shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-03-19 22:50:35 +03:00
Code Issues Projects Releases Wiki Activity

gpg: conditionally build GPG-related code for sign/verification

Browse Source 
Do not build the code related to GPG sign and verification if
GPGME support is disabled.
Public functions return error 'G_IO_ERROR_NOT_SUPPORTED' in case if
gpg-related check is rquested.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Closes: #1889
Approved by: cgwalters
This commit is contained in:
Denis Pynkin 2019-05-21 01:35:25 +03:00 committed by Atomic Bot
parent e187f240fc
commit 0108e9ea49
18 changed files with 225 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libostree/ostree-core-private.h
View File

@ -190,9 +190,11 @@ _ostree_repo_mode_is_bare (OstreeRepoMode mode)
mode == OSTREE_REPO_MODE_BARE_USER_ONLY;
}
#ifndef OSTREE_DISABLE_GPGME
GVariant *
_ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata,
GBytes *signature_bytes);
#endif
GFile *
_ostree_get_default_sysroot_path (void);

2
src/libostree/ostree-core.c
View File

@ -2462,6 +2462,7 @@ _ostree_compare_timestamps (const char *current_rev,
}
#ifndef OSTREE_DISABLE_GPGME
GVariant *
_ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata,
GBytes *signature_bytes)
@ -2487,6 +2488,7 @@ _ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata,
return g_variant_dict_end (&metadata_dict);
}
#endif /* OSTREE_DISABLE_GPGME */
/**
* _ostree_get_default_sysroot_path:

2
src/libostree/ostree-repo-private.h
View File

@ -332,6 +332,7 @@ _ostree_repo_commit_modifier_apply (OstreeRepo *self,
gboolean
_ostree_repo_remote_name_is_file (const char *remote_name);
#ifndef OSTREE_DISABLE_GPGME
OstreeGpgVerifyResult *
_ostree_repo_gpg_verify_with_metadata (OstreeRepo *self,
GBytes *signed_data,
@ -350,6 +351,7 @@ _ostree_repo_verify_commit_internal (OstreeRepo *self,
GFile *extra_keyring,
GCancellable *cancellable,
GError **error);
#endif /* OSTREE_DISABLE_GPGME */
typedef enum {
_OSTREE_REPO_IMPORT_FLAGS_NONE,

