mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00

Merge 162219c9caf1ce8a79b9acfcea30758333303537 into 487b95d9b6eb42c5213f413308b915e8be17d509

Joe Kale 2025-03-13 10:48:57 -05:00 committed by GitHub
commit 656b0d0d88
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 35 additions and 14 deletions


@ -595,10 +595,10 @@
<para>If the source type is selected as <constant>url-file</constant> or
<constant>url-tar</constant> this must be a HTTP/HTTPS URL. The URL is suffixed with
<filename>/SHA256SUMS</filename> to acquire the manifest file, with
<filename>/SHA256SUMS.gpg</filename> to acquire the detached signature file for it, and with the file
names listed in the manifest file in case an update is executed and a resource shall be
downloaded.</para>
the value assigned to the <varname>Manifest</varname> variable to acquire the manifest file. If the
manifest name is <filename>/SHA256SUMS</filename> the detached signature file for it will be acquired (if
verification is enabled),and with the file names listed in the manifest file in case an update is
executed and a resource shall be downloaded.</para>
<para>For all other source resource types this must be a local path in the file system, referring to
a local directory to find the versions of this resource in.</para>
@ -606,6 +606,15 @@
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>Manifest=</varname></term>
<listitem><para>Specifies the filename of the manifest. Defaults to <filename>/SHA256SUMS</filename>.
Overriding the <varname>Manifest</varname> disables verification.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>MatchPattern=</varname></term>


@ -35,6 +35,7 @@ void resource_destroy(Resource *rr) {
assert(rr);
free(rr->path);
free(rr->manifest);
strv_free(rr->patterns);
for (size_t i = 0; i < rr->n_instances; i++)
@ -268,7 +269,7 @@ static int download_manifest(
char **ret_buffer,
size_t *ret_size) {
_cleanup_free_ char *buffer = NULL, *suffixed_url = NULL;
_cleanup_free_ char *buffer = NULL;
_cleanup_close_pair_ int pfd[2] = EBADF_PAIR;
_cleanup_fclose_ FILE *manifest = NULL;
size_t size = 0;
@ -279,17 +280,11 @@ static int download_manifest(
assert(ret_buffer);
assert(ret_size);
/* Download a SHA256SUMS file as manifest */
r = import_url_append_component(url, "SHA256SUMS", &suffixed_url);
if (r < 0)
return log_error_errno(r, "Failed to append SHA256SUMS to URL: %m");
if (pipe2(pfd, O_CLOEXEC) < 0)
return log_error_errno(errno, "Failed to allocate pipe: %m");
log_info("%s Acquiring manifest file %s%s", special_glyph(SPECIAL_GLYPH_DOWNLOAD),
suffixed_url, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
url, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
r = safe_fork_full("(sd-pull)",
(int[]) { -EBADF, pfd[1], STDERR_FILENO },
@ -306,7 +301,7 @@ static int download_manifest(
"raw",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", verify_signature ? "signature" : "no", /* verify the manifest file */
suffixed_url,
url,
"-", /* write to stdout */
NULL
};
@ -353,6 +348,7 @@ static int resource_load_from_web(
Hashmap **web_cache) {
size_t manifest_size = 0, left = 0;
_cleanup_free_ char *suffixed_url = NULL;
_cleanup_free_ char *buf = NULL;
const char *manifest, *p;
size_t line_nr = 1;
@ -370,7 +366,13 @@ static int resource_load_from_web(
} else {
log_debug("Manifest web cache miss for %s.", rr->path);
r = download_manifest(rr->path, verify, &buf, &manifest_size);
/* Download a SHA256SUMS file as manifest */
r = import_url_append_component(rr->path, rr->manifest, &suffixed_url);
if (r < 0)
return log_error_errno(r, "Failed to append manifest name to URL: %m");
r = download_manifest(suffixed_url, verify, &buf, &manifest_size);
if (r < 0)
return r;
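Review bot: In the last hunk `rr->manifest` goes straight into `import_url_append_component()` with no check that it is set or well-formed; the only default in this commit is assigned in transfer_read_definition(), and the value comes from `config_parse_string` with no validation visible here. An `assert(rr->manifest);` in resource_load_from_web() would document that dependency, and it is worth confirming that the URL helper rejects empty names and names containing `/` or `..`, since that cannot be seen from this page. The comment carried over with the moved code is now stale; `/* Download the manifest file (SHA256SUMS unless overridden by Manifest=) */` would match the new behaviour. resource_load_from_web() starts and ends outside the hunk.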


@ -85,6 +85,7 @@ struct Resource {
char *path;
bool path_auto; /* automatically find root path (only available if target resource, not source resource) */
PathRelativeTo path_relative_to;
char *manifest; /* Manifest file name (Default: SHA256SUMS)*/
char **patterns;
GptPartitionType partition_type;
bool partition_type_set;


@ -504,6 +504,7 @@ int transfer_read_definition(Transfer *t, const char *path, const char **dirs, H
{ "Transfer", "RequisiteFeatures", config_parse_strv, 0, &t->requisite_features },
{ "Source", "Type", config_parse_resource_type, 0, &t->source.type },
{ "Source", "Path", config_parse_resource_path, 0, &t->source },
{ "Source", "Manifest", config_parse_string, 0, &t->source.manifest },
{ "Source", "PathRelativeTo", config_parse_resource_path_relto, 0, &t->source.path_relative_to },
{ "Source", "MatchPattern", config_parse_resource_pattern, 0, &t->source.patterns },
{ "Target", "Type", config_parse_resource_type, 0, &t->target.type },
@ -603,6 +604,14 @@ int transfer_read_definition(Transfer *t, const char *path, const char **dirs, H
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"Source specification lacks Path=.");
if (!t->source.manifest)
t->source.manifest = strdup("SHA256SUMS");
if (t->verify && ! streq(t->source.manifest, "SHA256SUMS")) {
log_warning("Only SHA256SUMS is supported for manifest verification. Disabling verification.");
t->verify = false;
}
if (t->source.path_relative_to == PATH_RELATIVE_TO_EXPLICIT && !arg_transfer_source)
return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
"PathRelativeTo=explicit requires --transfer-source= to be specified.");
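Review bot: In the second hunk a non-default `Manifest=` silently clears `t->verify` with only a `log_warning()`, so a definition that asked for verification ends up fetching an unauthenticated manifest; failing closed would be safer, e.g. `return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL), "Manifest= other than SHA256SUMS requires Verify=no.");`. The `strdup("SHA256SUMS")` result is also unchecked, so on allocation failure the following `streq()` is handed NULL; add `if (!t->source.manifest) return log_oom();` right after it. The man page text in this commit gives the default as `/SHA256SUMS` while the comparison here is against `SHA256SUMS`, so a user copying the documented value would lose verification; presumably one of the two should change. transfer_read_definition() starts and ends outside the hunk.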