summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--apt-pkg/acquire-item.cc272
-rw-r--r--apt-pkg/acquire-item.h64
-rwxr-xr-xtest/integration/test-apt-update-ims26
3 files changed, 149 insertions, 213 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index d1cf53fd5..6c04288a8 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1608,62 +1608,24 @@ void pkgAcqMetaSig::Done(string Message,unsigned long long Size,
if(AuthPass == false)
{
- // queue for verify, note that we change DestFile here to point to
- // the file we want to verify (needed to make gpgv work)
-
- string FileName = LookupTag(Message,"Filename");
- if (FileName.empty() == true)
- {
- Status = StatError;
- ErrorText = "Method gave a blank filename";
- return;
- }
-
- if (FileName != DestFile)
- {
- // We have to copy it into place
- Local = true;
- Desc.URI = "copy:" + FileName;
- QueueURI(Desc);
- return;
- }
-
- if(StringToBool(LookupTag(Message,"IMS-Hit"),false) == true)
+ if(CheckDownloadDone(Message, RealURI) == true)
{
- IMSHit = true;
- // adjust DestFile on i-m-s hit to the one we already have on disk
- DestFile = _config->FindDir("Dir::State::lists");
- DestFile += URItoFileName(RealURI);
+ // destfile will be modified to point to MetaIndexFile for the
+ // gpgv method, so we need to save it here
+ MetaIndexFileSignature = DestFile;
+ QueueForSignatureVerify(MetaIndexFile, MetaIndexFileSignature);
}
-
- // this is the file we verify from
- MetaIndexFileSignature = DestFile;
-
- AuthPass = true;
- Desc.URI = "gpgv:" + MetaIndexFileSignature;
- DestFile = MetaIndexFile;
- QueueURI(Desc);
- SetActiveSubprocess("gpgv");
return;
}
else
{
- // verify was successful
-
- // we parse the MetaIndexFile here (and not right after getting
- // the pkgAcqMetaIndex) because at this point we can trust the data
- //
- // load indexes and queue further downloads
- MetaIndexParser->Load(MetaIndexFile);
- QueueIndexes(true);
-
- // DestFile points to the the MetaIndeFile at this point, make it
- // point back to the Release.gpg file
- std::string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI);
- TransactionManager->TransactionStageCopy(this, MetaIndexFileSignature, FinalFile);
+ if(AuthDone(Message, RealURI) == true)
+ {
+ std::string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile += URItoFileName(RealURI);
- Complete = true;
+ TransactionManager->TransactionStageCopy(this, MetaIndexFileSignature, FinalFile);
+ }
}
}
/*}}}*/
@@ -1796,57 +1758,78 @@ string pkgAcqMetaIndex::Custom600Headers() const
return "\nIndex-File: true\nLast-Modified: " + TimeRFC1123(Buf.st_mtime);
}
/*}}}*/
-void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,HashStringList const &Hashes, /*{{{*/
+void pkgAcqMetaIndex::Done(string Message,unsigned long long Size, /*{{{*/
+ HashStringList const &Hashes,
pkgAcquire::MethodConfig *Cfg)
{
Item::Done(Message,Size,Hashes,Cfg);
- // MetaIndexes are done in two passes: one to download the
- // metaindex with an appropriate method, and a second to verify it
- // with the gpgv method
-
- if (AuthPass == true)
+ if(CheckDownloadDone(Message, RealURI))
{
- AuthDone(Message);
+ // we have a Release file, now download the Signature, all further
+ // verify/queue for additional downloads will be done in the
+ // pkgAcqMetaSig::Done() code
+ std::string MetaIndexFile = DestFile;
+ new pkgAcqMetaSig(Owner, TransactionManager,
+ MetaIndexSigURI, MetaIndexSigURIDesc,
+ MetaIndexSigShortDesc, MetaIndexFile, IndexTargets,
+ MetaIndexParser);
- // all cool, move Release file into place
- Complete = true;
+ string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile += URItoFileName(RealURI);
