From 1fe8a8b703100488b1e7f97ded13ba738b445a59 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Sun, 23 Feb 2014 13:44:03 +0400
Subject: [PATCH] Refactor GPG clearsigned verification into extract + verification.

---
 debian/remote.go      |  9 ++++++++-
 debian/remote_test.go |  6 +++++-
 utils/gpg.go          | 37 +++++++++++++++++++++++--------------
 3 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/debian/remote.go b/debian/remote.go
index b26b34d8..8ad711c0 100644
--- a/debian/remote.go
+++ b/debian/remote.go
@@ -181,7 +181,14 @@ func (repo *RemoteRepo) Fetch(d aptly.Downloader, verifier utils.Verifier) error
 	}
 	defer inrelease.Close()
 
-	release, err = verifier.VerifyClearsigned(inrelease)
+	err = verifier.VerifyClearsigned(inrelease)
+	if err != nil {
+		goto splitsignature
+	}
+
+	inrelease.Seek(0, 0)
+
+	release, err = verifier.ExtractClearsigned(inrelease)
 	if err != nil {
 		goto splitsignature
 	}
diff --git a/debian/remote_test.go b/debian/remote_test.go
index c7747340..ec292c4a 100644
--- a/debian/remote_test.go
+++ b/debian/remote_test.go
@@ -28,7 +28,11 @@ func (n *NullVerifier) VerifyDetachedSignature(signature, cleartext io.Reader) e
 	return nil
 }
 
-func (n *NullVerifier) VerifyClearsigned(clearsigned io.Reader) (text *os.File, err error) {
+func (n *NullVerifier) VerifyClearsigned(clearsigned io.Reader) error {
+	return nil
+}
+
+func (n *NullVerifier) ExtractClearsigned(clearsigned io.Reader) (text *os.File, err error) {
 	text, _ = ioutil.TempFile("", "aptly-test")
 	io.Copy(text, clearsigned)
 	text.Seek(0, 0)
diff --git a/utils/gpg.go b/utils/gpg.go
index e1d94bde..30ca393d 100644
--- a/utils/gpg.go
+++ b/utils/gpg.go
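Review bot: The result of `inrelease.Seek(0, 0)` is discarded, so if the rewind fails ExtractClearsigned runs on whatever is left of the stream and the caller gets an opaque gpg failure instead of the real cause; since `err` is already a function-level variable and `goto` forbids new declarations, write `if _, err = inrelease.Seek(0, 0); err != nil { goto splitsignature }`. Note that ExtractClearsigned is documented in this patch as doing no verification, so the only thing binding the extracted Release text to the signature gpgv just checked is that both calls read the same file from offset 0 — a short comment stating that invariant above the Seek, `// ExtractClearsigned does not verify; it must read exactly the bytes VerifyClearsigned just checked`, would keep a future refactor from separating the two. The enclosing Fetch body continues outside the hunk.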
@@ -25,7 +25,8 @@ type Verifier interface {
 	InitKeyring() error
 	AddKeyring(keyring string)
 	VerifyDetachedSignature(signature, cleartext io.Reader) error
-	VerifyClearsigned(clearsigned io.Reader) (text *os.File, err error)
+	VerifyClearsigned(clearsigned io.Reader) error
+	ExtractClearsigned(clearsigned io.Reader) (text *os.File, err error)
 }
 
 // Test interface
@@ -216,14 +217,31 @@ func (g *GpgVerifier) VerifyDetachedSignature(signature, cleartext io.Reader) er
 	}
 	args = append(args, sigf.Name(), clearf.Name())
-
 	return g.runGpgv(args, "detached signature")
 }
 
-// VerifyClearsigned verifies clearsigned file using gpgv and extracts cleartext version
-func (g *GpgVerifier) VerifyClearsigned(clearsigned io.Reader) (text *os.File, err error) {
+// VerifyClearsigned verifies clearsigned file using gpgv
+func (g *GpgVerifier) VerifyClearsigned(clearsigned io.Reader) error {
 	args := g.argsKeyrings()
 
+	clearf, err := ioutil.TempFile("", "aptly-gpg")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(clearf.Name())
+	defer clearf.Close()
+
+	_, err = io.Copy(clearf, clearsigned)
+	if err != nil {
+		return err
+	}
+
+	args = append(args, clearf.Name())
+	return g.runGpgv(args, "clearsigned file")
+}
+
+// ExtractClearsigned extracts cleartext from clearsigned file WITHOUT signature verification
+func (g *GpgVerifier) ExtractClearsigned(clearsigned io.Reader) (text *os.File, err error) {
 	clearf, err := ioutil.TempFile("", "aptly-gpg")
 	if err != nil {
 		return
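Review bot: The interface now splits one verify-and-extract call into two methods whose ordering is security-relevant, but neither new method line carries a comment, so an implementer or caller reading only this interface cannot tell that ExtractClearsigned performs no verification. Add doc comments on the two lines: `// VerifyClearsigned checks the signature of a clearsigned stream against the configured keyrings.` and `// ExtractClearsigned returns the cleartext WITHOUT verifying it; callers must run VerifyClearsigned on the same bytes first.` The same caveat belongs on NullVerifier's test stub, which also returns nil unconditionally.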
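Review bot: VerifyClearsigned and ExtractClearsigned each copy the reader into their own temp file, so the bytes gpgv verifies are never the bytes gpg later splits — the patch's safety rests entirely on every caller re-reading the identical source between the two calls, and the ExtractClearsigned comment should say so explicitly: `// Callers MUST have run VerifyClearsigned over the same input first; gpg is invoked with --skip-verify and will happily emit the body of any clearsigned text.` A smaller point in VerifyClearsigned: `_, err = io.Copy(clearf, clearsigned)` followed by a separate `if err != nil` reads better as `if _, err = io.Copy(clearf, clearsigned); err != nil { return err }`, matching the early-return shape used for TempFile above it. ExtractClearsigned's body continues outside the hunk.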
@@ -236,24 +254,15 @@ func (g *GpgVerifier) VerifyClearsigned(clearsigned io.Reader) (text *os.File, e
 		return
 	}
 
-	args = append(args, clearf.Name())
-	err = g.runGpgv(args, "clearsigned file")
-	if err != nil {
-		return nil, err
-	}
-
 	text, err = ioutil.TempFile("", "aptly-gpg")
 	if err != nil {
 		return
 	}
 	defer os.Remove(text.Name())
 
-	args = []string{"--no-default-keyring"}
-	args = append(args, g.argsKeyrings()...)
-	args = append(args, "--decrypt", "--batch", "--trust-model", "always", "--output", "-", clearf.Name())
+	args := []string{"--decrypt", "--batch", "--skip-verify", "--output", "-", clearf.Name()}
 	cmd := exec.Command("gpg", args...)
-	cmd.Stderr = os.Stderr
 
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
 		return nil, err
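Review bot: Removing `cmd.Stderr = os.Stderr` together with the keyring arguments leaves gpg's diagnostics with nowhere to go, so a failed extraction (malformed armor, unusable GNUPGHOME, unexpected prompt under --batch) can only surface as whatever generic error the rest of the function — which continues outside the hunk — builds from the exit status. Capture it instead of discarding it: `var stderr bytes.Buffer; cmd.Stderr = &stderr` and fold `stderr.String()` into the returned error (bytes is stdlib). Separately, the new `args` line drops the old `--no-default-keyring`, so this non-verifying `--skip-verify` run will now open the user's default ~/.gnupg keyring, which splitting a clearsigned message does not need; keeping `--no-default-keyring` in the new slice costs nothing and avoids depending on the caller's keyring state.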