repo: Add a "gpg-verify-result" signal

Emitted during a pull operation upon GPG verification (if enabled). Applications can connect to this signal to output the verification results if desired.
2025-03-16 10:50:43 +03:00 · 2015-04-13 13:21:17 -04:00 · 2015-04-13 13:21:17 -04:00 · 20076ff201
commit 20076ff201
parent d0770e9993
2 changed files with 56 additions and 6 deletions
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@ -962,13 +962,29 @@ scan_commit_object (OtPullData         *pull_data,

  if (pull_data->gpg_verify)
    {
-      if (!ostree_repo_verify_commit (pull_data->repo,
-                                      checksum,
-                                      NULL,
-                                      NULL,
-                                      cancellable,
-                                      error))
+      gs_unref_object OstreeGpgVerifyResult *result = NULL;
+
+      result = ostree_repo_verify_commit_ext (pull_data->repo,
+                                              checksum,
+                                              NULL,
+                                              NULL,
+                                              cancellable,
+                                              error);
+
+      if (result == NULL)
        goto out;
+
+      /* Allow callers to output the results immediately. */
+      g_signal_emit_by_name (pull_data->repo,
+                             "gpg-verify-result",
+                             checksum, result);
+
+      if (ostree_gpg_verify_result_count_valid (result) == 0)
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "GPG signatures found, but none are in trusted keyring");
+          goto out;
+        }
    }

  if (!ostree_repo_load_variant (pull_data->repo, OSTREE_OBJECT_TYPE_COMMIT, checksum,
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@ -77,6 +77,10 @@
 */
 typedef struct {
  GObjectClass parent_class;
+
+  void (*gpg_verify_result) (OstreeRepo *self,
+                             const char *checksum,
+                             OstreeGpgVerifyResult *result);
 } OstreeRepoClass;

 enum {
@ -85,6 +89,13 @@ enum {
  PROP_PATH
 };

+enum {
+  GPG_VERIFY_RESULT,
+  LAST_SIGNAL
+};
+
+static guint signals[LAST_SIGNAL] = { 0 };
+
 G_DEFINE_TYPE (OstreeRepo, ostree_repo, G_TYPE_OBJECT)

 GS_DEFINE_CLEANUP_FUNCTION0(GKeyFile*, local_keyfile_unref, g_key_file_unref)
@ -472,6 +483,29 @@ ostree_repo_class_init (OstreeRepoClass *klass)
                                                        "",
                                                        G_TYPE_FILE,
                                                        G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+
+  /**
+   * OstreeRepo::gpg-verify-result:
+   * @self: an #OstreeRepo
+   * @checksum: checksum of the signed object
+   * @result: an #OstreeGpgVerifyResult
+   *
+   * Emitted during a pull operation upon GPG verification (if enabled).
+   * Applications can connect to this signal to output the verification
+   * results if desired.
+   *
+   * The signal will be emitted from whichever #GMainContext is the
+   * thread-default at the point when ostree_repo_pull_with_options()
+   * is called.
+   */
+  signals[GPG_VERIFY_RESULT] = g_signal_new ("gpg-verify-result",
+                                             OSTREE_TYPE_REPO,
+                                             G_SIGNAL_RUN_LAST,
+                                             G_STRUCT_OFFSET (OstreeRepoClass, gpg_verify_result),
+                                             NULL, NULL, NULL,
+                                             G_TYPE_NONE, 2,
+                                             G_TYPE_STRING,
+                                             OSTREE_TYPE_GPG_VERIFY_RESULT);
 }

 static void