These patches add a VerifySig option to pacman.conf. VerifySig
accepts one of Always, Optional, or Never:

[repo-name]
      Server = ServerName
      VerifySig = Always
      Include = IncludePath





>From 77be2c5cbfa3c7a750fe46d115c23096d2cf51e5 Mon Sep 17 00:00:00 2001
From: shankar <[email protected]>
Date: Wed, 17 Dec 2008 20:52:21 +0530
Subject: [PATCH] changed gpg verification logic

Signed-off-by: shankar <[email protected]>
---
 lib/libalpm/signing.c |    3 +++
 lib/libalpm/sync.c    |   26 ++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index ddb89bc..0835b5e 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -166,6 +166,9 @@ pgpcheck_t _alpm_gpgme_checksig(const char
*pkgpath, const pmpgpsig_t *sig)

        if(gpgsig->summary & GPGME_SIGSUM_VALID) {
                /* good signature, continue */
+               ret = PM_PGP_SIG_VALID;
+               _alpm_log(PM_LOG_DEBUG, _("Package %s has a valid 
signature.\n"),
+                               pkgpath);
        } else if(gpgsig->summary & GPGME_SIGSUM_GREEN) {
                /* 'green' signature, not sure what to do here */
                _alpm_log(PM_LOG_WARNING, _("Package %s has a green 
signature.\n"),
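Review bot: The value returned for a "green" signature in the `GPGME_SIGSUM_GREEN` branch is not visible in this hunk, yet the sync.c part of this patch treats anything other than `PM_PGP_SIG_VALID` as a failure under VerifySig = Always, so that value now decides whether such packages install. The existing comment there still reads "not sure what to do here"; I would replace it with one that states the decision, e.g. `/* 'green' signature: not fully valid, rejected when VerifySig = Always */`, or set `ret` explicitly in that branch if it is not already set. The body of `_alpm_gpgme_checksig` continues outside the hunk, so the initial value of `ret` should be confirmed as well.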
diff --git a/lib/libalpm/sync.c b/lib/libalpm/sync.c
index 24f2b98..f658ae2 100644
--- a/lib/libalpm/sync.c
+++ b/lib/libalpm/sync.c
@@ -901,12 +901,30 @@ int _alpm_sync_commit(pmtrans_t *trans, pmdb_t
*db_local, alpm_list_t **data)
                        *data = alpm_list_add(*data, strdup(filename));
                }
                /* check PGP signature next */
-               if(_alpm_gpgme_checksig(filepath, pgpsig) == 
PM_PGP_SIG_INVALID) {
-                       errors++;
-                       *data = alpm_list_add(*data, strdup(filename));
+               pmdb_t *sdb = alpm_pkg_get_db(spkg);
+
+               if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS) {
+                       if(_alpm_gpgme_checksig(filepath, pgpsig) != 
PM_PGP_SIG_VALID) {
+                               errors++;
+                               *data = alpm_list_add(*data, strdup(filename));
+                               _alpm_log(PM_LOG_ERROR, _("Invalid GPG 
signature on package:
%s\n"),alpm_pkg_get_name(spkg));
+                       }
+                       FREE(filepath);
+               } else if (sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
+                       pgpcheck_t ret1 = _alpm_gpgme_checksig(filepath, 
pgpsig);
+
+                       if(ret1  == PM_PGP_SIG_MISSING) {
+                               /*no problems here*/
+                       } else if (ret1 != PM_PGP_SIG_VALID) {
+                               errors++;
+                               *data = alpm_list_add(*data, strdup(filename));
+                               _alpm_log(PM_LOG_ERROR, _("Invalid GPG 
signature on package:
%s\n"),alpm_pkg_get_name(spkg));
+                       }
+                       FREE(filepath);
                }
-               FREE(filepath);
        }
+
+
        if(errors) {
                pm_errno = PM_ERR_PKG_INVALID;
                goto error;
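Review bot: `filepath` is no longer freed when `sdb->verify_gpg` is neither `PM_GPG_VERIFY_ALWAYS` nor `PM_GPG_VERIFY_OPTIONAL`, because the unconditional `FREE(filepath);` after the check was removed and now exists only inside the two branches; with VerifySig = Never every package path leaks. The two branches also duplicate the check and the error reporting, so I would call `_alpm_gpgme_checksig()` once and keep a single `FREE(filepath);` after the block, as below. `sdb` is dereferenced without a NULL check, which is safe only if `alpm_pkg_get_db()` cannot return NULL for a sync package at this point; that is worth confirming. Under Optional a missing signature is accepted, so that mode catches a bad signature but not a stripped one, and the VerifySig documentation should say so. `_alpm_sync_commit` starts and ends outside the hunk.

```c
		/* check PGP signature next */
		pmdb_t *sdb = alpm_pkg_get_db(spkg);

		if(sdb->verify_gpg == PM_GPG_VERIFY_ALWAYS
				|| sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL) {
			pgpcheck_t sigret = _alpm_gpgme_checksig(filepath, pgpsig);
			/* only Optional tolerates a package that carries no signature */
			int missing_ok = (sdb->verify_gpg == PM_GPG_VERIFY_OPTIONAL
					&& sigret == PM_PGP_SIG_MISSING);

			if(sigret != PM_PGP_SIG_VALID && !missing_ok) {
				errors++;
				*data = alpm_list_add(*data, strdup(filename));
				_alpm_log(PM_LOG_ERROR, _("Invalid GPG signature on package: %s\n"),
						alpm_pkg_get_name(spkg));
			}
		}
		/* released on every path, including repositories that skip verification */
		FREE(filepath);
```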
-- 
1.6.0.4

Attachment: 0001-Added-gpg-verification-options-per-repo-to-the-confi.patch
Description: Binary data

Attachment: 0002-changed-gpg-verification-logic.patch
Description: Binary data
