From 2d3fe9cfadb33556b7563a98bb5a4698888e6c40 Mon Sep 17 00:00:00 2001
From: David Kalnischkies <kalnischkies@gmail.com>
Date: Fri, 15 Mar 2013 18:53:53 +0100
Subject:   - if ExecGPGV deals with a clear-signed file it will split this
 file     into data and signatures, pass it to gpgv for verification and    
 recombines it after that in a known-good way without unsigned blocks     and
 whitespaces resulting usually in more or less the same file as     before,
 but later code can be sure about the format * apt-pkg/deb/debmetaindex.cc:  
 - reenable InRelease by default

---
 apt-pkg/deb/debmetaindex.cc | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

(limited to 'apt-pkg/deb')

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 6c191fd95..7a88d71e3 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -229,6 +229,8 @@ vector <struct IndexTarget *>* debReleaseIndex::ComputeIndexTargets() const {
 									/*}}}*/
 bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
 {
+   bool const tryInRelease = _config->FindB("Acquire::TryInRelease", true);
+
    // special case for --print-uris
    if (GetAll) {
       vector <struct IndexTarget *> *targets = ComputeIndexTargets();
@@ -239,18 +241,27 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const
 
       // this is normally created in pkgAcqMetaSig, but if we run
       // in --print-uris mode, we add it here
-      new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
-			  MetaIndexInfo("Release"), "Release",
-			  MetaIndexURI("Release.gpg"),
-			  ComputeIndexTargets(),
-			  new indexRecords (Dist));
+      if (tryInRelease == false)
+	 new pkgAcqMetaIndex(Owner, MetaIndexURI("Release"),
+	       MetaIndexInfo("Release"), "Release",
+	       MetaIndexURI("Release.gpg"),
+	       ComputeIndexTargets(),
+	       new indexRecords (Dist));
    }
 
-   new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
-		     MetaIndexInfo("Release.gpg"), "Release.gpg",
-		     MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
-		     ComputeIndexTargets(),
-		     new indexRecords (Dist));
+   if (tryInRelease == true)
+      new pkgAcqMetaClearSig(Owner, MetaIndexURI("InRelease"),
+	    MetaIndexInfo("InRelease"), "InRelease",
+	    MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+	    MetaIndexURI("Release.gpg"), MetaIndexInfo("Release.gpg"), "Release.gpg",
+	    ComputeIndexTargets(),
+	    new indexRecords (Dist));
+   else
+      new pkgAcqMetaSig(Owner, MetaIndexURI("Release.gpg"),
+	    MetaIndexInfo("Release.gpg"), "Release.gpg",
+	    MetaIndexURI("Release"), MetaIndexInfo("Release"), "Release",
+	    ComputeIndexTargets(),
+	    new indexRecords (Dist));
 
    return true;
 }
-- 
cgit v1.2.3


From 233b78083f6f79730fcb5a6faeb74e2a78b6038a Mon Sep 17 00:00:00 2001
From: David Kalnischkies <kalnischkies@gmail.com>
Date: Mon, 18 Mar 2013 22:57:08 +0100
Subject: * apt-pkg/deb/debindexfile.cc,   apt-pkg/deb/deblistparser.cc:   -
 use OpenMaybeClearSignedFile to be free from detecting and     skipping
 clearsigning metadata in dsc and Release files

We can't write a "clean" file to disk as not all acquire methods copy
Release files before checking them (e.g. cdrom), so this reverts recombining,
but uses the method we use for dsc files also in the two places we
deal with Release files
---
 apt-pkg/deb/debindexfile.cc  |  8 +++++++-
 apt-pkg/deb/deblistparser.cc | 12 +-----------
 2 files changed, 8 insertions(+), 12 deletions(-)

(limited to 'apt-pkg/deb')

diff --git a/apt-pkg/deb/debindexfile.cc b/apt-pkg/deb/debindexfile.cc
index de645bb6e..909dfcf47 100644
--- a/apt-pkg/deb/debindexfile.cc
+++ b/apt-pkg/deb/debindexfile.cc
@@ -22,6 +22,7 @@
 #include <apt-pkg/strutl.h>
 #include <apt-pkg/acquire-item.h>
 #include <apt-pkg/debmetaindex.h>
+#include <apt-pkg/gpgv.h>
 
 #include <sys/stat.h>
 									/*}}}*/
@@ -337,7 +338,12 @@ bool debPackagesIndex::Merge(pkgCacheGenerator &Gen,OpProgress *Prog) const
 
    if (releaseExists == true || FileExists(ReleaseFile) == true)
    {
-      FileFd Rel(ReleaseFile,FileFd::ReadOnly);
+      FileFd Rel;
+      // Beware: The 'Release' file might be clearsigned in case the
+      // signature for an 'InRelease' file couldn't be checked
+      if (OpenMaybeClearSignedFile(ReleaseFile, Rel) == false)
+	 return false;
+
       if (_error->PendingError() == true)
 	 return false;
       Parser.LoadReleaseInfo(File,Rel,Section);
diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index b84bd6fdd..2c014a734 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -800,13 +800,12 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI,
    map_ptrloc const storage = WriteUniqString(component);
    FileI->Component = storage;
 
-   // FIXME: Code depends on the fact that Release files aren't compressed
+   // FIXME: should use FileFd and TagSection
    FILE* release = fdopen(dup(File.Fd()), "r");
    if (release == NULL)
       return false;
 
    char buffer[101];
-   bool gpgClose = false;
    while (fgets(buffer, sizeof(buffer), release) != NULL)
    {
       size_t len = 0;
@@ -818,15 +817,6 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI,
       if (buffer[len] == '\0')
 	 continue;
 
-      // only evalute the first GPG section
-      if (strncmp("-----", buffer, 5) == 0)
-      {
-	 if (gpgClose == true)
-	    break;
-	 gpgClose = true;
-	 continue;
-      }
-
       // seperate the tag from the data
       const char* dataStart = strchr(buffer + len, ':');
       if (dataStart == NULL)
-- 
cgit v1.2.3