55
src/libostree/ostree-repo-pull.c
View File

@ -104,9 +104,9 @@ typedef struct {
gint n_scanned_metadata;
gboolean gpg_verify;
gboolean gpg_verify_summary;
gboolean require_static_deltas;
gboolean disable_static_deltas;
gboolean gpg_verify_summary;
gboolean has_tombstone_commits;
GBytes *summary_data;
@ -1294,7 +1294,7 @@ meta_fetch_on_complete (GObject *object,
if (!_ostree_verify_metadata_object (objtype, checksum, metadata, error))
goto out;
/* For commit objects, check the GPG signature before writing to the repo,
/* For commit objects, check the signature before writing to the repo,
* and also write the .commitpartial to say that we're still processing
* this commit.
*/
@ -1433,6 +1433,7 @@ static_deltapart_fetch_on_complete (GObject *object,
g_clear_pointer (&fetch_data, fetch_static_delta_data_free);
}
#ifndef OSTREE_DISABLE_GPGME
static gboolean
process_verify_result (OtPullData *pull_data,
const char *checksum,
@ -1462,6 +1463,7 @@ process_verify_result (OtPullData *pull_data,
return TRUE;
}
#endif /* OSTREE_DISABLE_GPGME */
static gboolean
gpg_verify_unwritten_commit (OtPullData *pull_data,
@ -1472,6 +1474,7 @@ gpg_verify_unwritten_commit (OtPullData *pull_data,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
if (pull_data->gpg_verify)
{
const char *keyring_remote = NULL;
@ -1494,6 +1497,7 @@ gpg_verify_unwritten_commit (OtPullData *pull_data,
if (!process_verify_result (pull_data, checksum, result, error))
return FALSE;
}
#endif /* OSTREE_DISABLE_GPGME */
return TRUE;
}
@ -1702,6 +1706,7 @@ ostree_repo_resolve_keyring_for_collection (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
gsize i;
g_auto(GStrv) remotes = NULL;
g_autoptr(OstreeRemote) keyring_remote = NULL;
@ -1763,6 +1768,12 @@ ostree_repo_resolve_keyring_for_collection (OstreeRepo *self,
collection_id);
return NULL;
}
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return NULL;
#endif /* OSTREE_DISABLE_GPGME */
}
#ifdef HAVE_LIBCURL_OR_LIBSOUP
@ -1792,6 +1803,7 @@ scan_commit_object (OtPullData *pull_data,
GINT_TO_POINTER (depth));
}
#ifndef OSTREE_DISABLE_GPGME
/* See comment in process_verify_result() - we now gpg check before writing,
* but also ensure we've done it here if not already.
*/
@ -1814,6 +1826,7 @@ scan_commit_object (OtPullData *pull_data,
if (!process_verify_result (pull_data, checksum, result, error))
return FALSE;
}
#endif /* OSTREE_DISABLE_GPGME */
/* If we found a legacy transaction flag, assume we have to scan.
* We always do a scan of dirtree objects; see
@ -2742,6 +2755,7 @@ on_superblock_fetched (GObject *src,
ot_checksum_update_bytes (&hasher, delta_superblock_data);
ot_checksum_get_digest (&hasher, actual_summary_digest, sizeof (actual_summary_digest));
#ifndef OSTREE_DISABLE_GPGME
/* At this point we've GPG verified the data, so in theory
* could trust that they provided the right data, but let's
* make this a hard error.
@ -2752,6 +2766,7 @@ on_superblock_fetched (GObject *src,
"GPG verification enabled, but no summary signatures found (use gpg-verify-summary=false in remote config to disable)");
goto out;
}
#endif /* OSTREE_DISABLE_GPGME */
if (expected_summary_digest && memcmp (expected_summary_digest, actual_summary_digest, sizeof (actual_summary_digest)))
{
@ -3618,6 +3633,17 @@ ostree_repo_pull_with_options (OstreeRepo *self,
pull_data->remote_name = g_strdup (pull_data->remote_refspec_name);
}
#ifdef OSTREE_DISABLE_GPGME
/* Explicitly fail here if gpg verification is requested and we have no GPG support */
if (opt_gpg_verify_set || opt_gpg_verify_summary_set)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
goto out;
}
#endif
g_return_val_if_fail (OSTREE_IS_REPO (self), FALSE);
g_return_val_if_fail (pull_data->maxdepth >= -1, FALSE);
g_return_val_if_fail (!pull_data->timestamp_check || pull_data->maxdepth == 0, FALSE);
