This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 3e29608f826cb86244295697951ec0976345705e (commit) from 36600cef36577ca36d4349bc7658a68234311ea2 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 3e29608f826cb86244295697951ec0976345705e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 2 15:45:48 2018 +0100
pakfire: Validate signatures when multiple are available
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: src/pakfire/lib/functions.pl | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-)
Difference in files: diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index 78761aef6..dd4007a44 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -35,6 +35,13 @@ use Switch;
package Pakfire;
+my @VALID_KEY_FINGERPRINTS = ( + # 2018 + "3ECA8AA4478208B924BB96206FEF7A8ED713594B", + # 2007 + "179740DC4D8C47DC63C099C74BDE364C64D96617", +); + # A small color-hash :D my %color; $color{'normal'} = "\033[0m"; @@ -215,7 +222,7 @@ sub fetchfile { print FILE $final_data; close(FILE); logger("DOWNLOAD INFO: File received. Start checking signature..."); - if (system("gpg --verify "$Conf::tmpdir/$bfile" &>/dev/null") eq 0) { + if (&valid_signature("$Conf::tmpdir/$bfile")) { logger("DOWNLOAD INFO: Signature of $bfile is fine."); move("$Conf::tmpdir/$bfile","$Conf::cachedir/$bfile"); } else { @@ -288,6 +295,25 @@ sub getcoredb { } }
+sub valid_signature($) { + my $filename = shift; + + open(my $cmd, "gpg --verify --status-fd 1 "$filename" 2>/dev/null |"); + while (<$cmd>) { + # Process valid signature lines + if (/VALIDSIG ([A-Z0-9]+)/) { + # Check if we know the key + foreach my $key (@VALID_KEY_FINGERPRINTS) { + # Signature is valid + return 1 if ($key eq $1); + } + } + } + close($cmd); + + # Signature is invalid + return 0; +}
sub selectmirror { ### Check if there is a current server list and read it.
hooks/post-receive -- IPFire 2.x development tree