| author | Urja (ARMLFS builder)
<urja+armlfs@urja.dev> 2024-06-22 10:06:35 UTC |
| committer | Urja (ARMLFS builder)
<urja+armlfs@urja.dev> 2024-06-22 14:25:56 UTC |
| parent | e61fae6c4a32b88b262aefe0cf0eca3782fbefe3 |
| .gitignore | +3 | -0 |
| 0001-Initial-asignify-support.patch | +730 | -0 |
| PKGBUILD | +16 | -4 |
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b11124e --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +/src/ +/pkg/ +/pacman-release-*/ diff --git a/0001-Initial-asignify-support.patch b/0001-Initial-asignify-support.patch new file mode 100644 index 0000000..c291e0e --- /dev/null +++ b/0001-Initial-asignify-support.patch @@ -0,0 +1,730 @@ +From e1d126e44f7ec7556414de2befc7c115f7d2da99 Mon Sep 17 00:00:00 2001 +From: "Urja (ARMLFS builder)" <urja+armlfs@urja.dev> +Date: Sat, 22 Jun 2024 15:29:44 +0300 +Subject: [PATCH] Initial asignify support + +--- + lib/libalpm/alpm.c | 2 +- + lib/libalpm/be_sync.c | 2 +- + lib/libalpm/handle.c | 6 +- + lib/libalpm/meson.build | 9 +- + lib/libalpm/signing_asignify.c | 575 +++++++++++++++++++++++++++++++++ + meson.build | 9 +- + meson_options.txt | 3 + + 7 files changed, 598 insertions(+), 8 deletions(-) + create mode 100644 lib/libalpm/signing_asignify.c + +diff --git a/lib/libalpm/alpm.c b/lib/libalpm/alpm.c +index 32b93b3..46845af 100644 +--- a/lib/libalpm/alpm.c ++++ b/lib/libalpm/alpm.c +@@ -119,7 +119,7 @@ int SYMEXPORT alpm_capabilities(void) + #ifdef HAVE_LIBCURL + | ALPM_CAPABILITY_DOWNLOADER + #endif +-#ifdef HAVE_LIBGPGME ++#if (defined HAVE_LIBGPGME) || (defined HAVE_ASIGNIFY) + | ALPM_CAPABILITY_SIGNATURES + #endif + | 0; +diff --git a/lib/libalpm/be_sync.c b/lib/libalpm/be_sync.c +index e47cdef..4191b75 100644 +--- a/lib/libalpm/be_sync.c ++++ b/lib/libalpm/be_sync.c +@@ -727,7 +727,7 @@ alpm_db_t *_alpm_db_register_sync(alpm_handle_t *handle, const char *treename, + + _alpm_log(handle, ALPM_LOG_DEBUG, "registering sync database '%s'\n", treename); + +-#ifndef HAVE_LIBGPGME ++#if !defined(HAVE_LIBGPGME) && !defined(HAVE_ASIGNIFY) + if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { + RET_ERR(handle, ALPM_ERR_MISSING_CAPABILITY_SIGNATURES, NULL); + } +diff --git a/lib/libalpm/handle.c b/lib/libalpm/handle.c +index ff573fb..7309ca1 100644 +--- a/lib/libalpm/handle.c ++++ b/lib/libalpm/handle.c +@@ -851,7 +851,7 @@ int SYMEXPORT alpm_option_set_default_siglevel(alpm_handle_t *handle, + if(level == ALPM_SIG_USE_DEFAULT) { + RET_ERR(handle, ALPM_ERR_WRONG_ARGS, -1); + } +-#ifdef HAVE_LIBGPGME ++#if defined HAVE_LIBGPGME || defined HAVE_ASIGNIFY + handle->siglevel = level; + #else + if(level != 0) { +@@ -871,7 +871,7 @@ int SYMEXPORT alpm_option_set_local_file_siglevel(alpm_handle_t *handle, + int level) + { + CHECK_HANDLE(handle, return -1); +-#ifdef HAVE_LIBGPGME ++#if defined HAVE_LIBGPGME || defined HAVE_ASIGNIFY + handle->localfilesiglevel = level; + #else + if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { +@@ -895,7 +895,7 @@ int SYMEXPORT alpm_option_set_remote_file_siglevel(alpm_handle_t *handle, + int level) + { + CHECK_HANDLE(handle, return -1); +-#ifdef HAVE_LIBGPGME ++#if defined HAVE_LIBGPGME || defined HAVE_ASIGNIFY + handle->remotefilesiglevel = level; + #else + if(level != 0 && level != ALPM_SIG_USE_DEFAULT) { +diff --git a/lib/libalpm/meson.build b/lib/libalpm/meson.build +index 607e91a..50b4eb3 100644 +--- a/lib/libalpm/meson.build ++++ b/lib/libalpm/meson.build +@@ -1,3 +1,8 @@ ++signing_src = 'signing.c' ++if conf.get('HAVE_ASIGNIFY') ++signing_src = 'signing_asignify.c' ++endif ++ + libalpm_sources = files(''' + add.h add.c + alpm.h alpm.c +@@ -24,9 +29,9 @@ libalpm_sources = files(''' + pkghash.h pkghash.c + rawstr.c + remove.h remove.c +- signing.c signing.h ++ signing.h + sync.h sync.c + trans.h trans.c + util.h util.c + version.c +-'''.split()) ++'''.split(), signing_src) +diff --git a/lib/libalpm/signing_asignify.c b/lib/libalpm/signing_asignify.c +new file mode 100644 +index 0000000..7e42c1d +--- /dev/null ++++ b/lib/libalpm/signing_asignify.c +@@ -0,0 +1,575 @@ ++/* ++ * signing_asignify.c ++ * ++ * Copyright (c) 2008-2024 Pacman Development Team <pacman-dev@lists.archlinux.org> ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see <http://www.gnu.org/licenses/>. ++ */ ++ ++#include <stdlib.h> ++#include <stdio.h> ++#include <string.h> ++#include <dirent.h> ++#include <sys/stat.h> ++ ++#include <asignify.h> ++ ++/* libalpm */ ++#include "signing.h" ++#include "package.h" ++#include "base64.h" ++#include "util.h" ++#include "log.h" ++#include "alpm.h" ++#include "handle.h" ++ ++int SYMEXPORT alpm_decode_signature(const char *base64_data, ++ unsigned char **data, size_t *data_len) ++{ ++ size_t len = strlen(base64_data); ++ unsigned char *usline = (unsigned char *)base64_data; ++ /* reasonable allocation of expected length is 3/4 of encoded length */ ++ size_t destlen = len * 3 / 4; ++ MALLOC(*data, destlen, goto error); ++ if(base64_decode(*data, &destlen, usline, len)) { ++ free(*data); ++ goto error; ++ } ++ *data_len = destlen; ++ return 0; ++ ++error: ++ *data = NULL; ++ *data_len = 0; ++ return -1; ++} ++ ++/** ++ * Determine if we have a key is known in our local keyring. ++ * @param handle the context handle ++ * @param fpr the fingerprint key ID to look up ++ * @return 1 if key is known, 0 if key is unknown, -1 on error ++ */ ++int _alpm_key_in_keychain(alpm_handle_t *handle, const char *fpr) ++{ ++ (void)fpr; ++ _alpm_log(handle, ALPM_LOG_DEBUG, "alpm_key_in_keychain: dummy\n"); ++ return 0; ++} ++ ++/** ++ * Import a key defined by a fingerprint into the local keyring. ++ * @param handle the context handle ++ * @param uid a user ID of the key to import ++ * @param fpr the fingerprint key ID to import ++ * @return 0 on success, -1 on error ++ */ ++int _alpm_key_import(alpm_handle_t *handle, const char *uid, const char *fpr) ++{ ++ (void)uid; (void)fpr; ++ _alpm_log(handle, ALPM_LOG_DEBUG, "alpm_key_import: dummy\n"); ++ return 0; ++} ++ ++/* This is not directly used by other files; should have no callers now. */ ++int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, ++ const char *base64_sig, alpm_siglist_t *siglist) ++{ ++ (void)path; (void)base64_sig; ++ _alpm_log(handle, ALPM_LOG_DEBUG, "alpm_gpgme_checksig: dummy\n"); ++ siglist->count = 0; ++ handle->pm_errno = ALPM_ERR_MISSING_CAPABILITY_SIGNATURES; ++ return -1; ++} ++ ++ ++/* This is what we're here for. The rest is fixing the impedance mismatches lol. ++ * Returns -1 for no/bad pubkey, 0 for bad signature/data, 1 for all verified.