@ -3745,6 +3771,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
g_free (pull_data->remote_name);
pull_data->remote_name = g_strdup (remote_name_or_baseurl);
#ifndef OSTREE_DISABLE_GPGME
/* Fetch GPG verification settings from remote if it wasn't already
* explicitly set in the options. */
if (!opt_gpg_verify_set)
@ -3756,6 +3783,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
if (!ostree_repo_remote_get_gpg_verify_summary (self, pull_data->remote_name,
&pull_data->gpg_verify_summary, error))
goto out;
#endif /* OSTREE_DISABLE_GPGME */
/* NOTE: If changing this, see the matching implementation in
* ostree-sysroot-upgrader.c
@ -4060,12 +4088,14 @@ ostree_repo_pull_with_options (OstreeRepo *self,
goto out;
}
#ifndef OSTREE_DISABLE_GPGME
if (!bytes_summary && pull_data->gpg_verify_summary)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND,
"GPG verification enabled, but no summary found (use gpg-verify-summary=false in remote config to disable)");
goto out;
}
#endif /* OSTREE_DISABLE_GPGME */
if (!bytes_summary && pull_data->require_static_deltas)
{
@ -4074,6 +4104,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
goto out;
}
#ifndef OSTREE_DISABLE_GPGME
if (!bytes_sig && pull_data->gpg_verify_summary)
{
g_set_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_NO_SIGNATURE,
@ -4132,6 +4163,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
}
}
}
#endif /* OSTREE_DISABLE_GPGME */
if (bytes_summary)
{
@ -4614,6 +4646,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
pull_data->remote_name, g_hash_table_size (requested_refs_to_fetch));
const char *gpg_verify_state;
#ifndef OSTREE_DISABLE_GPGME
if (pull_data->gpg_verify_summary)
{
if (pull_data->gpg_verify)
@ -4624,6 +4657,11 @@ ostree_repo_pull_with_options (OstreeRepo *self,
else
gpg_verify_state = (pull_data->gpg_verify ? "commit" : "disabled");
g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state);
#else
gpg_verify_state = "disabled";
g_string_append_printf (msg, "\nsecurity: %s ", gpg_verify_state);
#endif /* OSTREE_DISABLE_GPGME */
OstreeFetcherURI *first_uri = pull_data->meta_mirrorlist->pdata[0];
g_autofree char *first_scheme = _ostree_fetcher_uri_get_scheme (first_uri);
if (g_str_has_prefix (first_scheme, "http"))
@ -5970,7 +6008,11 @@ ostree_repo_pull_from_remotes_async (OstreeRepo *self,
g_variant_dict_insert (&local_options_dict, "flags", "i", OSTREE_REPO_PULL_FLAGS_UNTRUSTED | flags);
g_variant_dict_insert_value (&local_options_dict, "collection-refs", g_variant_builder_end (&refs_to_pull_builder));
#ifndef OSTREE_DISABLE_GPGME
g_variant_dict_insert (&local_options_dict, "gpg-verify", "b", TRUE);
#else
g_variant_dict_insert (&local_options_dict, "gpg-verify", "b", FALSE);
#endif /* OSTREE_DISABLE_GPGME */
g_variant_dict_insert (&local_options_dict, "gpg-verify-summary", "b", FALSE);
g_variant_dict_insert (&local_options_dict, "inherit-transaction", "b", TRUE);
if (result->remote->refspec_name != NULL)
@ -6118,8 +6160,10 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self,
g_autofree char *metalink_url_string = NULL;
g_autoptr(GBytes) summary = NULL;
g_autoptr(GBytes) signatures = NULL;
gboolean ret = FALSE;
#ifndef OSTREE_DISABLE_GPGME
gboolean gpg_verify_summary;
#endif
gboolean ret = FALSE;
gboolean summary_is_from_cache;
g_return_val_if_fail (OSTREE_REPO (self), FALSE);
@ -6140,6 +6184,7 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self,
error))
goto out;
#ifndef OSTREE_DISABLE_GPGME
if (!ostree_repo_remote_get_gpg_verify_summary (self, name, &gpg_verify_summary, error))
goto out;
@ -6193,6 +6238,10 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self,
}
}
#else
g_message ("%s: GPG feature is disabled in a build time", __FUNCTION__);
#endif /* OSTREE_DISABLE_GPGME */
if (out_summary != NULL)
*out_summary = g_steal_pointer (&summary);

