shaba/ostree
1
0
Fork 0
mirror of https://github.com/ostreedev/ostree.git synced 2025-01-09 01:18:35 +03:00
Code Issues Projects Releases Wiki Activity

signing: Change API to create instances directly

Browse Source 
This cleans up the verification code; it was weird how
we'd get the list of known names and then try to create
an instance from it (and throw an error if that failed, which
couldn't happen).
This commit is contained in:
Colin Walters 2020-05-10 13:20:50 +00:00
parent f572206f15
commit a9a81f3a29
6 changed files with 34 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apidoc/ostree-sections.txt
View File

@ -709,7 +709,7 @@ ostree_kernel_args_to_string
<SECTION> <SECTION>
<FILE>ostree-sign</FILE> <FILE>ostree-sign</FILE>
OstreeSign OstreeSign
ostree_sign_list_names ostree_sign_get_all
ostree_sign_commit ostree_sign_commit
ostree_sign_commit_verify ostree_sign_commit_verify
ostree_sign_data ostree_sign_data

2
src/libostree/libostree-devel.sym
View File

@ -23,7 +23,7 @@ global:
ostree_repo_commit_modifier_set_sepolicy_from_commit; ostree_repo_commit_modifier_set_sepolicy_from_commit;
someostree_symbol_deleteme; someostree_symbol_deleteme;
ostree_sign_get_type; ostree_sign_get_type;
ostree_sign_list_names; ostree_sign_get_all;
ostree_sign_commit; ostree_sign_commit;
ostree_sign_commit_verify; ostree_sign_commit_verify;
ostree_sign_data; ostree_sign_data;

37
src/libostree/ostree-repo-pull-verify.c
View File

@ -142,6 +142,9 @@ _signapi_load_public_keys (OstreeSign *sign,
return TRUE; return TRUE;
} }
/* Iterate over all known signing types, and check if the commit is signed
* by at least one.
*/
gboolean gboolean
_sign_verify_for_remote (OstreeRepo *repo, _sign_verify_for_remote (OstreeRepo *repo,
const gchar *remote_name, const gchar *remote_name,
@ -149,32 +152,18 @@ _sign_verify_for_remote (OstreeRepo *repo,
GVariant *metadata, GVariant *metadata,
GError **error) GError **error)
{ {
/* list all signature types in detached metadata and check if signed by any? */
g_auto (GStrv) names = ostree_sign_list_names();
guint n_invalid_signatures = 0; guint n_invalid_signatures = 0;
guint n_unknown_signatures = 0;
g_autoptr (GError) last_sig_error = NULL; g_autoptr (GError) last_sig_error = NULL;
gboolean found_sig = FALSE; gboolean found_sig = FALSE;
for (char **iter=names; iter && *iter; iter++) g_autoptr(GPtrArray) signers = ostree_sign_get_all ();
for (guint i = 0; i < signers->len; i++)
{ {
g_autoptr (OstreeSign) sign = NULL; OstreeSign *sign = signers->pdata[i];
g_autoptr (GVariant) signatures = NULL; const gchar *signature_key = ostree_sign_metadata_key (sign);
const gchar *signature_key = NULL; GVariantType *signature_format = (GVariantType *) ostree_sign_metadata_format (sign);
GVariantType *signature_format = NULL; g_autoptr (GVariant) signatures =
g_variant_lookup_value (metadata, signature_key, signature_format);
if ((sign = ostree_sign_get_by_name (*iter, NULL)) == NULL)
{
n_unknown_signatures++;
continue;
}
signature_key = ostree_sign_metadata_key (sign);
signature_format = (GVariantType *) ostree_sign_metadata_format (sign);
signatures = g_variant_lookup_value (metadata,
signature_key,
signature_format);
/* If not found signatures for requested signature subsystem */ /* If not found signatures for requested signature subsystem */
if (!signatures) if (!signatures)
@ -201,11 +190,7 @@ _sign_verify_for_remote (OstreeRepo *repo,
} }
if (!found_sig) if (!found_sig)
{ return glnx_throw (error, "No signatures found");
if (n_unknown_signatures > 0)
return glnx_throw (error, "No signatures found (%d unknown type)", n_unknown_signatures);
return glnx_throw (error, "No signatures found");
}
g_assert (last_sig_error); g_assert (last_sig_error);
g_propagate_error (error, g_steal_pointer (&last_sig_error)); g_propagate_error (error, g_steal_pointer (&last_sig_error));