+ TransactionManager->TransactionStageCopy(this, DestFile, FinalFile);
}
- else
- {
- RetrievalDone(Message);
- if (!Complete)
- // Still more retrieving to do
- return;
+}
+ /*}}}*/
+bool pkgAcqMetaBase::AuthDone(string Message, const string &RealURI) /*{{{*/
+{
+ // At this point, the gpgv method has succeeded, so there is a
+ // valid signature from a key in the trusted keyring. We
+ // perform additional verification of its contents, and use them
+ // to verify the indexes we are about to download
- if (SigFile != "")
- {
- // There was a signature file, so pass it to gpgv for
- // verification
- if (_config->FindB("Debug::pkgAcquire::Auth", false))
- std::cerr << "Metaindex acquired, queueing gpg verification ("
- << SigFile << "," << DestFile << ")\n";
- AuthPass = true;
- Desc.URI = "gpgv:" + SigFile;
- QueueURI(Desc);
- SetActiveSubprocess("gpgv");
- return;
- }
+ if (!MetaIndexParser->Load(DestFile))
+ {
+ Status = StatAuthError;
+ ErrorText = MetaIndexParser->ErrorText;
+ return false;
}
- if (Complete == true)
+ if (!VerifyVendor(Message, RealURI))
{
- string FinalFile = _config->FindDir("Dir::State::lists");
- FinalFile += URItoFileName(RealURI);
- if (SigFile == DestFile)
- SigFile = FinalFile;
-
- // queue for copy in place
- TransactionManager->TransactionStageCopy(this, DestFile, FinalFile);
+ return false;
}
+
+ if (_config->FindB("Debug::pkgAcquire::Auth", false))
+ std::cerr << "Signature verification succeeded: "
+ << DestFile << std::endl;
+
+ // Download further indexes with verification
+ //
+ // it would be really nice if we could simply do
+ // if (IMSHit == false) QueueIndexes(true)
+ // and skip the download if the Release file has not changed
+ // - but right now the list cleaner will needs to be tricked
+ // to not delete all our packages/source indexes in this case
+ QueueIndexes(true);
+
+ return true;
+}
+ /*}}}*/
+ /*{{{*/
+void pkgAcqMetaBase::QueueForSignatureVerify(const std::string &MetaIndexFile,
+ const std::string &MetaIndexFileSignature)
+{
+ AuthPass = true;
+ Desc.URI = "gpgv:" + MetaIndexFileSignature;
+ DestFile = MetaIndexFile;
+ QueueURI(Desc);
+ SetActiveSubprocess("gpgv");
}
/*}}}*/
-void pkgAcqMetaIndex::RetrievalDone(string Message) /*{{{*/
+ /*{{{*/
+bool pkgAcqMetaBase::CheckDownloadDone(const std::string &Message,
+ const std::string &RealURI)
{
// We have just finished downloading a Release file (it is not
// verified yet)
@@ -1856,7 +1839,7 @@ void pkgAcqMetaIndex::RetrievalDone(string Message) /*{{{*/
{
Status = StatError;
ErrorText = "Method gave a blank filename";
- return;
+ return false;
}
if (FileName != DestFile)
@@ -1864,7 +1847,7 @@ void pkgAcqMetaIndex::RetrievalDone(string Message) /*{{{*/
Local = true;
Desc.URI = "copy:" + FileName;
QueueURI(Desc);
- return;
+ return false;
}
// make sure to verify against the right file on I-M-S hit
@@ -1873,101 +1856,13 @@ void pkgAcqMetaIndex::RetrievalDone(string Message) /*{{{*/
{
string FinalFile = _config->FindDir("Dir::State::lists");
FinalFile += URItoFileName(RealURI);
- if (SigFile == DestFile)
- {
- SigFile = FinalFile;
-#if 0
- // constructor of pkgAcqMetaClearSig moved it out of the way,
- // now move it back in on IMS hit for the 'old' file
- string const OldClearSig = DestFile + ".reverify";
- if (RealFileExists(OldClearSig) == true)
- Rename(OldClearSig, FinalFile);
-#endif
- }
DestFile = FinalFile;
}
- // queue a signature
- if(SigFile != DestFile)
- new pkgAcqMetaSig(Owner, TransactionManager,
- MetaIndexSigURI, MetaIndexSigURIDesc,
- MetaIndexSigShortDesc, DestFile, IndexTargets,
- MetaIndexParser);
-
+ // set Item to complete as the remaining work is all local (verify etc)
