From 71f02a3eb65b2996957faf81c2e54196a35f3c59 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 10 Feb 2017 10:34:21 +0100 Subject: [PATCH] libopkg: add support for signature checking through usign Adds a new configure switch "--enable-usign" which enables code to perform package feed signature checking using an external "/usr/sbin/opkg-key" helper program. Signed-off-by: Jo-Philipp Wich --- configure.ac | 9 +++++++++ libopkg/opkg.c | 2 +- libopkg/opkg_cmd.c | 2 +- libopkg/opkg_download.c | 24 +++++++++++++++++++++++- libopkg/opkg_install.c | 2 +- 5 files changed, 35 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 996bf6a..967a4d5 100644 --- a/configure.ac +++ b/configure.ac @@ -169,6 +169,15 @@ if test "x$want_gpgme" = "xyes"; then fi fi +AC_ARG_ENABLE(usign, + AC_HELP_STRING([--enable-usign], [Enable signature checking with usign + [[default=yes]] ]), + [want_usign="$enableval"], [want_usign="yes"]) + +if test "x$want_usign" = "xyes"; then + AC_DEFINE(HAVE_USIGN, 1, [Define if you want usign support]) +fi + AC_SUBST(GPGME_CFLAGS) AC_SUBST(GPGME_LIBS) diff --git a/libopkg/opkg.c b/libopkg/opkg.c index dbb82fb..dbb904a 100644 --- a/libopkg/opkg.c +++ b/libopkg/opkg.c @@ -599,7 +599,7 @@ opkg_update_package_lists(opkg_progress_callback_t progress_callback, } free(url); -#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) +#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) || defined(HAVE_USIGN) if (conf->check_signature) { char *sig_file_name; /* download detached signitures to verify the package lists */ diff --git a/libopkg/opkg_cmd.c b/libopkg/opkg_cmd.c index d1e91cb..c30e34d 100644 --- a/libopkg/opkg_cmd.c +++ b/libopkg/opkg_cmd.c 
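Review bot: In the configure.ac hunk the new switch defaults to on (`[want_usign="yes"]`), and in libopkg/opkg_download.c the `#if defined HAVE_USIGN` branch is tested before `#elif defined HAVE_GPGME`, so a build that was configured for gpgme would silently have its package-list verification replaced by the external helper. Either default the switch to off, `[want_usign="$enableval"], [want_usign="no"])`, or reject the combination at configure time with an `AC_MSG_ERROR` when both `want_gpgme` and `want_usign` are `yes`. Where the OpenSSL branch sits in that `#if` chain is not visible in this patch, so the same question should be checked for it.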
@@ -169,7 +169,7 @@ opkg_update_cmd(int argc, char **argv) list_file_name); } free(url); -#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) +#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) || defined(HAVE_USIGN) if (conf->check_signature) { /* download detached signitures to verify the package lists */ /* get the url for the sig file */ diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index 4a8b2a2..97e1a84 100644 --- a/libopkg/opkg_download.c +++ b/libopkg/opkg_download.c @@ -19,6 +19,7 @@ #include "config.h" +#include #include #include #include @@ -342,7 +343,28 @@ opkg_prepare_url_for_install(const char *url, char **namep) int opkg_verify_file (char *text_file, char *sig_file) { -#if defined HAVE_GPGME +#if defined HAVE_USIGN + int status = -1; + int pid; + + if (conf->check_signature == 0 ) + return 0; + + pid = fork(); + if (pid < 0) + return -1; + + if (!pid) { + execl("/usr/sbin/opkg-key", "opkg-key", "verify", sig_file, text_file, NULL); + exit(255); + } + + waitpid(pid, &status, 0); + if (!WIFEXITED(status) || WEXITSTATUS(status)) + return -1; + + return 0; +#elif defined HAVE_GPGME if (conf->check_signature == 0 ) return 0; int status = -1; diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c index 1b6866c..7e0e17e 100644 --- a/libopkg/opkg_install.c +++ b/libopkg/opkg_install.c @@ -1288,7 +1288,7 @@ opkg_install_pkg(pkg_t *pkg, int from_upgrade) } /* check that the repository is valid */ - #if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) + #if defined(HAVE_GPGME) || defined(HAVE_OPENSSL) || defined(HAVE_USIGN) char *list_file_name, *sig_file_name, *lists_dir; /* check to ensure the package has come from a repository */ -- 2.25.1
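Review bot: In the HAVE_USIGN branch of opkg_verify_file() in libopkg/opkg_download.c, the forked child calls `exit(255)` when execl() fails, which runs the host program's atexit handlers and flushes inherited stdio buffers a second time in the child; `_exit(255);` avoids that. The return value of `waitpid(pid, &status, 0)` is ignored, so an interrupted wait leaves `status` at its initial -1; that appears to fail closed, but it reports a good list as unverified, and a retry such as `while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) return -1;` would be more robust (whether `<errno.h>` is already included is not visible here). `pid` should be declared `pid_t`, and the execl() terminator should be written `(char *)NULL`. A missing or failing `/usr/sbin/opkg-key` is treated as a verification failure, which is the right default and worth a one-line comment above the fork, e.g. `/* any exec failure or non-zero exit from the helper means "not verified" */`. The function continues past this hunk with the HAVE_GPGME branch.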