11
src/libostree/ostree-repo-pull.c
View File

@ -1544,14 +1544,11 @@ scan_commit_object (OtPullData *pull_data,
gboolean found_any_signature = FALSE; gboolean found_any_signature = FALSE;
gboolean found_valid_signature = FALSE; gboolean found_valid_signature = FALSE;
/* list all signature types in detached metadata and check if signed by any? */ /* FIXME - dedup this with _sign_verify_for_remote() */
g_auto (GStrv) names = ostree_sign_list_names(); g_autoptr(GPtrArray) signers = ostree_sign_get_all ();
for (char **iter=names; iter && *iter; iter++) for (guint i = 0; i < signers->len; i++)
{ {
g_autoptr (OstreeSign) sign = NULL; OstreeSign *sign = signers->pdata[i];
if ((sign = ostree_sign_get_by_name (*iter, NULL)) == NULL)
continue;
/* Try to load public key(s) according remote's configuration */ /* Try to load public key(s) according remote's configuration */
if (!_signapi_load_public_keys (sign, pull_data->repo, pull_data->remote_name, error)) if (!_signapi_load_public_keys (sign, pull_data->repo, pull_data->remote_name, error))

37
src/libostree/ostree-sign.c
View File

@ -436,8 +436,6 @@ ostree_sign_commit_verify (OstreeSign *self,
* *
* Return the pointer to the name of currently used/selected signing engine. * Return the pointer to the name of currently used/selected signing engine.
* *
* The list of available engines could be acquired with #ostree_sign_list_names.
*
* Returns: (transfer none): pointer to the name * Returns: (transfer none): pointer to the name
* @NULL in case of error (unlikely). * @NULL in case of error (unlikely).
* *
@ -515,28 +513,27 @@ ostree_sign_commit (OstreeSign *self,
} }
/** /**
* ostree_sign_list_names: * ostree_sign_get_all:
* *
* Return an array with all available sign engines names. * Return an array with newly allocated instances of all available
* signing engines; they will not be initialized.
* *
* Returns: (transfer full): an array of strings, free when you used it * Returns: (transfer full) (element-type OstreeSign): an array of signing engines
* *
* Since: 2020.2 * Since: 2020.2
*/ */
GStrv GPtrArray *
ostree_sign_list_names(void) ostree_sign_get_all (void)
{ {
g_autoptr(GPtrArray) engines = g_ptr_array_new_with_free_func (g_object_unref);
for (guint i = 0; i < G_N_ELEMENTS(sign_types); i++)
{
OstreeSign *engine = ostree_sign_get_by_name (sign_types[i].name, NULL);
g_assert (engine);
g_ptr_array_add (engines, engine);
}
GStrv names = g_new0 (char *, G_N_ELEMENTS(sign_types) + 1); return g_steal_pointer (&engines);
gint i = 0;
for (i=0; i < G_N_ELEMENTS(sign_types); i++)
{
names[i] = g_strdup(sign_types[i].name);
g_debug ("Found '%s' signing engine", names[i]);
}
return names;
} }
/** /**
@ -544,11 +541,9 @@ ostree_sign_list_names(void)
* @name: the name of desired signature engine * @name: the name of desired signature engine
* @error: return location for a #GError * @error: return location for a #GError
* *
* Tries to find and return proper signing engine by it's name. * Create a new instance of a signing engine.
* *
* The list of available engines could be acquired with #ostree_sign_list_names. * Returns: (transfer full): New signing engine, or %NULL if the engine is not known
*
* Returns: (transfer full): a constant, free when you used it
* *
* Since: 2020.2 * Since: 2020.2
*/ */

2
src/libostree/ostree-sign.h
View File

@ -153,7 +153,7 @@ gboolean ostree_sign_load_pk (OstreeSign *self,
_OSTREE_PUBLIC _OSTREE_PUBLIC
GStrv ostree_sign_list_names(void); GPtrArray * ostree_sign_get_all(void);
_OSTREE_PUBLIC _OSTREE_PUBLIC
OstreeSign * ostree_sign_get_by_name (const gchar *name, GError **error); OstreeSign * ostree_sign_get_by_name (const gchar *name, GError **error);