check when finished downloading the InRelease file if it has the expected gpg clearsign signature and if not download Release/Release.gpg instead

author: Michael Vogt <michael.vogt@ubuntu.com> 2012-06-21 12:32:56 +0200
committer: Michael Vogt <michael.vogt@ubuntu.com> 2012-06-21 12:32:56 +0200
commit: 0854ad8b8016d0132741a267492d72cfa0d3bd8e (patch)
tree: f5f3b55c020a2651c35602322253b86b5481cecb /apt-pkg/acquire-item.cc
parent: 2448a064f33c66d4f698375d30b87201a5a3b103 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index a30e98858..9723cddac 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1235,9 +1235,17 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash,	/
       }
       else
       {
+         // if we expect a ClearTextSignature (InRelase), ensure that
+         // this is what we get and if not fail to queue a 
+         // Release/Release.gpg, see #346386
+         if (SigFile == DestFile && !IsPgpClearTextSignature(DestFile))
+         {
+            Failed(Message, Cfg);
+            return;
+         }
+
          // There was a signature file, so pass it to gpgv for
          // verification
-
          if (_config->FindB("Debug::pkgAcquire::Auth", false))
             std::cerr << "Metaindex acquired, queueing gpg verification ("
                       << SigFile << "," << DestFile << ")\n";
author	Michael Vogt <michael.vogt@ubuntu.com>	2012-06-21 12:32:56 +0200
committer	Michael Vogt <michael.vogt@ubuntu.com>	2012-06-21 12:32:56 +0200
commit	0854ad8b8016d0132741a267492d72cfa0d3bd8e (patch)
tree	f5f3b55c020a2651c35602322253b86b5481cecb /apt-pkg/acquire-item.cc
parent	2448a064f33c66d4f698375d30b87201a5a3b103 (diff)