97
src/libostree/ostree-repo.c
View File

@ -139,9 +139,11 @@ G_STATIC_ASSERT(sizeof(OstreeRepoPruneOptions) ==
typedef struct {
GObjectClass parent_class;
#ifndef OSTREE_DISABLE_GPGME
void (*gpg_verify_result) (OstreeRepo *self,
const char *checksum,
OstreeGpgVerifyResult *result);
#endif
} OstreeRepoClass;
enum {
@ -157,7 +159,9 @@ enum {
LAST_SIGNAL
};
#ifndef OSTREE_DISABLE_GPGME
static guint signals[LAST_SIGNAL] = { 0 };
#endif
G_DEFINE_TYPE (OstreeRepo, ostree_repo, G_TYPE_OBJECT)
@ -1167,6 +1171,7 @@ ostree_repo_class_init (OstreeRepoClass *klass)
NULL,
G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
#ifndef OSTREE_DISABLE_GPGME
/**
* OstreeRepo::gpg-verify-result:
* @self: an #OstreeRepo
@ -1189,23 +1194,27 @@ ostree_repo_class_init (OstreeRepoClass *klass)
G_TYPE_NONE, 2,
G_TYPE_STRING,
OSTREE_TYPE_GPG_VERIFY_RESULT);
#endif /* OSTREE_DISABLE_GPGME */
}
static void
ostree_repo_init (OstreeRepo *self)
{
static gsize gpgme_initialized;
const GDebugKey test_error_keys[] = {
{ "pre-commit", OSTREE_REPO_TEST_ERROR_PRE_COMMIT },
{ "invalid-cache", OSTREE_REPO_TEST_ERROR_INVALID_CACHE },
};
#ifndef OSTREE_DISABLE_GPGME
static gsize gpgme_initialized;
if (g_once_init_enter (&gpgme_initialized))
{
gpgme_check_version (NULL);
gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL));
g_once_init_leave (&gpgme_initialized, 1);
}
#endif
self->test_error_flags = g_parse_debug_string (g_getenv ("OSTREE_REPO_TEST_ERROR"),
test_error_keys, G_N_ELEMENTS (test_error_keys));
@ -2017,8 +2026,17 @@ ostree_repo_remote_get_gpg_verify (OstreeRepo *self,
return TRUE;
}
return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify",
#ifndef OSTREE_DISABLE_GPGME
return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify",
TRUE, out_gpg_verify, error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
if (out_gpg_verify != NULL)
*out_gpg_verify = FALSE;
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -2040,8 +2058,17 @@ ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self,
gboolean *out_gpg_verify_summary,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify-summary",
FALSE, out_gpg_verify_summary, error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
if (out_gpg_verify_summary != NULL)
*out_gpg_verify_summary = FALSE;
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -2074,6 +2101,7 @@ ostree_repo_remote_gpg_import (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
OstreeRemote *remote;
g_auto(gpgme_ctx_t) source_context = NULL;
g_auto(gpgme_ctx_t) target_context = NULL;
@ -2313,6 +2341,12 @@ out:
g_prefix_error (error, "GPG: ");
return ret;
#else /* OSTREE_DISABLE_GPGME */
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -4904,6 +4938,7 @@ ostree_repo_append_gpg_signature (OstreeRepo *self,
error))
return FALSE;
#ifndef OSTREE_DISABLE_GPGME
g_autoptr(GVariant) new_metadata =
_ostree_detached_metadata_append_gpg_sig (metadata, signature_bytes);
@ -4915,8 +4950,15 @@ ostree_repo_append_gpg_signature (OstreeRepo *self,
return FALSE;
return TRUE;
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
#ifndef OSTREE_DISABLE_GPGME
static gboolean
sign_data (OstreeRepo *self,
GBytes *input_data,
@ -4977,6 +5019,7 @@ sign_data (OstreeRepo *self,
*out_signature = g_mapped_file_get_bytes (signature_file);
return TRUE;
}
#endif /* OSTREE_DISABLE_GPGME */
/**
* ostree_repo_sign_commit:
@ -4997,6 +5040,7 @@ ostree_repo_sign_commit (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
g_autoptr(GBytes) commit_data = NULL;
