shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-21 02:50:18 +03:00
Code

Add Ability for alternate manifest names

Browse Source 
Allows fetching alternate manifest names with the Manifest
variable. Disables verification if Manifest name is not SHA256SUMS
as it is not known and accepted by systemd poll-common code.

Signed-off-by: Joe Kale <jkale@precisionplanting.com>
This commit is contained in:
Joe Kale 2025-02-28 16:26:11 -06:00
parent f2b1de6f5b
commit 162219c9ca
4 changed files with 35 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
man/sysupdate.d.xml
View File

@ -595,10 +595,10 @@
<para>If the source type is selected as <constant>url-file</constant> or
<constant>url-tar</constant> this must be a HTTP/HTTPS URL. The URL is suffixed with
<filename>/SHA256SUMS</filename> to acquire the manifest file, with
<filename>/SHA256SUMS.gpg</filename> to acquire the detached signature file for it, and with the file
names listed in the manifest file in case an update is executed and a resource shall be
downloaded.</para>
the value assigned to the <varname>Manifest</varname> variable to acquire the manifest file. If the
manifest name is <filename>/SHA256SUMS</filename> the detached signature file for it will be acquired (if
verification is enabled),and with the file names listed in the manifest file in case an update is
executed and a resource shall be downloaded.</para>
<para>For all other source resource types this must be a local path in the file system, referring to
a local directory to find the versions of this resource in.</para>
@ -606,6 +606,15 @@
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>Manifest=</varname></term>
<listitem><para>Specifies the filename of the manifest. Defaults to <filename>/SHA256SUMS</filename>.
Overriding the <varname>Manifest</varname> disables verification.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>MatchPattern=</varname></term>

22
src/sysupdate/sysupdate-resource.c
View File

@ -34,6 +34,7 @@ void resource_destroy(Resource *rr) {
assert(rr);
free(rr->path);
free(rr->manifest);
strv_free(rr->patterns);
for (size_t i = 0; i < rr->n_instances; i++)
@ -267,7 +268,7 @@ static int download_manifest(
char **ret_buffer,
size_t *ret_size) {
_cleanup_free_ char *buffer = NULL, *suffixed_url = NULL;
_cleanup_free_ char *buffer = NULL;
_cleanup_close_pair_ int pfd[2] = EBADF_PAIR;
_cleanup_fclose_ FILE *manifest = NULL;
size_t size = 0;
@ -278,17 +279,11 @@ static int download_manifest(
assert(ret_buffer);
assert(ret_size);
/* Download a SHA256SUMS file as manifest */
r = import_url_append_component(url, "SHA256SUMS", &suffixed_url);
if (r < 0)
return log_error_errno(r, "Failed to append SHA256SUMS to URL: %m");
if (pipe2(pfd, O_CLOEXEC) < 0)
return log_error_errno(errno, "Failed to allocate pipe: %m");
log_info("%s Acquiring manifest file %s%s", special_glyph(SPECIAL_GLYPH_DOWNLOAD),
suffixed_url, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
url, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
r = safe_fork_full("(sd-pull)",
(int[]) { -EBADF, pfd[1], STDERR_FILENO },
@ -305,7 +300,7 @@ static int download_manifest(
"raw",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", verify_signature ? "signature" : "no", /* verify the manifest file */
suffixed_url,
url,
"-", /* write to stdout */
NULL
};
@ -352,6 +347,7 @@ static int resource_load_from_web(
Hashmap **web_cache) {
size_t manifest_size = 0, left = 0;
_cleanup_free_ char *suffixed_url = NULL;
_cleanup_free_ char *buf = NULL;
const char *manifest, *p;
size_t line_nr = 1;
@ -369,7 +365,13 @@ static int resource_load_from_web(
} else {
log_debug("Manifest web cache miss for %s.", rr->path);
r = download_manifest(rr->path, verify, &buf, &manifest_size);
/* Download a SHA256SUMS file as manifest */
r = import_url_append_component(rr->path, rr->manifest, &suffixed_url);
if (r < 0)
return log_error_errno(r, "Failed to append manifest name to URL: %m");
r = download_manifest(suffixed_url, verify, &buf, &manifest_size);
if (r < 0)
return r;

1
src/sysupdate/sysupdate-resource.h
View File

@ -85,6 +85,7 @@ struct Resource {
char *path;
bool path_auto; /* automatically find root path (only available if target resource, not source resource) */
PathRelativeTo path_relative_to;
char *manifest; /* Manifest file name (Default: SHA256SUMS)*/
char **patterns;
GptPartitionType partition_type;
bool partition_type_set;

9
src/sysupdate/sysupdate-transfer.c
View File

@ -504,6 +504,7 @@ int transfer_read_definition(Transfer *t, const char *path, const char **dirs, H
{ "Transfer", "RequisiteFeatures", config_parse_strv, 0, &t->requisite_features },
{ "Source", "Type", config_parse_resource_type, 0, &t->source.type },
{ "Source", "Path", config_parse_resource_path, 0, &t->source },
{ "Source", "Manifest", config_parse_string, 0, &t->source.manifest },
{ "Source", "PathRelativeTo", config_parse_resource_path_relto, 0, &t->source.path_relative_to },
{ "Source", "MatchPattern", config_parse_resource_pattern, 0, &t->source.patterns },
{ "Target", "Type", config_parse_resource_type, 0, &t->target.type },
@ -603,6 +604,14 @@ int transfer_read_definition(Transfer *t, const char *path, const char **dirs, H
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"Source specification lacks Path=.");
if (!t->source.manifest)
t->source.manifest = strdup("SHA256SUMS");
if (t->verify && ! streq(t->source.manifest, "SHA256SUMS")) {
log_warning("Only SHA256SUMS is supported for manifest verification. Disabling verification.");
t->verify = false;
}
if (t->source.path_relative_to == PATH_RELATIVE_TO_EXPLICIT && !arg_transfer_source)
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"PathRelativeTo=explicit requires --transfer-source= to be specified.");