signing: Change API to create instances directly

This cleans up the verification code; it was weird how
we'd get the list of known names and then try to create
an instance from it (and throw an error if that failed, which
couldn't happen).
This commit is contained in:
Colin Walters 2020-05-10 13:20:50 +00:00
parent f572206f15
commit a9a81f3a29
6 changed files with 34 additions and 57 deletions

View File

@ -709,7 +709,7 @@ ostree_kernel_args_to_string
<SECTION>
<FILE>ostree-sign</FILE>
OstreeSign
ostree_sign_list_names
ostree_sign_get_all
ostree_sign_commit
ostree_sign_commit_verify
ostree_sign_data

View File

@ -23,7 +23,7 @@ global:
ostree_repo_commit_modifier_set_sepolicy_from_commit;
someostree_symbol_deleteme;
ostree_sign_get_type;
ostree_sign_list_names;
ostree_sign_get_all;
ostree_sign_commit;
ostree_sign_commit_verify;
ostree_sign_data;

View File

@ -142,6 +142,9 @@ _signapi_load_public_keys (OstreeSign *sign,
return TRUE;
}
/* Iterate over all known signing types, and check if the commit is signed
* by at least one.
*/
gboolean
_sign_verify_for_remote (OstreeRepo *repo,
const gchar *remote_name,
@ -149,32 +152,18 @@ _sign_verify_for_remote (OstreeRepo *repo,
GVariant *metadata,
GError **error)
{
/* list all signature types in detached metadata and check if signed by any? */
g_auto (GStrv) names = ostree_sign_list_names();
guint n_invalid_signatures = 0;
guint n_unknown_signatures = 0;
g_autoptr (GError) last_sig_error = NULL;
gboolean found_sig = FALSE;
for (char **iter=names; iter && *iter; iter++)
g_autoptr(GPtrArray) signers = ostree_sign_get_all ();
for (guint i = 0; i < signers->len; i++)
{
g_autoptr (OstreeSign) sign = NULL;
g_autoptr (GVariant) signatures = NULL;
const gchar *signature_key = NULL;
GVariantType *signature_format = NULL;
if ((sign = ostree_sign_get_by_name (*iter, NULL)) == NULL)
{
n_unknown_signatures++;
continue;
}
signature_key = ostree_sign_metadata_key (sign);
signature_format = (GVariantType *) ostree_sign_metadata_format (sign);
signatures = g_variant_lookup_value (metadata,
signature_key,
signature_format);
OstreeSign *sign = signers->pdata[i];
const gchar *signature_key = ostree_sign_metadata_key (sign);
GVariantType *signature_format = (GVariantType *) ostree_sign_metadata_format (sign);
g_autoptr (GVariant) signatures =
g_variant_lookup_value (metadata, signature_key, signature_format);
/* If not found signatures for requested signature subsystem */
if (!signatures)
@ -201,11 +190,7 @@ _sign_verify_for_remote (OstreeRepo *repo,
}
if (!found_sig)
{
if (n_unknown_signatures > 0)
return glnx_throw (error, "No signatures found (%d unknown type)", n_unknown_signatures);
return glnx_throw (error, "No signatures found");
}
return glnx_throw (error, "No signatures found");
g_assert (last_sig_error);
g_propagate_error (error, g_steal_pointer (&last_sig_error));

View File

@ -1544,14 +1544,11 @@ scan_commit_object (OtPullData *pull_data,
gboolean found_any_signature = FALSE;
gboolean found_valid_signature = FALSE;
/* list all signature types in detached metadata and check if signed by any? */
g_auto (GStrv) names = ostree_sign_list_names();
for (char **iter=names; iter && *iter; iter++)
/* FIXME - dedup this with _sign_verify_for_remote() */
g_autoptr(GPtrArray) signers = ostree_sign_get_all ();
for (guint i = 0; i < signers->len; i++)
{
g_autoptr (OstreeSign) sign = NULL;
if ((sign = ostree_sign_get_by_name (*iter, NULL)) == NULL)
continue;
OstreeSign *sign = signers->pdata[i];
/* Try to load public key(s) according remote's configuration */
if (!_signapi_load_public_keys (sign, pull_data->repo, pull_data->remote_name, error))

View File

@ -436,8 +436,6 @@ ostree_sign_commit_verify (OstreeSign *self,
*
* Return the pointer to the name of currently used/selected signing engine.
*
* The list of available engines could be acquired with #ostree_sign_list_names.
*
* Returns: (transfer none): pointer to the name
* @NULL in case of error (unlikely).
*
@ -515,28 +513,27 @@ ostree_sign_commit (OstreeSign *self,
}
/**
* ostree_sign_list_names:
* ostree_sign_get_all:
*
* Return an array with all available sign engines names.
* Return an array with newly allocated instances of all available
* signing engines; they will not be initialized.
*
* Returns: (transfer full): an array of strings, free when you used it
* Returns: (transfer full) (element-type OstreeSign): an array of signing engines
*
* Since: 2020.2
*/
GStrv
ostree_sign_list_names(void)
GPtrArray *
ostree_sign_get_all (void)
{
g_autoptr(GPtrArray) engines = g_ptr_array_new_with_free_func (g_object_unref);
for (guint i = 0; i < G_N_ELEMENTS(sign_types); i++)
{
OstreeSign *engine = ostree_sign_get_by_name (sign_types[i].name, NULL);
g_assert (engine);
g_ptr_array_add (engines, engine);
}
GStrv names = g_new0 (char *, G_N_ELEMENTS(sign_types) + 1);
gint i = 0;
for (i=0; i < G_N_ELEMENTS(sign_types); i++)
{
names[i] = g_strdup(sign_types[i].name);
g_debug ("Found '%s' signing engine", names[i]);
}
return names;
return g_steal_pointer (&engines);
}
/**
@ -544,11 +541,9 @@ ostree_sign_list_names(void)
* @name: the name of desired signature engine
* @error: return location for a #GError
*
* Tries to find and return proper signing engine by it's name.
* Create a new instance of a signing engine.
*
* The list of available engines could be acquired with #ostree_sign_list_names.
*
* Returns: (transfer full): a constant, free when you used it
* Returns: (transfer full): New signing engine, or %NULL if the engine is not known
*
* Since: 2020.2
*/

View File

@ -153,7 +153,7 @@ gboolean ostree_sign_load_pk (OstreeSign *self,
_OSTREE_PUBLIC
GStrv ostree_sign_list_names(void);
GPtrArray * ostree_sign_get_all(void);
_OSTREE_PUBLIC
OstreeSign * ostree_sign_get_by_name (const gchar *name, GError **error);