4 * Copyright (c) 2008-2011 Pacman Development Team <pacman-dev@archlinux.org>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include <locale.h> /* setlocale() */
41 #define CHECK_ERR(void) do { \
42 if(gpg_err_code(err) != GPG_ERR_NO_ERROR) { goto error; } \
45 static const char *string_validity(gpgme_validity_t validity
)
48 case GPGME_VALIDITY_UNKNOWN
:
50 case GPGME_VALIDITY_UNDEFINED
:
52 case GPGME_VALIDITY_NEVER
:
54 case GPGME_VALIDITY_MARGINAL
:
56 case GPGME_VALIDITY_FULL
:
58 case GPGME_VALIDITY_ULTIMATE
:
64 static void sigsum_test_bit(gpgme_sigsum_t sigsum
, alpm_list_t
**summary
,
65 gpgme_sigsum_t bit
, const char *value
)
68 *summary
= alpm_list_add(*summary
, (void *)value
);
72 static alpm_list_t
*list_sigsum(gpgme_sigsum_t sigsum
)
74 alpm_list_t
*summary
= NULL
;
75 /* The docs say this can be a bitmask...not sure I believe it, but we'll code
76 * for it anyway and show all possible flags in the returned string. */
78 /* The signature is fully valid. */
79 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_VALID
, "valid");
80 /* The signature is good. */
81 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_GREEN
, "green");
82 /* The signature is bad. */
83 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_RED
, "red");
84 /* One key has been revoked. */
85 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_KEY_REVOKED
, "key revoked");
86 /* One key has expired. */
87 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_KEY_EXPIRED
, "key expired");
88 /* The signature has expired. */
89 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_SIG_EXPIRED
, "sig expired");
90 /* Can't verify: key missing. */
91 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_KEY_MISSING
, "key missing");
92 /* CRL not available. */
93 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_CRL_MISSING
, "crl missing");
94 /* Available CRL is too old. */
95 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_CRL_TOO_OLD
, "crl too old");
96 /* A policy was not met. */
97 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_BAD_POLICY
, "bad policy");
98 /* A system error occured. */
99 sigsum_test_bit(sigsum
, &summary
, GPGME_SIGSUM_SYS_ERROR
, "sys error");
102 summary
= alpm_list_add(summary
, (void *)"(empty)");
107 static int init_gpgme(alpm_handle_t
*handle
)
110 const char *version
, *sigdir
;
112 gpgme_engine_info_t enginfo
;
115 /* we already successfully initialized the library */
119 sigdir
= alpm_option_get_gpgdir(handle
);
121 if (_alpm_access(handle
, sigdir
, "pubring.gpg", R_OK
)
122 || _alpm_access(handle
, sigdir
, "trustdb.gpg", R_OK
)) {
123 handle
->pm_errno
= ALPM_ERR_NOT_A_FILE
;
124 _alpm_log(handle
, ALPM_LOG_DEBUG
, "Signature verification will fail!\n");
127 /* calling gpgme_check_version() returns the current version and runs
128 * some internal library setup code */
129 version
= gpgme_check_version(NULL
);
130 _alpm_log(handle
, ALPM_LOG_DEBUG
, "GPGME version: %s\n", version
);
131 gpgme_set_locale(NULL
, LC_CTYPE
, setlocale(LC_CTYPE
, NULL
));
133 gpgme_set_locale(NULL
, LC_MESSAGES
, setlocale(LC_MESSAGES
, NULL
));
136 * The GPGME library installs a SIGPIPE signal handler automatically if
137 * the default signal hander is in use. The only time we set a handler
138 * for SIGPIPE is in dload.c, and we reset it when we are done. Given that
139 * we do this, we can let GPGME do its automagic. However, if we install
140 * a library-wide SIGPIPE handler, we will have to be careful.
143 /* check for OpenPGP support (should be a no-brainer, but be safe) */
144 err
= gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP
);
147 /* set and check engine information */
148 err
= gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP
, NULL
, sigdir
);
150 err
= gpgme_get_engine_info(&enginfo
);
152 _alpm_log(handle
, ALPM_LOG_DEBUG
, "GPGME engine info: file=%s, home=%s\n",
153 enginfo
->file_name
, enginfo
->home_dir
);
159 _alpm_log(handle
, ALPM_LOG_ERROR
, _("GPGME error: %s\n"), gpgme_strerror(err
));
160 RET_ERR(handle
, ALPM_ERR_GPGME
, 1);
164 * Decode a loaded signature in base64 form.