g_autoptr(GBytes) signature = NULL;
@ -5060,6 +5104,10 @@ ostree_repo_sign_commit (OstreeRepo *self,
return FALSE;
return TRUE;
#else
/* FIXME: Return false until refactoring */
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -5106,6 +5154,7 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
glnx_autofd int fd = -1;
if (!glnx_openat_rdonly (self->repo_dir_fd, "summary", TRUE, &fd, error))
return FALSE;
@ -5148,8 +5197,15 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
return FALSE;
return TRUE;
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
#ifndef OSTREE_DISABLE_GPGME
/* Special remote for _ostree_repo_gpg_verify_with_metadata() */
static const char *OSTREE_ALL_REMOTES = "__OSTREE_ALL_REMOTES__";
@ -5383,6 +5439,7 @@ _ostree_repo_verify_commit_internal (OstreeRepo *self,
keyringdir, extra_keyring,
cancellable, error);
}
#endif /* OSTREE_DISABLE_GPGME */
/**
* ostree_repo_verify_commit:
@ -5406,6 +5463,7 @@ ostree_repo_verify_commit (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
g_autoptr(OstreeGpgVerifyResult) result = NULL;
result = ostree_repo_verify_commit_ext (self, commit_checksum,
@ -5415,6 +5473,13 @@ ostree_repo_verify_commit (OstreeRepo *self,
if (!ostree_gpg_verify_result_require_valid_signature (result, error))
return glnx_prefix_error (error, "Commit %s", commit_checksum);
return TRUE;
#else
/* FIXME: Return false until refactoring */
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return FALSE;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -5439,6 +5504,7 @@ ostree_repo_verify_commit_ext (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
return _ostree_repo_verify_commit_internal (self,
commit_checksum,
NULL,
@ -5446,6 +5512,12 @@ ostree_repo_verify_commit_ext (OstreeRepo *self,
extra_keyring,
cancellable,
error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return NULL;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -5471,6 +5543,7 @@ ostree_repo_verify_commit_for_remote (OstreeRepo *self,
GCancellable *cancellable,
GError **error)
{
#ifndef OSTREE_DISABLE_GPGME
return _ostree_repo_verify_commit_internal (self,
commit_checksum,
remote_name,
@ -5478,6 +5551,12 @@ ostree_repo_verify_commit_for_remote (OstreeRepo *self,
NULL,
cancellable,
error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return NULL;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -5515,6 +5594,7 @@ ostree_repo_gpg_verify_data (OstreeRepo *self,
g_return_val_if_fail (data != NULL, NULL);
g_return_val_if_fail (signatures != NULL, NULL);
#ifndef OSTREE_DISABLE_GPGME
return _ostree_repo_gpg_verify_data_internal (self,
(remote_name != NULL) ? remote_name : OSTREE_ALL_REMOTES,
data,
@ -5523,6 +5603,12 @@ ostree_repo_gpg_verify_data (OstreeRepo *self,
extra_keyring,
cancellable,
error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return NULL;
#endif /* OSTREE_DISABLE_GPGME */
}
/**
@ -5557,6 +5643,7 @@ ostree_repo_verify_summary (OstreeRepo *self,
signatures_variant = g_variant_new_from_bytes (OSTREE_SUMMARY_SIG_GVARIANT_FORMAT,
signatures, FALSE);
#ifndef OSTREE_DISABLE_GPGME
return _ostree_repo_gpg_verify_with_metadata (self,
summary,
signatures_variant,
@ -5564,6 +5651,12 @@ ostree_repo_verify_summary (OstreeRepo *self,
NULL, NULL,
cancellable,
error);
#else
g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
"'%s': GPG feature is disabled in a build time",
__FUNCTION__);
return NULL;
#endif /* OSTREE_DISABLE_GPGME */
}
/* Add an entry for a @ref ↦ @checksum mapping to an `a(s(t@ay@a{sv}))`

