From 0854ad8b8016d0132741a267492d72cfa0d3bd8e Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Thu, 21 Jun 2012 12:32:56 +0200
Subject: check when finished downloading the InRelease file if it has the expected gpg clearsign signature and if not download Release/Release.gpg instead

---
 apt-pkg/acquire-item.cc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'apt-pkg/acquire-item.cc')

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index a30e98858..9723cddac 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1235,9 +1235,17 @@ void pkgAcqMetaIndex::Done(string Message,unsigned long long Size,string Hash, /
 }
 else
 {
+ // if we expect a ClearTextSignature (InRelase), ensure that
+ // this is what we get and if not fail to queue a
+ // Release/Release.gpg, see #346386
+ if (SigFile == DestFile && !IsPgpClearTextSignature(DestFile))
+ {
+ Failed(Message, Cfg);
+ return;
+ }
+
 // There was a signature file, so pass it to gpgv for
 // verification
-
 if (_config->FindB("Debug::pkgAcquire::Auth", false))
 std::cerr << "Metaindex acquired, queueing gpg verification ("
 << SigFile << "," << DestFile << ")\n";
-- 
cgit v1.2.3
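Review bot: The new early return in pkgAcqMetaIndex::Done rejects the file silently: when `IsPgpClearTextSignature(DestFile)` is false it calls `Failed(Message, Cfg)` with the method's success Message, so nothing records why the InRelease was rejected and the fallback to Release/Release.gpg is indistinguishable from an ordinary fetch failure, even with the Debug::pkgAcquire::Auth output that the hunk keeps a few lines below. A debug line guarded the same way as the existing one, placed before the `Failed` call, e.g. `if (_config->FindB("Debug::pkgAcquire::Auth", false)) std::cerr << "InRelease is not a PGP clearsigned file, falling back to Release/Release.gpg (" << DestFile << ")\n";`, would make a tampered or intercepted InRelease visible when diagnosing a mirror. The added comment misspells the file name (`InRelase` should read `InRelease`), and since the condition uses `SigFile == DestFile` as the sign that this item is the clearsigned InRelease rather than a separate Release/Release.gpg pair, that invariant deserves a sentence in the comment because the guard depends on it. Whether `Failed` removes the rejected DestFile and requeues the unsigned pair appears to depend on the override in the clearsign subclass, which is outside this hunk, and Done's body both starts and ends outside the hunk.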