165 * @param base64_data the signature to attempt to decode
166 * @param data the decoded data; must be freed by the caller
167 * @param data_len the length of the returned data
168 * @return 0 on success, 1 on failure to properly decode
170 static int decode_signature(const char *base64_data
,
171 unsigned char **data
, size_t *data_len
) {
172 size_t len
= strlen(base64_data
);
173 unsigned char *usline
= (unsigned char *)base64_data
;
174 /* reasonable allocation of expected length is 3/4 of encoded length */
175 size_t destlen
= len
* 3 / 4;
176 MALLOC(*data
, destlen
, goto error
);
177 if(base64_decode(*data
, &destlen
, usline
, len
)) {
190 * Check the PGP signature for the given file path.
191 * If base64_sig is provided, it will be used as the signature data after
192 * decoding. If base64_sig is NULL, expect a signature file next to path
195 * The return value will be 0 if nothing abnormal happened during the signature
196 * check, and -1 if an error occurred while checking signatures or if a
197 * signature could not be found; pm_errno will be set. Note that "abnormal"
198 * does not include a failed signature; the value in #result should be checked
199 * to determine if the signature(s) are good.
200 * @param handle the context handle
201 * @param path the full path to a file
202 * @param base64_sig optional PGP signature data in base64 encoding
204 * @return 0 in normal cases, -1 if the something failed in the check process
206 int _alpm_gpgme_checksig(alpm_handle_t
*handle
, const char *path
,
207 const char *base64_sig
, alpm_sigresult_t
*result
)
209 int ret
= -1, sigcount
;
212 gpgme_data_t filedata
, sigdata
;
213 gpgme_verify_result_t verify_result
;
214 gpgme_signature_t gpgsig
;
215 char *sigpath
= NULL
;
216 unsigned char *decoded_sigdata
= NULL
;
217 FILE *file
= NULL
, *sigfile
= NULL
;
219 if(!path
|| _alpm_access(handle
, NULL
, path
, R_OK
) != 0) {
220 RET_ERR(handle
, ALPM_ERR_NOT_A_FILE
, -1);
224 RET_ERR(handle
, ALPM_ERR_WRONG_ARGS
, -1);
229 sigpath
= _alpm_sigpath(handle
, path
);
230 /* this will just help debugging */
231 _alpm_access(handle
, NULL
, sigpath
, R_OK
);
234 if(init_gpgme(handle
)) {
235 /* pm_errno was set in gpgme_init() */
239 _alpm_log(handle
, ALPM_LOG_DEBUG
, "checking signature for %s\n", path
);
241 memset(&ctx
, 0, sizeof(ctx
));
242 memset(&sigdata
, 0, sizeof(sigdata
));
243 memset(&filedata
, 0, sizeof(filedata
));
245 err
= gpgme_new(&ctx
);
248 /* create our necessary data objects to verify the signature */
249 file
= fopen(path
, "rb");
251 handle
->pm_errno
= ALPM_ERR_NOT_A_FILE
;
254 err
= gpgme_data_new_from_stream(&filedata
, file
);
257 /* next create data object for the signature */
259 /* memory-based, we loaded it from a sync DB */
261 int decode_ret
= decode_signature(base64_sig
,
262 &decoded_sigdata
, &data_len
);
264 handle
->pm_errno
= ALPM_ERR_SIG_INVALID
;
267 err
= gpgme_data_new_from_mem(&sigdata
,
268 (char *)decoded_sigdata
, data_len
, 0);
270 /* file-based, it is on disk */
271 sigfile
= fopen(sigpath
, "rb");
272 if(sigfile
== NULL
) {
273 _alpm_log(handle
, ALPM_LOG_DEBUG
, "sig path %s could not be opened\n",
275 handle
->pm_errno
= ALPM_ERR_SIG_MISSING
;
278 err
= gpgme_data_new_from_stream(&sigdata
, sigfile
);
282 /* here's where the magic happens */
283 err
= gpgme_op_verify(ctx
, sigdata
, filedata
, NULL
);
285 verify_result
= gpgme_op_verify_result(ctx
);
287 if(!verify_result
|| !verify_result
->signatures
) {
288 _alpm_log(handle
, ALPM_LOG_DEBUG
, "no signatures returned\n");
289 handle
->pm_errno
