Use gpgv for signature verification in cargo
Parsing gpg output for signature verification is not recommended,
as it can break easily (and doesn't work with i18n).
This patch makes use of gpgv, as suggested by gpg authors:
http://lists.gnupg.org/pipermail/gnupg-users/2004-August/023141.html
This closes #3762.

Signed-off-by: Luca Bruno <lucab@debian.org>
lucab committed Oct 14, 2012
1 parent 07edf90 commit 01aaeef
Showing 2 changed files with 29 additions and 31 deletions.
37 changes: 18 additions & 19 deletions src/cargo/cargo.rs
@@ -1162,20 +1162,20 @@ fn sync_one_file(c: &Cargo, dir: &Path, src: @Source) -> bool {
}
match (src.key, src.keyfp) {
(Some(_), Some(f)) => {
let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);

if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}

if has_src_file {
let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);

if !e {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}
}
@@ -1273,21 +1273,21 @@ fn sync_one_git(c: &Cargo, dir: &Path, src: @Source) -> bool {
}
match (src.key, src.keyfp) {
(Some(_), Some(f)) => {
let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);

if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
rollback(name, dir, false);
return false;
}

if has_src_file {
let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);

if !e {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
rollback(name, dir, false);
return false;
}
@@ -1370,11 +1370,11 @@ fn sync_one_curl(c: &Cargo, dir: &Path, src: @Source) -> bool {
return false;
}

let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);

if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}

@@ -1390,11 +1390,11 @@ fn sync_one_curl(c: &Cargo, dir: &Path, src: @Source) -> bool {
return false;
}

let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);

if !e {
error(~"signature verification failed for " +
~"source " + name);
~"source " + name + ~" with key " + f);
return false;
}
}
@@ -1463,8 +1463,7 @@ fn cmd_init(c: &Cargo) {
return;
}

let r = pgp::verify(&c.root, &srcfile, &sigfile,
pgp::signing_key_fp());
let r = pgp::verify(&c.root, &srcfile, &sigfile);
if !r {
error(fmt!("signature verification failed for '%s'",
srcfile.to_str()));
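Review bot: The new messages say verification failed "with key %s", but `f` is no longer passed to `pgp::verify` in any of the calls in sync_one_file, sync_one_git and sync_one_curl, so the fingerprint printed is the one the source declares, not one that was tested. Someone reading this log during triage could take it for the key that gpgv rejected. Wording such as `error(fmt!("signature verification failed for source %s (declared key %s)", name, f));` states only what is known at the call site. The same applies to cmd_init, where `pgp::signing_key_fp()` is dropped from the call, so the check there no longer names the built-in signing key. All four functions extend beyond the visible hunks.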
23 changes: 11 additions & 12 deletions src/cargo/pgp.rs
@@ -1,5 +1,5 @@
fn gpg(args: ~[~str]) -> { status: int, out: ~str, err: ~str } {
return run::program_output(~"gpg", args);
fn gpgv(args: ~[~str]) -> { status: int, out: ~str, err: ~str } {
return run::program_output(~"gpgv", args);
}

fn signing_key() -> ~str {
@@ -59,7 +59,7 @@ fn signing_key_fp() -> ~str {
}

fn supported() -> bool {
let r = gpg(~[~"--version"]);
let r = gpgv(~[~"--version"]);
r.status == 0
}

@@ -88,15 +88,14 @@ fn add(root: &Path, key: &Path) {
}
}
fn verify(root: &Path, data: &Path, sig: &Path, keyfp: ~str) -> bool {
fn verify(root: &Path, data: &Path, sig: &Path) -> bool {
let path = root.push("gpg");
let p = gpg(~[~"--homedir", path.to_str(),
~"--with-fingerprint",
~"--verify", sig.to_str(),
data.to_str()]);
let res = ~"Primary key fingerprint: " + keyfp;
for str::split_char_each(p.err, '\n') |line| {
if line == res { return true; }
let res = gpgv(~[~"--homedir", path.to_str(),
~"--keyring", ~"pubring.gpg",
~"--verbose",
sig.to_str(), data.to_str()]);
if res.status != 0 {
return false;
}
return false;
return true;
}
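Review bot: `verify` now returns true whenever gpgv exits 0, which means a good signature from any key in `pubring.gpg`. The removed code required the primary key fingerprint to equal `keyfp`, so a source's pinned key is no longer enforced, and a key imported for one source would presumably be accepted for every other source and for the sources file checked in cmd_init. The pin can be kept without parsing localized text: keep the `keyfp` parameter, pass `~"--status-fd", ~"1",` and require, in addition to `res.status == 0`, a `VALIDSIG` line in `res.out` that carries the expected fingerprint. `keyfp` appears to be stored in gpg's spaced display form, so it would need its spaces stripped before the comparison. `~"--verbose"` can be dropped, since neither `res.out` nor `res.err` is read.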