68
src/libostree/ostree-repo.h
View File

@ -199,18 +199,6 @@ gboolean ostree_repo_remote_get_url (OstreeRepo *self,
char **out_url,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_get_gpg_verify (OstreeRepo *self,
const char *name,
gboolean *out_gpg_verify,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self,
const char *name,
gboolean *out_gpg_verify_summary,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_get_remote_option (OstreeRepo *self,
const char *remote_name,
@ -234,14 +222,6 @@ gboolean ostree_repo_get_remote_boolean_option (OstreeRepo *self,
gboolean *out_value,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_gpg_import (OstreeRepo *self,
const char *name,
GInputStream *source_stream,
const char * const *key_ids,
guint *out_imported,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_fetch_summary (OstreeRepo *self,
@ -1337,20 +1317,6 @@ gboolean ostree_repo_sign_delta (OstreeRepo *self,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean
ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
const gchar **key_id,
const gchar *homedir,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_append_gpg_signature (OstreeRepo *self,
const gchar *commit_checksum,
GBytes *signature_bytes,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_verify_commit (OstreeRepo *self,
@ -1360,6 +1326,40 @@ gboolean ostree_repo_verify_commit (OstreeRepo *self,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_get_gpg_verify (OstreeRepo *self,
const char *name,
gboolean *out_gpg_verify,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self,
const char *name,
gboolean *out_gpg_verify_summary,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_remote_gpg_import (OstreeRepo *self,
const char *name,
GInputStream *source_stream,
const char * const *key_ids,
guint *out_imported,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_add_gpg_signature_summary (OstreeRepo *self,
const gchar **key_id,
const gchar *homedir,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
gboolean ostree_repo_append_gpg_signature (OstreeRepo *self,
const gchar *commit_checksum,
GBytes *signature_bytes,
GCancellable *cancellable,
GError **error);
_OSTREE_PUBLIC
OstreeGpgVerifyResult * ostree_repo_verify_commit_ext (OstreeRepo *self,
const gchar *commit_checksum,

5
src/libotutil/otutil.h
View File

@ -60,6 +60,9 @@
#include <ot-variant-utils.h>
#include <ot-variant-builder.h>
#include <ot-checksum-utils.h>
#include <ot-gpg-utils.h>
#include <ot-checksum-instream.h>
#include <ot-tool-util.h>
#ifndef OSTREE_DISABLE_GPGME
#include <ot-gpg-utils.h>
#endif

2
src/ostree/main.c
View File

@ -72,9 +72,11 @@ static OstreeCommand commands[] = {
{ "fsck", OSTREE_BUILTIN_FLAG_NONE,
ostree_builtin_fsck,
"Check the repository for consistency" },
#ifndef OSTREE_DISABLE_GPGME
{ "gpg-sign", OSTREE_BUILTIN_FLAG_NONE,
ostree_builtin_gpg_sign,
"Sign a commit" },
#endif /* OSTREE_DISABLE_GPGME */
{ "init", OSTREE_BUILTIN_FLAG_NO_CHECK,
ostree_builtin_init,
"Initialize a new empty repository" },

4
src/ostree/ot-admin-builtin-status.c
View File

@ -35,6 +35,7 @@ static GOptionEntry options[] = {
{ NULL }
};
#ifndef OSTREE_DISABLE_GPGME
static gboolean
deployment_get_gpg_verify (OstreeDeployment *deployment,
OstreeRepo *repo)
@ -61,6 +62,7 @@ deployment_get_gpg_verify (OstreeDeployment *deployment,
return gpg_verify;
}
#endif /* OSTREE_DISABLE_GPGME */
static gboolean
@ -136,6 +138,7 @@ deployment_print_status (OstreeSysroot *sysroot,
g_print (" `- %s\n", source_title);
}
#ifndef OSTREE_DISABLE_GPGME
if (deployment_get_gpg_verify (deployment, repo))
{
g_autoptr(GString) output_buffer = g_string_sized_new (256);
@ -168,6 +171,7 @@ deployment_print_status (OstreeSysroot *sysroot,
g_print ("%s", output_buffer->str);
}
#endif /* OSTREE_DISABLE_GPGME */
return TRUE;
}