= ALPM_ERR_SIG_MISSING
;
292 for(gpgsig
= verify_result
->signatures
, sigcount
= 0;
293 gpgsig
; gpgsig
= gpgsig
->next
, sigcount
++);
294 _alpm_log(handle
, ALPM_LOG_DEBUG
, "%d signatures returned\n", sigcount
);
296 result
->status
= calloc(sigcount
, sizeof(alpm_sigstatus_t
));
297 result
->validity
= calloc(sigcount
, sizeof(alpm_sigvalidity_t
));
298 result
->uid
= calloc(sigcount
, sizeof(char*));
299 if(!result
->status
|| !result
->validity
|| !result
->uid
) {
300 handle
->pm_errno
= ALPM_ERR_MEMORY
;
303 result
->count
= sigcount
;
305 for(gpgsig
= verify_result
->signatures
, sigcount
= 0; gpgsig
;
306 gpgsig
= gpgsig
->next
, sigcount
++) {
307 alpm_list_t
*summary_list
, *summary
;
308 alpm_sigstatus_t status
;
309 alpm_sigvalidity_t validity
;
312 _alpm_log(handle
, ALPM_LOG_DEBUG
, "fingerprint: %s\n", gpgsig
->fpr
);
313 summary_list
= list_sigsum(gpgsig
->summary
);
314 for(summary
= summary_list
; summary
; summary
= summary
->next
) {
315 _alpm_log(handle
, ALPM_LOG_DEBUG
, "summary: %s\n", (const char *)summary
->data
);
317 alpm_list_free(summary_list
);
318 _alpm_log(handle
, ALPM_LOG_DEBUG
, "status: %s\n", gpgme_strerror(gpgsig
->status
));
319 _alpm_log(handle
, ALPM_LOG_DEBUG
, "timestamp: %lu\n", gpgsig
->timestamp
);
320 _alpm_log(handle
, ALPM_LOG_DEBUG
, "exp_timestamp: %lu\n", gpgsig
->exp_timestamp
);
321 _alpm_log(handle
, ALPM_LOG_DEBUG
, "validity: %s; reason: %s\n",
322 string_validity(gpgsig
->validity
),
323 gpgme_strerror(gpgsig
->validity_reason
));
325 err
= gpgme_get_key(ctx
, gpgsig
->fpr
, &key
, 0);
326 if(gpg_err_code(err
) == GPG_ERR_EOF
) {
327 _alpm_log(handle
, ALPM_LOG_DEBUG
, "key lookup failed, unknown key\n");
328 err
= GPG_ERR_NO_ERROR
;
329 STRDUP(result
->uid
[sigcount
], gpgsig
->fpr
,
330 handle
->pm_errno
= ALPM_ERR_MEMORY
; goto error
);
334 const char *uid
= key
->uids
->uid
;
335 STRDUP(result
->uid
[sigcount
], uid
,
336 handle
->pm_errno
= ALPM_ERR_MEMORY
; goto error
);
337 _alpm_log(handle
, ALPM_LOG_DEBUG
, "key user: %s\n", uid
);
339 gpgme_key_unref(key
);
342 switch(gpg_err_code(gpgsig
->status
)) {
344 case GPG_ERR_NO_ERROR
:
345 status
= ALPM_SIGSTATUS_VALID
;
347 case GPG_ERR_KEY_EXPIRED
:
348 status
= ALPM_SIGSTATUS_KEY_EXPIRED
;
351 case GPG_ERR_SIG_EXPIRED
:
352 status
= ALPM_SIGSTATUS_SIG_EXPIRED
;
354 case GPG_ERR_NO_PUBKEY
:
355 status
= ALPM_SIGSTATUS_KEY_UNKNOWN
;
357 case GPG_ERR_BAD_SIGNATURE
:
359 status
= ALPM_SIGSTATUS_INVALID
;
363 if(status
== ALPM_SIGSTATUS_VALID
364 || status
== ALPM_SIGSTATUS_KEY_EXPIRED
) {
365 switch(gpgsig
->validity
) {
366 case GPGME_VALIDITY_ULTIMATE
:
367 case GPGME_VALIDITY_FULL
:
368 validity
= ALPM_SIGVALIDITY_FULL
;
370 case GPGME_VALIDITY_MARGINAL
:
371 validity
= ALPM_SIGVALIDITY_MARGINAL
;
373 case GPGME_VALIDITY_NEVER
:
374 validity
= ALPM_SIGVALIDITY_NEVER
;
376 case GPGME_VALIDITY_UNKNOWN
:
377 case GPGME_VALIDITY_UNDEFINED
:
379 validity
= ALPM_SIGVALIDITY_UNKNOWN
;
383 validity
= ALPM_SIGVALIDITY_NEVER
;
386 result
->status
[sigcount
] = status
;
387 result
->validity
[sigcount
] = validity
;
393 gpgme_data_release(sigdata
);
394 gpgme_data_release(filedata
);
403 FREE(decoded_sigdata
);
404 if(gpg_err_code(err
) != GPG_ERR_NO_ERROR
) {
405 _alpm_log(handle
, ALPM_LOG_ERROR
, _("GPGME error: %s\n"), gpgme_strerror(err
));
406 RET_ERR(handle
, ALPM_ERR_GPGME
, -1);
411 int _alpm_gpgme_checksig(alpm_handle_t UNUSED
*handle
, const char UNUSED
*path
,
412 const char UNUSED
*base64_sig
, alpm_sigresult_t UNUSED
*result
)
419 * Form a signature path given a file path.