Complete = true;
-}
- /*}}}*/
-void pkgAcqMetaIndex::AuthDone(string Message) /*{{{*/
-{
- // At this point, the gpgv method has succeeded, so there is a
- // valid signature from a key in the trusted keyring. We
- // perform additional verification of its contents, and use them
- // to verify the indexes we are about to download
-
- if (!MetaIndexParser->Load(DestFile))
- {
- Status = StatAuthError;
- ErrorText = MetaIndexParser->ErrorText;
- return;
- }
-
- if (!VerifyVendor(Message))
- {
- return;
- }
-
- if (_config->FindB("Debug::pkgAcquire::Auth", false))
- std::cerr << "Signature verification succeeded: "
- << DestFile << std::endl;
-// we ensure this by other means
-#if 0
- // do not trust any previously unverified content that we may have
- string LastGoodSigFile = _config->FindDir("Dir::State::lists").append("partial/").append(URItoFileName(RealURI));
- if (DestFile != SigFile)
- LastGoodSigFile.append(".gpg");
- LastGoodSigFile.append(".reverify");
- if(IMSHit == false && RealFileExists(LastGoodSigFile) == false)
- {
- for (vector <struct IndexTarget*>::const_iterator Target = IndexTargets->begin();
- Target != IndexTargets->end();
- ++Target)
- {
- // remove old indexes
- std::string index = _config->FindDir("Dir::State::lists") +
- URItoFileName((*Target)->URI);
- unlink(index.c_str());
- // and also old gzipindexes
- std::vector<std::string> types = APT::Configuration::getCompressionTypes();
- for (std::vector<std::string>::const_iterator t = types.begin(); t != types.end(); ++t)
- {
- index += '.' + (*t);
- unlink(index.c_str());
- }
- }
- }
-#endif
-
- // Download further indexes with verification
- //
- // it would be really nice if we could simply do
- // if (IMSHit == false) QueueIndexes(true)
- // and skip the download if the Release file has not changed
- // - but right now the list cleaner will needs to be tricked
- // to not delete all our packages/source indexes in this case
- QueueIndexes(true);
-
-#if 0
- // is it a clearsigned MetaIndex file?
- if (DestFile == SigFile)
- return;
-
- // Done, move signature file into position
- string VerifiedSigFile = _config->FindDir("Dir::State::lists") +
- URItoFileName(RealURI) + ".gpg";
- Rename(SigFile,VerifiedSigFile);
- chmod(VerifiedSigFile.c_str(),0644);
-#endif
+ return true;
}
/*}}}*/
void pkgAcqMetaBase::QueueIndexes(bool verify) /*{{{*/
@@ -2056,7 +1951,7 @@ void pkgAcqMetaBase::QueueIndexes(bool verify) /*{{{*/
}
}
/*}}}*/
-bool pkgAcqMetaIndex::VerifyVendor(string Message) /*{{{*/
+bool pkgAcqMetaBase::VerifyVendor(string Message, const string &RealURI)/*{{{*/
{
string::size_type pos;
@@ -2273,7 +2168,24 @@ void pkgAcqMetaClearSig::Done(std::string Message,unsigned long long Size,
TransactionManager->AbortTransaction();
return;
}
- pkgAcqMetaIndex::Done(Message, Size, Hashes, Cnf);
+
+ if(AuthPass == false)
+ {
+ if(CheckDownloadDone(Message, RealURI) == true)
+ QueueForSignatureVerify(DestFile, DestFile);
+ return;
+ }
+ else
+ {
+ if(AuthDone(Message, RealURI) == true)
+ {
+ string FinalFile = _config->FindDir("Dir::State::lists");
+ FinalFile += URItoFileName(RealURI);
+
+ // queue for copy in place
+ TransactionManager->TransactionStageCopy(this, DestFile, FinalFile);
+ }
+ }
}
/*}}}*/
void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*{{{*/
diff --git a/apt-pkg/acquire-item.h b/apt-pkg/acquire-item.h
index bab2cc0d7..f12f57262 100644
--- a/apt-pkg/acquire-item.h
+++ b/apt-pkg/acquire-item.h
@@ -385,6 +385,41 @@ class pkgAcqMetaBase : public pkgAcquire::Item
*/
void QueueIndexes(bool verify);
+
+ /** \brief Called when a file is finished being retrieved.