6
src/ostree/ot-builtin-commit.c
View File

@ -60,8 +60,10 @@ static char **opt_trees;
static gint opt_owner_uid = -1;
static gint opt_owner_gid = -1;
static gboolean opt_table_output;
#ifndef OSTREE_DISABLE_GPGME
static char **opt_key_ids;
static char *opt_gpg_homedir;
#endif
static gboolean opt_generate_sizes;
static gboolean opt_disable_fsync;
static char *opt_timestamp;
@ -114,8 +116,10 @@ static GOptionEntry options[] = {
{ "skip-list", 0, 0, G_OPTION_ARG_FILENAME, &opt_skiplist_file, "File containing list of files to skip", "PATH" },
{ "consume", 0, 0, G_OPTION_ARG_NONE, &opt_consume, "Consume (delete) content after commit (for local directories)", NULL },
{ "table-output", 0, 0, G_OPTION_ARG_NONE, &opt_table_output, "Output more information in a KEY: VALUE format", NULL },
#ifndef OSTREE_DISABLE_GPGME
{ "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_key_ids, "GPG Key ID to sign the commit with", "KEY-ID"},
{ "gpg-homedir", 0, 0, G_OPTION_ARG_FILENAME, &opt_gpg_homedir, "GPG Homedir to use when looking for keyrings", "HOMEDIR"},
#endif
{ "generate-sizes", 0, 0, G_OPTION_ARG_NONE, &opt_generate_sizes, "Generate size information along with commit metadata", NULL },
{ "disable-fsync", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &opt_disable_fsync, "Do not invoke fsync()", NULL },
{ "fsync", 0, 0, G_OPTION_ARG_CALLBACK, parse_fsync_cb, "Specify how to invoke fsync()", "POLICY" },
@ -813,6 +817,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
goto out;
}
#ifndef OSTREE_DISABLE_GPGME
if (opt_key_ids)
{
char **iter;
@ -830,6 +835,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
goto out;
}
}
#endif
if (opt_branch)
ostree_repo_transaction_set_ref (repo, NULL, opt_branch, commit_checksum);

4
src/ostree/ot-builtin-pull.c
View File

@ -77,6 +77,7 @@ static GOptionEntry options[] = {
{ NULL }
};
#ifndef OSTREE_DISABLE_GPGME
static void
gpg_verify_result_cb (OstreeRepo *repo,
const char *checksum,
@ -93,6 +94,7 @@ gpg_verify_result_cb (OstreeRepo *repo,
glnx_console_lock (console);
}
#endif /* OSTREE_DISABLE_GPGME */
static gboolean printed_console_progress;
@ -360,9 +362,11 @@ ostree_builtin_pull (int argc, char **argv, OstreeCommandInvocation *invocation,
if (console.is_tty)
{
#ifndef OSTREE_DISABLE_GPGME
signal_handler_id = g_signal_connect (repo, "gpg-verify-result",
G_CALLBACK (gpg_verify_result_cb),
&console);
#endif /* OSTREE_DISABLE_GPGME */
}
options = g_variant_ref_sink (g_variant_builder_end (&builder));

2
src/ostree/ot-builtin-remote.c
View File

@ -40,9 +40,11 @@ static OstreeCommand remote_subcommands[] = {
{ "list", OSTREE_BUILTIN_FLAG_NONE,
ot_remote_builtin_list,
"List remote repository names" },
#ifndef OSTREE_DISABLE_GPGME
{ "gpg-import", OSTREE_BUILTIN_FLAG_NONE,
ot_remote_builtin_gpg_import,
"Import GPG keys" },
#endif /* OSTREE_DISABLE_GPGME */
#ifdef HAVE_LIBCURL_OR_LIBSOUP
{ "add-cookie", OSTREE_BUILTIN_FLAG_NONE,
ot_remote_builtin_add_cookie,

2
src/ostree/ot-builtin-show.c
View File

@ -164,6 +164,7 @@ print_object (OstreeRepo *repo,
flags |= OSTREE_DUMP_UNSWAPPED;
ot_dump_object (objtype, checksum, variant, flags);
#ifndef OSTREE_DISABLE_GPGME
if (objtype == OSTREE_OBJECT_TYPE_COMMIT)
{
g_autoptr(OstreeGpgVerifyResult) result = NULL;
@ -207,6 +208,7 @@ print_object (OstreeRepo *repo,
g_print ("%s", buffer->str);
}
}
#endif /* OSTREE_DISABLE_GPGME */
return TRUE;
}