420 * Caller must free the result.
421 * @param handle the context handle
422 * @param path the full path to a file
423 * @return the path with '.sig' appended, NULL on errors
425 char *_alpm_sigpath(alpm_handle_t
*handle
, const char *path
)
433 len
= strlen(path
) + 5;
434 CALLOC(sigpath
, len
, sizeof(char), RET_ERR(handle
, ALPM_ERR_MEMORY
, NULL
));
435 sprintf(sigpath
, "%s.sig", path
);
439 int _alpm_check_pgp_helper(alpm_handle_t
*handle
, const char *path
,
440 const char *base64_sig
, int optional
, int marginal
, int unknown
,
441 enum _alpm_errno_t invalid_err
)
443 alpm_sigresult_t result
;
446 memset(&result
, 0, sizeof(result
));
448 _alpm_log(handle
, ALPM_LOG_DEBUG
, "checking signatures for %s\n", path
);
449 ret
= _alpm_gpgme_checksig(handle
, path
, base64_sig
, &result
);
450 if(ret
&& handle
->pm_errno
== ALPM_ERR_SIG_MISSING
) {
452 _alpm_log(handle
, ALPM_LOG_DEBUG
, "missing optional signature\n");
453 handle
->pm_errno
= 0;
456 _alpm_log(handle
, ALPM_LOG_DEBUG
, "missing required signature\n");
457 /* ret will already be -1 */
460 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature check failed\n");
461 /* ret will already be -1 */
464 for(num
= 0; !ret
&& num
< result
.count
; num
++) {
465 switch(result
.status
[num
]) {
466 case ALPM_SIGSTATUS_VALID
:
467 case ALPM_SIGSTATUS_KEY_EXPIRED
:
468 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature is valid\n");
469 switch(result
.validity
[num
]) {
470 case ALPM_SIGVALIDITY_FULL
:
471 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature is fully trusted\n");
473 case ALPM_SIGVALIDITY_MARGINAL
:
474 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature is marginal trust\n");
479 case ALPM_SIGVALIDITY_UNKNOWN
:
480 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature is unknown trust\n");
485 case ALPM_SIGVALIDITY_NEVER
:
486 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature should never be trusted\n");
491 case ALPM_SIGSTATUS_SIG_EXPIRED
:
492 case ALPM_SIGSTATUS_KEY_UNKNOWN
:
493 case ALPM_SIGSTATUS_INVALID
:
494 _alpm_log(handle
, ALPM_LOG_DEBUG
, "signature is not valid\n");
501 handle
->pm_errno
= invalid_err
;
505 alpm_sigresult_cleanup(&result
);
510 * Check the PGP signature for the given package file.
511 * @param pkg the package to check
512 * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred)
514 int SYMEXPORT
alpm_pkg_check_pgp_signature(alpm_pkg_t
*pkg
,
515 alpm_sigresult_t
*result
)
517 ASSERT(pkg
!= NULL
, return -1);
518 ASSERT(result
!= NULL
, RET_ERR(pkg
->handle
, ALPM_ERR_WRONG_ARGS
, -1));
519 pkg
->handle
->pm_errno
= 0;
521 return _alpm_gpgme_checksig(pkg
->handle
, alpm_pkg_get_filename(pkg
),
522 pkg
->base64_sig
, result
);
526 * Check the PGP signature for the given database.
527 * @param db the database to check
528 * @return a int value : 0 (valid), 1 (invalid), -1 (an error occurred)
530 int SYMEXPORT
alpm_db_check_pgp_signature(alpm_db_t
*db
,
531 alpm_sigresult_t
*result
)
533 ASSERT(db
!= NULL
, return -1);
534 ASSERT(result
!= NULL
, RET_ERR(db
->handle
, ALPM_ERR_WRONG_ARGS
, -1));
535 db
->handle
->pm_errno
= 0;
537 return _alpm_gpgme_checksig(db
->handle
, _alpm_db_path(db
), NULL
, result
);
540 int SYMEXPORT
alpm_sigresult_cleanup(alpm_sigresult_t
*result
)
542 ASSERT(result
!= NULL
, return -1);
543 /* Because it is likely result is on the stack, uid and status may have bogus
544 * values in the struct. Only look at them if count is greater than 0. */
545 if(result
->count
> 0) {
546 free(result
->status
);
549 for(i
= 0; i
< result
->count
; i
++) {
550 free(result
->uid
[i
]);
558 /* vim: set ts=2 sw=2 noet: */