); i++) ds_printf(DS_LEV_VER, " %s", member); - return 0; + goto out; } + res = 1; - return 1; + out: + fclose(deb_fs); + return res; } static void outputVersion(void) {
@@ -312,6 +315,7 @@ int main(int argc, char *argv[]) { struct dirent *pd_ent; struct group *grp; int i, list_only = 0; + FILE *deb_fs; dpkg_set_progname(argv[0]);
@@ -408,7 +412,7 @@ int main(int argc, char *argv[]) { /* Now let's see if this policy's selection is useful for this .deb */ ds_printf(DS_LEV_VER, " Checking Selection group(s)."); for (grp = pol->sels; grp != NULL; grp = grp->next) { - if (!checkSelRules(grp, deb)) { + if (!checkSelRules(grp, deb, deb_fs)) { clear_policy(); ds_printf(DS_LEV_VER, " Selection group failed checks."); pol = NULL;
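Review bot: `FILE *deb_fs = fopen(deb, "r");` in checkIsDeb is used without a NULL check, so a file that cannot be opened at this point is passed to findMember() and then to `fclose(deb_fs)` at `out:` as a null stream. The same unchecked fopen() is added to getSigKeyID in the gpg-parse.c hunk of this patch. Add the check main already performs on its own stream: `if (deb_fs == NULL) ds_fail_printf(DS_FAIL_INTERNAL, "could not open %s (%s)", deb, strerror(errno));`.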
@@ -440,7 +444,7 @@ int main(int argc, char *argv[]) { ds_printf(DS_LEV_VER, " Checking Verification group(s)."); for (grp = pol->vers; grp; grp = grp->next) { - if (!verifyGroupRules(grp, deb)) { + if (!verifyGroupRules(grp, deb, deb_fs)) { ds_printf(DS_LEV_VER, " Verification group failed checks."); ds_fail_printf(DS_FAIL_BADSIG, "Failed verification for %s.", deb); }
diff --git a/debsig.h b/debsig.h
index 04ad0b8..3d3d0e0 100644
--- a/debsig.h
+++ b/debsig.h
@@ -61,8 +61,8 @@ struct policy { }; struct policy *parsePolicyFile(const char *filename); -off_t findMember(const char *deb, const char *name); -off_t checkSigExist(const char *deb, const char *name); +off_t findMember(const char *deb, const char *name, FILE *deb_fs); +off_t checkSigExist(const char *deb, const char *name, FILE *deb_fs); char *getKeyID (const struct match *mtc); char *getSigKeyID (const char *deb, const char *type); int gpgVerify(const char *data, struct match *mtc, const char *sig);
diff --git a/gpg-parse.c b/gpg-parse.c
index ec8abfb..e34a659 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -104,9 +104,12 @@ char *getSigKeyID (const char *deb, const char *type) { FILE *ds_read, *ds_write; char *c, *ret = NULL; - off_t len = checkSigExist(deb, type); - if (!len) + FILE *deb_fs = fopen(deb, "r"); + off_t len = checkSigExist(deb, type, deb_fs); + if (!len) { + fclose(deb_fs); return NULL; + } gpg_init();
@@ -176,6 +179,7 @@ char *getSigKeyID (const char *deb, const char *type) { else ds_printf(DS_LEV_DEBUG, " getSigKeyID: got %s for %s key", ret, type); + fclose(deb_fs); return ret; }
diff --git a/misc.c b/misc.c
index 053ff2c..03b6bd5 100644
--- a/misc.c
+++ b/misc.c
@@ -43,7 +43,7 @@ void ds_printf(int level, const char *fmt, ...) { } off_t -checkSigExist(const char *deb, const char *name) +checkSigExist(const char *deb, const char *name, FILE *deb_fs) { char buf[16];
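Review bot: getSigKeyID in the gpg-parse.c hunks now opens the archive a second time by path instead of using the stream main already holds, and checkIsDeb in debsig-verify.c does the same. For a signature verifier this means the key ID and the format check can be taken from a different file than the one verifyGroupRules() later reads through main's `deb_fs`, if the path is replaced between the opens. Passing the stream in, as this patch already does for findMember() and checkSigExist(), keeps every step on one open file: `char *getSigKeyID (const char *deb, const char *type, FILE *deb_fs);` and `static int checkIsDeb(const char *deb, FILE *deb_fs)`. The body of getSigKeyID between the two hunks is not shown, so any early return there would also skip the new `fclose(deb_fs)`.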
@@ -54,5 +54,5 @@ checkSigExist(const char *deb, const char *name) snprintf(buf, sizeof(buf) - 1, "_gpg%s", name); - return findMember(deb, buf); + return findMember(deb, buf, deb_fs); }
-- 2.0.0.rc0
>From d5e35b6c63a28d06f943bf1e69db362a3e4f0296 Mon Sep 17 00:00:00 2001
From: Michael Vogt <m...@ubuntu.com>
Date: Tue, 19 Aug 2014 11:17:59 +0200
Subject: [PATCH 5/5] remove global originID state
---
debsig-verify.c | 16 ++++++++--------
debsig.h | 7 ++-----
gpg-parse.c | 4 ++--
3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/debsig-verify.c b/debsig-verify.c
index b19eec9..069cc7c 100644
--- a/debsig-verify.c
+++ b/debsig-verify.c
@@ -33,7 +33,6 @@ #include "debsig.h" -char originID[2048]; char *rootdir = ""; #define CTAR(x) "control.tar" # x
@@ -42,7 +41,7 @@ char *ver_magic_member = "debian-binary"; char *ver_ctrl_members[] = { CTAR(), CTAR(.gz), CTAR(.xz), 0 }; char *ver_data_members[] = { DTAR(), DTAR(.gz), DTAR(.xz), DTAR(.bz2), DTAR(.lzma), 0 }; -static int checkSelRules(struct group *grp, const char *deb, FILE *deb_fs) { +static int checkSelRules(const char *originID, struct group *grp, const char *deb, FILE *deb_fs) { int opt_count = 0; struct match *mtc; int len;
@@ -54,7 +53,7 @@ static int checkSelRules(struct group *grp, const char *deb, FILE *deb_fs) { /* If we have an ID for this match, check to make sure it exists, and * matches the signature we are about to check. */ if (mtc->id) { - char *m_id = getKeyID(mtc); + char *m_id = getKeyID(originID, mtc); char *d_id = getSigKeyID(deb, mtc->name); if (m_id == NULL || d_id == NULL || strcmp(m_id, d_id)) return 0;
@@ -105,7 +104,7 @@ passthrough(FILE *in, FILE *out, off_t len) return len; } -static int verifyGroupRules(struct group *grp, const char *deb, FILE *deb_fs) { +static int verifyGroupRules(const char *originID, struct group *grp, const char *deb, FILE *deb_fs) { FILE *fp; char tmp_sig[32] = {'\0'}, tmp_data[32] = {'\0'}; int opt_count = 0, t, i, fd;
@@ -164,7 +163,7 @@ static int verifyGroupRules(struct group *grp, const char *deb, FILE *deb_fs) { /* If we have an ID for this match, check to make sure it exists, and * matches the signature we are about to check. */ if (mtc->id) { - char *m_id = getKeyID(mtc); + char *m_id = getKeyID(originID, mtc); char *d_id = getSigKeyID(deb, mtc->name); if (m_id == NULL || d_id == NULL || strcmp(m_id, d_id)) goto fail_and_close;
@@ -195,7 +194,7 @@ static int verifyGroupRules(struct group *grp, const char *deb, FILE *deb_fs) { fclose(fp); /* Now, let's check with gpg on this one */ - t = gpgVerify(tmp_data, mtc, tmp_sig); + t = gpgVerify(originID, tmp_data, mtc, tmp_sig); fd = -1; unlink(tmp_sig);
@@ -379,6 +378,7 @@ int main(int argc, char *argv[]) { if ((tmpID = getSigKeyID(deb, "origin")) == NULL) ds_fail_printf(DS_FAIL_NOSIGS, "Origin Signature check failed. This deb might not be signed.\n"); + char originID[2048]; strncpy(originID, tmpID, sizeof(originID)); /* Now we have an ID, let's check the policy to use */
@@ -412,7 +412,7 @@ int main(int argc, char *argv[]) { /* Now let's see if this policy's selection is useful for this .deb */ ds_printf(DS_LEV_VER, " Checking Selection group(s)."); for (grp = pol->sels; grp != NULL; grp = grp->next) { - if (!checkSelRules(grp, deb, deb_fs)) { + if (!checkSelRules(originID, grp, deb, deb_fs)) { clear_policy(); ds_printf(DS_LEV_VER, " Selection group failed checks."); pol = NULL;
@@ -444,7 +444,7 @@ int main(int argc, char *argv[]) { ds_printf(DS_LEV_VER, " Checking Verification group(s)."); for (grp = pol->vers; grp; grp = grp->next) { - if (!verifyGroupRules(grp, deb, deb_fs)) { + if (!verifyGroupRules(originID, grp, deb, deb_fs)) { ds_printf(DS_LEV_VER, " Verification group failed checks."); ds_fail_printf(DS_FAIL_BADSIG, "Failed verification for %s.", deb); }
diff --git a/debsig.h b/debsig.h
index 3d3d0e0..367fb9a 100644
--- a/debsig.h
+++ b/debsig.h
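Review bot: In the main hunk, `originID` becomes an uninitialised stack array that is filled by `strncpy(originID, tmpID, sizeof(originID));`, which leaves it without a terminating NUL whenever `tmpID` is 2048 bytes or longer. The array is then handed to getKeyID() and gpgVerify() as a plain `const char *`, so those callees have no bound to fall back on. Use `snprintf(originID, sizeof(originID), "%s", tmpID);` so the buffer is always terminated, and treat a truncated ID as a failure rather than comparing a shortened key ID.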
@@ -63,9 +63,9 @@ struct policy { struct policy *parsePolicyFile(const char *filename); off_t findMember(const char *deb, const char *name, FILE *deb_fs); off_t checkSigExist(const char *deb, const char *name, FILE *deb_fs); -char *getKeyID (const struct match *mtc); +char *getKeyID (const char *originID, const struct match *mtc); char *getSigKeyID (const char *deb, const char *type); -int gpgVerify(const char *data, struct match *mtc, const char *sig); +int gpgVerify(const char *originID, const char *data, struct match *mtc, const char *sig); void clear_policy(void); /* Debugging and failures */
@@ -90,7 +90,4 @@ do { \ } while(0) extern int ds_debug_level; -extern FILE *deb_fs; -extern char *deb; -extern char originID[]; extern char *rootdir;
diff --git a/gpg-parse.c b/gpg-parse.c
index e34a659..7c5b27c 100644
--- a/gpg-parse.c
+++ b/gpg-parse.c
@@ -45,7 +45,7 @@ static void gpg_init(void) { gpg_inited = 1; } -char *getKeyID (const struct match *mtc) { +char *getKeyID (const char *originID, const struct match *mtc) { static char buf[2048]; FILE *ds; char *c, *d, *ret = mtc->id;
@@ -183,7 +183,7 @@ char *getSigKeyID (const char *deb, const char *type) { return ret; } -int gpgVerify(const char *data, struct match *mtc, const char *sig) { +int gpgVerify(const char *originID, const char *data, struct match *mtc, const char *sig) { char keyring[8192]; int status; pid_t pid;
-- 2.0.0.rc0