*/ ++static int _alpm_asignify_vfy(alpm_handle_t *handle, const char *pubkey, const char *sigfn, const char *datafn) ++{ ++ struct asignify_verify_ctx * vrf; ++ int ret = -1; ++ vrf = asignify_verify_init(); ++ ++ /* Load pubkey - this is the expected way out if we don't have a key for this repo. */ ++ if (!asignify_verify_load_pubkey(vrf, pubkey)) { ++ _alpm_log(handle, ALPM_LOG_DEBUG, "cannot load pubkey %s (%s)\n", pubkey, asignify_verify_get_error(vrf)); ++ goto cleanup; ++ } ++ ret = 0; ++ ++ /* Load and verify digests file - this is the expected way out if we have the wrong pubkey. */ ++ if (!asignify_verify_load_signature(vrf, sigfn)) { ++ _alpm_log(handle, ALPM_LOG_DEBUG, "cannot verify sigfn %s (%s)\n", sigfn, asignify_verify_get_error(vrf)); ++ goto cleanup; ++ } ++ ++ /* This is the way out if the data does not match the .sig */ ++ if (!asignify_verify_file(vrf, datafn)) { ++ _alpm_log(handle, ALPM_LOG_WARNING, "cannot verify file %s (%s)\n", datafn, asignify_verify_get_error(vrf)); ++ goto cleanup; ++ } ++ ++ /* All matched, neat. */ ++ ret = 1; ++ ++cleanup: ++ /* Cleanup */ ++ asignify_verify_free(vrf); ++ return ret; ++} ++ ++ ++static const char _alpm_keybase[] = "/etc/pacman.d/keys/"; // + <db>.pub ++static const char _alpm_keysuffix[] = ".pub"; ++ ++static int _alpm_pubkey_filter(const struct dirent * de) ++{ ++ int l = strlen(de->d_name); ++ int sufl = strlen(_alpm_keysuffix); ++ if (l <= sufl) return 0; ++ ++ /* Not .pub? Not pubkey. */ ++ if (memcmp(de->d_name+(l-sufl), _alpm_keysuffix, sufl) != 0) ++ return 0; ++ ++ return 1; ++ ++} ++ ++/* This is just to compare the key id between our signature ++ * and a keyfile, to match the right keyfile for verify by asignify */ ++/* We compare the raw base64. Should be fine lol. */ ++ ++static const char _alpm_asig_prefix[] = "asignify-sig:1:"; ++static const char _alpm_apub_prefix[] = "asignify-pubkey:1:"; ++ ++static int _alpm_asignify_cmp(unsigned char *sigdat, char *keyfn) ++{ ++ const int previewl = 40; ++ const int sig_i0 = strlen(_alpm_asig_prefix); ++ const int pub_i0 = strlen(_alpm_apub_prefix); ++ ++ unsigned char keydat[previewl]; ++ int kfd = open(keyfn, O_RDONLY); ++ int rl = 0; ++ if(kfd < 0) { ++ return -1; ++ } ++ do { ++ int rv = read(kfd, keydat+rl, previewl-rl); ++ if (rv <= 0) { ++ close(kfd); ++ return -1; ++ } ++ rl += rv; ++ } while (rl < previewl); ++ close(kfd); ++ if (memcmp(keydat, _alpm_apub_prefix, pub_i0) != 0) ++ return 1; ++ for (int i = 0; i < (previewl - pub_i0); i++) { ++ unsigned char s = sigdat[i + sig_i0]; ++ if (s != keydat[i + pub_i0]) return 1; ++ if (s == ':') return 0; ++ } ++ /* ???? */ ++ return -1; ++} ++ ++/** ++ * Check the signature for the given file path. ++ * If base64_sig is provided, it