2
src/ostree/ot-builtin-summary.c
View File

@ -193,6 +193,7 @@ ostree_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invocati
if (!ostree_repo_regenerate_summary (repo, additional_metadata, cancellable, error))
return FALSE;
#ifndef OSTREE_DISABLE_GPGME
if (opt_key_ids)
{
if (!ostree_repo_add_gpg_signature_summary (repo,
@ -202,6 +203,7 @@ ostree_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invocati
error))
return FALSE;
}
#endif
}
else if (opt_view || opt_raw)
{

2
src/ostree/ot-builtins.h
View File

@ -41,7 +41,9 @@ BUILTINPROTO(diff);
BUILTINPROTO(export);
BUILTINPROTO(find_remotes);
BUILTINPROTO(create_usb);
#ifndef OSTREE_DISABLE_GPGME
BUILTINPROTO(gpg_sign);
#endif
BUILTINPROTO(init);
BUILTINPROTO(log);
BUILTINPROTO(pull);

2
src/ostree/ot-main.c
View File

@ -491,6 +491,7 @@ ostree_ensure_repo_writable (OstreeRepo *repo,
return TRUE;
}
#ifndef OSTREE_DISABLE_GPGME
void
ostree_print_gpg_verify_result (OstreeGpgVerifyResult *result)
{
@ -511,6 +512,7 @@ ostree_print_gpg_verify_result (OstreeGpgVerifyResult *result)
g_print ("%s", buffer->str);
}
#endif /* OSTREE_DISABLE_GPGME */
gboolean
ot_enable_tombstone_commits (OstreeRepo *repo, GError **error)

4
src/ostree/ot-remote-builtin-add.c
View File

@ -133,10 +133,12 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio
subkey, g_variant_new_variant (g_variant_new_string (subvalue)));
}
#ifndef OSTREE_DISABLE_GPGME
if (opt_no_gpg_verify)
g_variant_builder_add (optbuilder, "{s@v}",
"gpg-verify",
g_variant_new_variant (g_variant_new_boolean (FALSE)));
#endif /* OSTREE_DISABLE_GPGME */
if (opt_collection_id != NULL)
g_variant_builder_add (optbuilder, "{s@v}", "collection-id",
@ -157,6 +159,7 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio
cancellable, error))
goto out;
#ifndef OSTREE_DISABLE_GPGME
/* This is just a convenience option and is not as flexible as the full
* "ostree remote gpg-import" command. It imports all keys from a file,
* which is likely the most common case.
@ -183,6 +186,7 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio
g_print ("Imported %u GPG key%s to remote \"%s\"\n",
imported, (imported == 1) ? "" : "s", remote_name);
}
#endif /* OSTREE_DISABLE_GPGME */
ret = TRUE;
out:

4
src/ostree/ot-remote-builtin-summary.c
View File

@ -51,7 +51,9 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc
g_autoptr(GBytes) summary_bytes = NULL;
g_autoptr(GBytes) signature_bytes = NULL;
OstreeDumpFlags flags = OSTREE_DUMP_NONE;
#ifndef OSTREE_DISABLE_GPGME
gboolean gpg_verify_summary;
#endif
gboolean ret = FALSE;
context = g_option_context_new ("NAME");
@ -92,6 +94,7 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc
ot_dump_summary_bytes (summary_bytes, flags);
#ifndef OSTREE_DISABLE_GPGME
if (!ostree_repo_remote_get_gpg_verify_summary (repo, remote_name,
&gpg_verify_summary,
error))
@ -124,6 +127,7 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc
g_print ("\n");
ostree_print_gpg_verify_result (result);
}
#endif /* OSTREE_DISABLE_GPGME */
ret = TRUE;
out: