This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=139dfc4c78593d995610c0aa180300a9a7dd94ac

commit 139dfc4c78593d995610c0aa180300a9a7dd94ac
Author: Guillem Jover <[email protected]>
AuthorDate: Wed May 1 23:20:38 2019 +0200

    Dpkg::OpenPGP: Refactor signature verification into a new function
---
 debian/changelog               |  1 +
 scripts/Dpkg/OpenPGP.pm        | 40 +++++++++++++++++++++++++++++++++++
 scripts/Dpkg/Source/Package.pm | 47 ++++++++----------------------------------
 3 files changed, 50 insertions(+), 38 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 0418c6fe6..42e536756 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,7 @@ dpkg (1.20.0) UNRELEASED; urgency=medium
   * Code internals:
     - Dpkg::Source::Package: Refactor original tarball handling.
     - perl: Use File::Copy instead of spawning mv/cp commands.
+    - Dpkg::OpenPGP: Refactor signature verification into a new function.
   * Build system:
     - Bump minimal Perl version to 5.24.1.
 
diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm
index f719e6e4e..234c90a4d 100644
--- a/scripts/Dpkg/OpenPGP.pm
+++ b/scripts/Dpkg/OpenPGP.pm
@@ -18,6 +18,7 @@ package Dpkg::OpenPGP;
 use strict;
 use warnings;
 
+use POSIX qw(:sys_wait_h);
 use Exporter qw(import);
 use File::Copy;
 
@@ -80,4 +81,43 @@ sub openpgp_sig_to_asc
     return;
 }
 
+sub verify_signature {
+    my ($sig, %opts) = @_;
+
+    $opts{require_valid_signature} //= 1;
+
+    my @exec;
+    if (find_command('gpgv')) {
+        push @exec, 'gpgv';
+    } elsif (find_command('gpg')) {
+        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
+    } elsif ($opts{require_valid_signature}) {
+        error(g_('cannot verify signature on %s since GnuPG is not installed'),
+              $sig);
+    } else {
+        warning(g_('cannot verify signature on %s since GnuPG is not 
installed'),
+                $sig);
+        return;
+    }
+    foreach my $keyring (@{$opts{keyrings}}) {
+        push @exec, '--keyring', $keyring;
+    }
+    push @exec, $sig;
+
+    my ($stdout, $stderr);
+    spawn(exec => \@exec, wait_child => 1, nocheck => 1, timeout => 10,
+          to_string => \$stdout, error_to_string => \$stderr);
+    if (WIFEXITED($?)) {
+        my $status = WEXITSTATUS($?);
+        print { *STDERR } "$stdout$stderr" if $status;
+        if ($status == 1 or ($status && $opts{require_valid_signature})) {
+            error(g_('failed to verify signature on %s'), $sig);
+        } elsif ($status) {
+            warning(g_('failed to verify signature on %s'), $sig);
+        }
+    } else {
+        subprocerr("@exec");
+    }
+}
+
 1;
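Review bot: verify_signature is added without documentation, and its contract is not obvious from the code: an exit status of 1 from gpgv/gpg is always fatal, any other non-zero status is fatal only when require_valid_signature is set (and it defaults to 1 here), and an absent gpgv/gpg is fatal under the same condition. If the module carries POD for its functions, an `=item verify_signature($sig, %opts)` entry should spell out those rules and name the `keyrings` (arrayref of keyring paths) and `require_valid_signature` options; otherwise a short header comment above the sub would do. The `keyrings` option is also dereferenced without a default: `foreach` evaluates `@{$opts{keyrings}}` in lvalue context, so a missing key autovivifies instead of dying under strict refs, but an explicit `$opts{keyrings} //= [];` beside the existing `require_valid_signature` default would make that reliance visible rather than incidental.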
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index e800a6392..e7c4fb22d 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -58,6 +58,7 @@ use Dpkg::Path qw(check_files_are_the_same find_command);
 use Dpkg::IPC;
 use Dpkg::Vendor qw(run_vendor_hook);
 use Dpkg::Source::Format;
+use Dpkg::OpenPGP;
 
 my $diff_ignore_default_regex = '
 # Ignore general backup files
@@ -427,48 +428,18 @@ then any problem will result in a fatal error.
 sub check_signature {
     my $self = shift;
     my $dsc = $self->get_filename();
-    my @exec;
+    my @keyrings;
 
-    if (find_command('gpgv')) {
-        push @exec, 'gpgv';
-    } elsif (find_command('gpg')) {
-        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
+    if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
+        push @keyrings, "$ENV{HOME}/.gnupg/trustedkeys.gpg";
     }
-    if (scalar(@exec)) {
-        if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
-            push @exec, '--keyring', "$ENV{HOME}/.gnupg/trustedkeys.gpg";
-        }
-        foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
-            if (-r $vendor_keyring) {
-                push @exec, '--keyring', $vendor_keyring;
-            }
-        }
-        push @exec, $dsc;
-
-        my ($stdout, $stderr);
-        spawn(exec => \@exec, wait_child => 1, nocheck => 1,
-              to_string => \$stdout, error_to_string => \$stderr,
-              timeout => 10);
-        if (WIFEXITED($?)) {
-            my $gpg_status = WEXITSTATUS($?);
-            print { *STDERR } "$stdout$stderr" if $gpg_status;
-            if ($gpg_status == 1 or ($gpg_status &&
-                $self->{options}{require_valid_signature}))
-            {
-                error(g_('failed to verify signature on %s'), $dsc);
-            } elsif ($gpg_status) {
-                warning(g_('failed to verify signature on %s'), $dsc);
-            }
-        } else {
-            subprocerr("@exec");
-        }
-    } else {
-        if ($self->{options}{require_valid_signature}) {
-            error(g_('cannot verify signature on %s since GnuPG is not 
installed'), $dsc);
-        } else {
-            warning(g_('cannot verify signature on %s since GnuPG is not 
installed'), $dsc);
+    foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
+        if (-r $vendor_keyring) {
+            push @keyrings, $vendor_keyring;
         }
     }
+
+    Dpkg::OpenPGP::verify_signature($dsc, keyrings => \@keyrings);
 }
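Review bot: The new call at the end of check_signature drops `$self->{options}{require_valid_signature}`, which the removed code consulted to choose between error and warning, so verify_signature's own default of 1 now applies and any non-zero gpgv status, or a missing GnuPG, becomes fatal regardless of the caller's option. If that tightening is intended it should be stated in the commit message; otherwise pass the option through: `Dpkg::OpenPGP::verify_signature($dsc, keyrings => \@keyrings, require_valid_signature => $self->{options}{require_valid_signature});`. Note that if callers leave the option undef, the `//= 1` default inside verify_signature would still promote it to the strict mode, whereas the old `$gpg_status && ...` test treated undef as lenient, so either initialise the option on the caller side or pass `$self->{options}{require_valid_signature} // 0` to keep the previous semantics. How the option is initialised is outside this hunk, so I cannot confirm which applies.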
 
 sub describe_cmdline_options {