will be used as the signature data after ++ * decoding. If base64_sig is NULL, expect a signature file next to path ++ * (e.g. "%s.sig"). ++ * ++ * The return value will be 0 if nothing abnormal happened during the signature ++ * check, and -1 if an error occurred while checking signatures or if a ++ * signature could not be found; pm_errno will be set. Note that "abnormal" ++ * does not include a failed signature; the value in siglist should be checked ++ * to determine if the signature(s) are good. ++ * @param handle the context handle ++ * @param path the full path to a file ++ * @param base64_sig optional PGP signature data in base64 encoding ++ * @param siglist a pointer to storage for signature results ++ * @return 0 in normal cases, -1 if the something failed in the check process ++ */ ++static int _alpm_checksig(alpm_handle_t *handle, const char *path, ++ const char *base64_sig, alpm_siglist_t *siglist) ++{ ++ int ret = -1, sigcount, vfr = -1; ++ char *sigpath = NULL; ++ unsigned char *decoded_sigdata = NULL; ++ char tmpsigfn[] = "/tmp/pacman-sig-XXXXXX"; ++ char * keypath = NULL; ++ alpm_sigresult_t *result; ++ ++ if(!path || _alpm_access(handle, NULL, path, R_OK) != 0) { ++ RET_ERR(handle, ALPM_ERR_NOT_A_FILE, -1); ++ } ++ ++ if(!siglist) { ++ RET_ERR(handle, ALPM_ERR_WRONG_ARGS, -1); ++ } ++ siglist->count = 0; ++ ++ _alpm_log(handle, ALPM_LOG_DEBUG, "checking signature for %s\n", path); ++ ++ const int previewl = 40; ++ if(!base64_sig) { ++ sigpath = _alpm_sigpath(handle, path); ++ int sigfd = open(sigpath, O_RDONLY); ++ int rl = 0; ++ ++ if(sigfd < 0) { ++ _alpm_log(handle, ALPM_LOG_DEBUG, ++ "sig path %s could not be opened\n", ++ sigpath); ++ GOTO_ERR(handle, ALPM_ERR_SIG_MISSING, error); ++ } ++ MALLOC(decoded_sigdata, previewl, ++ GOTO_ERR(handle, ALPM_ERR_MEMORY, error)); ++ do { ++ int rv = read(sigfd, decoded_sigdata+rl, previewl-rl); ++ if (rv <= 0) { ++ GOTO_ERR(handle, ALPM_ERR_SYSTEM, error); ++ } ++ rl += rv; ++ } while (rl < previewl); ++ close(sigfd); ++ } else { ++ /* asignify only uses files, toss sig into a file. */ ++ size_t data_len; ++ ssize_t wrv; ++ size_t written = 0; ++ int decode_ret = alpm_decode_signature(base64_sig, ++ &decoded_sigdata, &data_len); ++ if ((decode_ret) || (data_len < previewl)) { ++ GOTO_ERR(handle, ALPM_ERR_SIG_INVALID, error); ++ } ++ ++ int wfd = mkstemp(tmpsigfn); ++ if (wfd < 0) { ++ GOTO_ERR(handle, ALPM_ERR_SYSTEM, error); ++ } ++ do { ++ wrv = write(wfd, decoded_sigdata+written, data_len-written); ++ if (wrv < 0) { ++ GOTO_ERR(handle, ALPM_ERR_SYSTEM, error); ++ } ++ written += wrv; ++ } while (written < data_len); ++ close(wfd); ++ CALLOC(sigpath, strlen(tmpsigfn)+1, sizeof(char), GOTO_ERR(handle, ALPM_ERR_MEMORY, error)); ++ strcpy(sigpath, tmpsigfn); ++ } ++ ++ if (memcmp(_alpm_asig_prefix, decoded_sigdata, strlen(_alpm_asig_prefix)) != 0) { ++ GOTO_ERR(handle, ALPM_ERR_SIG_INVALID, error); ++ } ++ ++ char *foundkey = NULL; ++ struct dirent **keylist; ++ int n; ++ MALLOC(keypath, strlen(_alpm_keybase) + 256 + 1, GOTO_ERR(handle, ALPM_ERR_MEMORY, error)); ++ strcpy(keypath, _alpm_keybase); ++ int baselen = strlen(_alpm_keybase); ++ ++ n = scandir(_alpm_keybase, &keylist, _alpm_pubkey_filter, alphasort); ++ if (n >= 0) { ++ int i; ++ for (i = 0; i < n; i++) { ++ strcpy(keypath+baselen, keylist[i]->d_name); ++ if ((!foundkey)&&(_alpm_asignify_cmp(decoded_sigdata, keypath) == 0)) { ++ foundkey = strdup(keylist[i]->d_name); ++ vfr = _alpm_asignify_vfy(handle, keypath, sigpath, path); ++ } ++ free(keylist[i]); ++ } ++ FREE(keylist); ++ } ++ if (!foundkey) foundkey = strdup("(none)"); ++ ++ /* Synth the signature info */ ++ sigcount = 1; ++ CALLOC(siglist->results, sigcount, sizeof(alpm_sigresult_t), ++ GOTO_ERR(handle, ALPM_ERR_MEMORY, error)); ++ siglist->count = sigcount; ++ result = siglist->results; ++ ++ ++ result->key.uid = foundkey; ++ switch (vfr) { ++ default: ++ case -1: ++ result->status = ALPM_SIGSTATUS_KEY_UNKNOWN; ++ result->validity = ALPM_SIGVALIDITY_UNKNOWN; ++ break; ++ case 0: ++ result->status = ALPM_SIGSTATUS_INVALID; ++ result->validity = ALPM_SIGVALIDITY_UNKNOWN; ++ break; ++ ++ case 1: ++ result->status = ALPM_SIGSTATUS_VALID; ++ result->validity = ALPM_SIGVALIDITY_FULL; ++ break; ++ } ++ ret = 0; ++error: ++ FREE(keypath); ++ if ((base64_sig) && (sigpath)) { ++ unlink(sigpath); ++ } ++ FREE(sigpath); ++ FREE(decoded_sigdata); ++ return ret; ++} ++ ++/** ++ * Form a signature path given a file path. ++ * Caller must free the result. ++ * @param handle the context handle ++ * @param path the full path to a file ++ * @return the path with '.sig' appended, NULL on errors ++ */ ++char *_alpm_sigpath(alpm_handle_t *handle, const char *path) ++{ ++ char *sigpath; ++ size_t len; ++ ++ if(!path) { ++ return NULL; ++ } ++ len = strlen(path) + 5; ++ CALLOC(sigpath, len, sizeof(char), RET_ERR(handle, ALPM_ERR_MEMORY, NULL)); ++ sprintf(sigpath, "%s.sig", path); ++ return sigpath; ++} ++ ++/** ++ * Helper for checking the PGP signature for the given file path. ++ * This wraps #_alpm_gpgme_checksig in a slightly friendlier manner to simplify ++ * handling of optional signatures and marginal/unknown trust levels and ++ * handling the correct error code return values. ++ * @param handle the context handle ++ * @param path the full path to a file ++ * @param base64_sig optional PGP signature data in base64 encoding ++ * @param optional whether signatures are optional (e.g., missing OK) ++ * @param marginal whether signatures with marginal trust are acceptable ++ * @param unknown whether signatures with unknown trust are acceptable ++ * @param sigdata a pointer to storage for signature results ++ * @return 0 on success, -1 on error (consult pm_errno or sigdata) ++ */ ++int _alpm_check_pgp_helper(alpm_handle_t *handle, const char *path, ++ const char *base64_sig, int optional, int marginal, int unknown, ++ alpm_siglist_t **sigdata) ++{ ++ alpm_siglist_t *siglist; ++ int ret; ++ ++ CALLOC(siglist, 1, sizeof(alpm_siglist_t), ++ RET_ERR(handle, ALPM_ERR_MEMORY, -1)); ++ ++ ret = _alpm_checksig(handle, path, base64_sig, siglist); ++ if(ret && handle->pm_errno == ALPM_ERR_SIG_MISSING) { ++ if(optional) { ++ _alpm_log(handle, ALPM_LOG_DEBUG, "missing optional signature\n"); ++ handle->pm_errno = ALPM_ERR_OK; ++ ret = 0; ++ } else { ++ _alpm_log(handle, ALPM_LOG_DEBUG, "missing required signature\n"); ++ /* ret will already be -1 */ ++ } ++ } else if(ret) { ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature check failed\n"); ++ /* ret will already be -1 */ ++ } else { ++ size_t num; ++ for(num = 0; !ret && num < siglist->count; num++) { ++ switch(siglist->results[num].status) { ++ case ALPM_SIGSTATUS_VALID: ++ case ALPM_SIGSTATUS_KEY_EXPIRED: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature is valid\n"); ++ switch(siglist->results[num].validity) { ++ case ALPM_SIGVALIDITY_FULL: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature is fully trusted\n"); ++ break; ++ case ALPM_SIGVALIDITY_MARGINAL: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature is marginal trust\n"); ++ if(!marginal) { ++ ret = -1; ++ } ++ break; ++ case ALPM_SIGVALIDITY_UNKNOWN: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature is unknown trust\n"); ++ if(!unknown) { ++ ret = -1; ++ } ++ break; ++ case ALPM_SIGVALIDITY_NEVER: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature should never be trusted\n"); ++ ret = -1; ++ break; ++ } ++ break; ++ case ALPM_SIGSTATUS_SIG_EXPIRED: ++ case ALPM_SIGSTATUS_KEY_UNKNOWN: ++ case ALPM_SIGSTATUS_KEY_DISABLED: ++ case ALPM_SIGSTATUS_INVALID: ++ _alpm_log(handle, ALPM_LOG_DEBUG, "signature is not valid\n"); ++ ret = -1; ++ break; ++ } ++ } ++ } ++ ++ if(sigdata) { ++ *sigdata = siglist; ++ } else { ++ alpm_siglist_cleanup(siglist); ++ free(siglist); ++ } ++ ++ return ret; ++} ++ ++/** ++ * Examine a signature result list and take any appropriate or necessary ++ * actions. This may include asking the user to import a key or simply printing ++ * helpful failure messages so the user can take action out of band. ++ * @param handle the context handle ++ * @param identifier a friendly name for the signed resource; usually a ++ * database or package name ++ * @param siglist a pointer to storage for signature results ++ * @param optional whether signatures are optional (e.g., missing OK) ++ * @param marginal whether signatures with marginal trust are acceptable ++ * @param unknown whether signatures with unknown trust are acceptable ++ * @return 0 if all signatures are OK, -1 on errors, 1 if we should retry the ++ * validation process ++ */ ++int _alpm_process_siglist(alpm_handle_t *handle, const char *identifier, ++ alpm_siglist_t *siglist, int optional, int marginal, int unknown) ++{ ++ size_t i; ++ int retry = 0; ++ ++ if(!optional && siglist->count == 0) { ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: missing required signature\n"), identifier); ++ } ++ ++ for(i = 0; i < siglist->count; i++) { ++ alpm_sigresult_t *result = siglist->results + i; ++ const char *name = result->key.uid ? result->key.uid : result->key.fingerprint; ++ switch(result->status) { ++ case ALPM_SIGSTATUS_VALID: ++ case ALPM_SIGSTATUS_KEY_EXPIRED: ++ switch(result->validity) { ++ case ALPM_SIGVALIDITY_FULL: ++ break; ++ case ALPM_SIGVALIDITY_MARGINAL: ++ if(!marginal) { ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: signature from \"%s\" is marginal trust\n"), ++ identifier, name); ++ /* QUESTION(handle, ALPM_QUESTION_EDIT_KEY_TRUST, &result->key, NULL, NULL, &answer); */ ++ } ++ break; ++ case ALPM_SIGVALIDITY_UNKNOWN: ++ if(!unknown) { ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: signature from \"%s\" is unknown trust\n"), ++ identifier, name); ++ /* QUESTION(handle, ALPM_QUESTION_EDIT_KEY_TRUST, &result->key, NULL, NULL, &answer); */ ++ } ++ break; ++ case ALPM_SIGVALIDITY_NEVER: ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: signature from \"%s\" should never be trusted\n"), ++ identifier, name); ++ break; ++ } ++ break; ++ case ALPM_SIGSTATUS_KEY_UNKNOWN: ++ /* ensure this key is still actually unknown; we may have imported it ++ * on an earlier call to this function. */ ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: key \"%s\" is unknown\n"), identifier, name); ++ ++ break; ++ case ALPM_SIGSTATUS_KEY_DISABLED: ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: key \"%s\" is disabled\n"), identifier, name); ++ break; ++ case ALPM_SIGSTATUS_SIG_EXPIRED: ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: signature from \"%s\" is expired\n"), identifier, name); ++ break; ++ case ALPM_SIGSTATUS_INVALID: ++ _alpm_log(handle, ALPM_LOG_ERROR, ++ _("%s: signature from \"%s\" is invalid\n"), ++ identifier, name); ++ break; ++ } ++ } ++ ++ return retry; ++} ++ ++int SYMEXPORT alpm_pkg_check_pgp_signature(alpm_pkg_t *pkg, ++ alpm_siglist_t *siglist) ++{ ++ /* AFAIK this is only used by pacman for package info dump */ ++ ASSERT(pkg != NULL, return -1); ++ ASSERT(siglist != NULL, RET_ERR(pkg->handle, ALPM_ERR_WRONG_ARGS, -1)); ++ pkg->handle->pm_errno = ALPM_ERR_OK; ++ ++ return _alpm_checksig(pkg->handle, pkg->filename, ++ pkg->base64_sig, siglist); ++} ++ ++int SYMEXPORT alpm_db_check_pgp_signature(alpm_db_t *db, ++ alpm_siglist_t *siglist) ++{ ++ /* AFAIK this is unused */ ++ ASSERT(db != NULL, return -1); ++ ASSERT(siglist != NULL, RET_ERR(db->handle, ALPM_ERR_WRONG_ARGS, -1)); ++ db->handle->pm_errno = ALPM_ERR_OK; ++ ++ return _alpm_checksig(db->handle, _alpm_db_path(db), NULL, siglist); ++} ++ ++int SYMEXPORT alpm_siglist_cleanup(alpm_siglist_t *siglist) ++{ ++ ASSERT(siglist != NULL, return -1); ++ size_t num; ++ for(num = 0; num < siglist->count; num++) { ++ alpm_sigresult_t *result = siglist->results + num; ++ FREE(result->key.uid); ++ } ++ ++ if(siglist->count) { ++ free(siglist->results); ++ } ++ siglist->results = NULL; ++ siglist->count = 0; ++ return 0; ++} ++ ++int SYMEXPORT alpm_extract_keyid(alpm_handle_t *handle, const char *identifier, ++ const unsigned char *sig, const size_t len, alpm_list_t **keys) ++{ ++ (void)handle; (void)identifier; (void)sig; (void)len; (void)keys; ++ return 0; ++} +diff --git a/meson.build b/meson.build +index 79fc3ef..ca66dbe 100644 +--- a/meson.build ++++ b/meson.build +@@ -112,6 +112,12 @@ gpgme = dependency('gpgme', + not_found_message : 'gpgme @0@ is needed for GPG signature