+ *
+ * If the file was not downloaded to DestFile, a copy process is
+ * set up to copy it to DestFile; otherwise, Complete is set to \b
+ * true and the file is moved to its final location.
+ *
+ * \param Message The message block received from the fetch
+ * subprocess.
+ */
+ bool CheckDownloadDone(const std::string &Message,
+ const std::string &RealURI);
+
+ /** \brief Queue the downloaded Signature for verification */
+ void QueueForSignatureVerify(const std::string &MetaIndexFile,
+ const std::string &MetaIndexFileSignature);
+
+ /** \brief Called when authentication succeeded.
+ *
+ * Sanity-checks the authenticated file, queues up the individual
+ * index files for download, and saves the signature in the lists
+ * directory next to the authenticated list file.
+ *
+ * \param Message The message block received from the fetch
+ * subprocess.
+ */
+ bool AuthDone(std::string Message, const std::string &RealURI);
+
+ /** \brief Check that the release file is a release file for the
+ * correct distribution.
+ *
+ * \return \b true if no fatal errors were encountered.
+ */
+ bool VerifyVendor(std::string Message, const std::string &RealURI);
+
public:
// transaction code
void Add(Item *I);
@@ -496,35 +531,6 @@ class pkgAcqMetaIndex : public pkgAcqMetaBase
*/
std::string SigFile;
- /** \brief Check that the release file is a release file for the
- * correct distribution.
- *
- * \return \b true if no fatal errors were encountered.
- */
- bool VerifyVendor(std::string Message);
-
- /** \brief Called when a file is finished being retrieved.
- *
- * If the file was not downloaded to DestFile, a copy process is
- * set up to copy it to DestFile; otherwise, Complete is set to \b
- * true and the file is moved to its final location.
- *
- * \param Message The message block received from the fetch
- * subprocess.
- */
- void RetrievalDone(std::string Message);
-
- /** \brief Called when authentication succeeded.
- *
- * Sanity-checks the authenticated file, queues up the individual
- * index files for download, and saves the signature in the lists
- * directory next to the authenticated list file.
- *
- * \param Message The message block received from the fetch
- * subprocess.
- */
- void AuthDone(std::string Message);
-
std::string URIDesc;
std::string ShortDesc;
diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims
index 38dcd73fd..61b808b0f 100755
--- a/test/integration/test-apt-update-ims
+++ b/test/integration/test-apt-update-ims
@@ -30,6 +30,7 @@ runtest() {
testfailure ls "rootdir/var/lib/apt/lists/partial/*"
}
+msgmsg "InRelease"
EXPECT="Hit http://localhost:8080 unstable InRelease
Hit http://localhost:8080 unstable/main Sources
Hit http://localhost:8080 unstable/main amd64 Packages
@@ -42,14 +43,11 @@ runtest
echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex
runtest
-# FIXME: how can we get rid of this extra line
-# "Get:1 http://localhost:8080 unstable Release.gpg"
-#
+msgmsg "Release/Release.gpg"
# with Release/Release.gpg
EXPECT="Ign http://localhost:8080 unstable InRelease
Hit http://localhost:8080 unstable Release
Hit http://localhost:8080 unstable Release.gpg
-Get:1 http://localhost:8080 unstable Release.gpg
Hit http://localhost:8080 unstable/main Sources
Hit http://localhost:8080 unstable/main amd64 Packages
Hit http://localhost:8080 unstable/main Translation-en
@@ -62,3 +60,23 @@ runtest
echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex
runtest
+
+
+# no Release.gpg or InRelease
+msgmsg "Release only"
+EXPECT="Ign http://localhost:8080 unstable InRelease
+Hit http://localhost:8080 unstable Release
+Ign http://localhost:8080 unstable Release.gpg
+Hit http://localhost:8080 unstable/main Sources
+Hit http://localhost:8080 unstable/main amd64 Packages
+Hit http://localhost:8080 unstable/main Translation-en
+Reading package lists..."
+
+find aptarchive -name "Release.gpg" | xargs rm -f
+
+echo 'Acquire::AllowInsecureRepositories "1";' > rootdir/etc/apt/apt.conf.d/insecure.conf
+echo "Acquire::GzipIndexes "0";" > rootdir/etc/apt/apt.conf.d/02compressindex
+runtest
+
+echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex
+runtest