Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

status: Pass correct remote name when verifying #3131

Merged
merged 2 commits into from
Jan 5, 2024
Merged

status: Pass correct remote name when verifying #3131

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
24bf5b7
status: Pass correct remote name when verifying
cgwalters Jan 4, 2024
e95109b
status: Add an option to skip signature verification
cgwalters Jan 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
67 changes: 21 additions & 46 deletions src/ostree/ot-admin-builtin-status.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,39 +29,14 @@
#include <glib/gi18n.h>

static gboolean opt_verify;

static GOptionEntry options[] = { { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify,
"Print the commit verification status", NULL },
{ NULL } };

#ifndef OSTREE_DISABLE_GPGME
static gboolean
deployment_get_gpg_verify (OstreeDeployment *deployment, OstreeRepo *repo)
{
/* XXX Something like this could be added to the OstreeDeployment
* API in libostree if the OstreeRepo parameter is acceptable. */
GKeyFile *origin = ostree_deployment_get_origin (deployment);

if (origin == NULL)
return FALSE;

g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);

if (refspec == NULL)
return FALSE;

g_autofree char *remote = NULL;
if (!ostree_parse_refspec (refspec, &remote, NULL, NULL))
return FALSE;

gboolean gpg_verify = FALSE;
if (remote)
(void)ostree_repo_remote_get_gpg_verify (repo, remote, &gpg_verify, NULL);

return gpg_verify;
}
#endif /* OSTREE_DISABLE_GPGME */

static gboolean opt_skip_signatures;

static GOptionEntry options[]
= { { "verify", 'V', 0, G_OPTION_ARG_NONE, &opt_verify, "Print the commit verification status",
NULL },
{ "skip-signatures", 'S', 0, G_OPTION_ARG_NONE, &opt_skip_signatures,
"Print the commit verification status", NULL },
{ NULL } };
static gboolean
deployment_print_status (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeployment *deployment,
gboolean is_booted, gboolean is_pending, gboolean is_rollback,
Expand Down Expand Up @@ -95,6 +70,8 @@ deployment_print_status (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploym
}

GKeyFile *origin = ostree_deployment_get_origin (deployment);
g_autofree char *origin_refspec
= origin ? g_key_file_get_string (origin, "origin", "refspec", NULL) : NULL;

const char *deployment_status = "";
if (ostree_deployment_is_finalization_locked (deployment))
Expand Down Expand Up @@ -127,7 +104,6 @@ deployment_print_status (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploym
g_print (" origin: none\n");
else
{
g_autofree char *origin_refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);
if (!origin_refspec)
g_print (" origin: <unknown origin type>\n");
else
Expand All @@ -137,15 +113,22 @@ deployment_print_status (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploym
}

#ifndef OSTREE_DISABLE_GPGME
if (!opt_verify && deployment_get_gpg_verify (deployment, repo))
g_autofree char *remote = NULL;
if (origin_refspec && !ostree_parse_refspec (origin_refspec, &remote, NULL, NULL))
return FALSE;

gboolean gpg_verify = FALSE;
if (remote)
(void)ostree_repo_remote_get_gpg_verify (repo, remote, &gpg_verify, NULL);
if (!opt_skip_signatures && !opt_verify && gpg_verify)
{
g_assert (remote);
g_autoptr (GString) output_buffer = g_string_sized_new (256);
/* Print any digital signatures on this commit. */

const char *osname = ostree_deployment_get_osname (deployment);
g_autoptr (GError) local_error = NULL;
g_autoptr (OstreeGpgVerifyResult) result
= ostree_repo_verify_commit_for_remote (repo, ref, osname, cancellable, &local_error);
= ostree_repo_verify_commit_for_remote (repo, ref, remote, cancellable, &local_error);

/* G_IO_ERROR_NOT_FOUND just means the commit is not signed. */
if (g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
Expand Down Expand Up @@ -174,16 +157,8 @@ deployment_print_status (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploym
{
if (!commit)
return glnx_throw (error, "Cannot verify, failed to load commit");

if (origin == NULL)
return glnx_throw (error, "Cannot verify deployment with no origin");

g_autofree char *refspec = g_key_file_get_string (origin, "origin", "refspec", NULL);
if (refspec == NULL)
if (origin_refspec == NULL)
return glnx_throw (error, "No origin/refspec, cannot verify");
g_autofree char *remote = NULL;
if (!ostree_parse_refspec (refspec, &remote, NULL, NULL))
return FALSE;
if (remote == NULL)
return glnx_throw (error, "Cannot verify deployment without remote");

Expand Down