support'.format(needed_gpgme_version)) + conf.set('HAVE_LIBGPGME', gpgme.found()) + ++asignify = cc.find_library('asignify', has_headers:['asignify.h'], ++ required : get_option('asignify'), ++ static : get_option('buildstatic')) ++conf.set('HAVE_ASIGNIFY', asignify.found()) ++ ++ + want_crypto = get_option('crypto') + if want_crypto == 'openssl' + libcrypto = dependency('libcrypto', static : get_option('buildstatic'), +@@ -331,7 +337,7 @@ libcommon = static_library( + gnu_symbol_visibility : 'hidden', + install : false) + +-alpm_deps = [crypto_provider, libarchive, libcurl, libintl, gpgme] ++alpm_deps = [crypto_provider, libarchive, libcurl, libintl, gpgme, asignify] + + libalpm_a = static_library( + 'alpm_objlib', +@@ -496,6 +502,7 @@ message('\n '.join([ + ' debug build : @0@'.format(get_option('buildtype') == 'debug'), + ' Use libcurl : @0@'.format(conf.get('HAVE_LIBCURL')), + ' Use GPGME : @0@'.format(conf.get('HAVE_LIBGPGME')), ++ ' Use asignify : @0@'.format(conf.get('HAVE_ASIGNIFY')), + ' Use OpenSSL : @0@'.format(conf.has('HAVE_LIBSSL') and + conf.get('HAVE_LIBSSL') == 1), + ' Use nettle : @0@'.format(conf.has('HAVE_LIBNETTLE') and +diff --git a/meson_options.txt b/meson_options.txt +index d004002..ce8546c 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -51,6 +51,9 @@ option('crypto', type : 'combo', choices : ['openssl', 'nettle'], + option('gpgme', type : 'feature', value : 'auto', + description : 'use GPGME for PGP signature verification') + ++option('asignify', type : 'feature', value : 'auto', ++ description : 'use asignify for signature verification') ++ + option('i18n', type : 'boolean', value : true, + description : 'enable localization of pacman, libalpm and scripts') + +-- +2.44.0 + diff --git a/PKGBUILD b/PKGBUILD index efe1f5f..eaa28fb 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,23 +1,34 @@ pkgname=pacman pkgver=6.1.0 -pkgrel=2 +pkgrel=5 arch=('armv7h') license=('unknown') source=("$pkgname-release-6.1.x.tar.gz" + "0001-Initial-asignify-support.patch" "makepkg.conf" "pacman.conf") -depends=(bash glibc libarchive curl gettext gawk coreutils grep openssl) +depends=(bash glibc libarchive curl gettext gawk coreutils grep openssl asignify) makedepends=(meson) provides=('libalpm.so') backup=(etc/pacman.conf etc/makepkg.conf) +prepare() { + cd "$pkgname-release-6.1.x" + patch -Np1 -i ../0001-Initial-asignify-support.patch +} + build() { cd "$pkgname-release-6.1.x" mkdir -p build cd build meson --prefix=/usr \ - -Dcrypto=openssl + -Dcrypto=openssl \ + -Dgpgme=disabled \ + -Dasignify=enabled \ + -Ddebug-suffix=dbginfo + # "-debug-" clashes with some package(s) (ruby-debug IIRC) + ninja } @@ -27,5 +38,6 @@ package() { cp "$srcdir"/{makepkg,pacman}.conf "$pkgdir"/etc } sha256sums=('b15679b7b751992d8d8f2acfa94f0c381d71d8289e5ac9f89cb6ddb88306c788' - '9f384b880aa12a69f80ff3f727f082fbb5a31fb8be3989c470f5661be4f66ee6' + '6303db37b0b91953228e8a11d1bf4984b2514cbe9713588da8bd646375ae0e15' + '09afbfea3e7f0aa971edbda63633551fc0a332056cae1756f3f60b90dc065ac3' 'ea7d565cb3bf054af947ba51df2c1567030572755fc8caa66d7f869a97bb27e5')