authorBryan Drewery <bdrewery@FreeBSD.org>2013-10-26 03:47:49 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2013-10-26 03:47:49 +0000
commit52cb76fe60a75d14dd5aef983a2740c251d07e5d (patch)
treefb6eb7f8cd448d1f50890260ca4415c816d3b7fd /usr.sbin/pkg
parent516aaf7cf80ff755345e2523cf02dff5013e3489 (diff)
Add support to check the signature of a local pkg.txz file being
added with "pkg add". If pkg.conf is configured to check for a signature, then the pkg.txz.sig file will be expected and validated per r257147.

Approved by:	bapt
MFC after:	2 days
Notes
Notes: svn path=/head/; revision=257149
Diffstat (limited to 'usr.sbin/pkg')
-rw-r--r--usr.sbin/pkg/pkg.c59
1 files changed, 47 insertions, 12 deletions
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
index c1ffa8f72715..30855bc739ac 100644
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -135,7 +135,7 @@ cleanup:
}
static int
-install_pkg_static(char *path, char *pkgpath)
+install_pkg_static(const char *path, const char *pkgpath)
{
int pstat;
pid_t pid;
@@ -864,13 +864,54 @@ pkg_query_yes_no(void)
return (ret);
}
+static int
+bootstrap_pkg_local(const char *pkgpath)
+{
+ char path[MAXPATHLEN];
+ char pkgstatic[MAXPATHLEN];
+ const char *signature_type;
+ int fd_pkg, fd_sig, ret;
+
+ fd_sig = -1;
+ ret = -1;
+
+ fd_pkg = open(pkgpath, O_RDONLY);
+ if (fd_pkg == -1)
+ err(EXIT_FAILURE, "Unable to open %s", pkgpath);
+
+ if (config_string(SIGNATURE_TYPE, &signature_type) != 0) {
+ warnx("Error looking up SIGNATURE_TYPE");
+ return (-1);
+ }
+ if (signature_type != NULL &&
+ strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+ snprintf(path, sizeof(path), "%s.sig", pkgpath);
+
+ if ((fd_sig = open(path, O_RDONLY)) == -1) {
+ fprintf(stderr, "Signature for pkg not available.\n");
+ goto cleanup;
+ }
+
+ if (verify_signature(fd_pkg, fd_sig) == false)
+ goto cleanup;
+ }
+
+ if ((ret = extract_pkg_static(fd_pkg, pkgstatic, MAXPATHLEN)) == 0)
+ ret = install_pkg_static(pkgstatic, pkgpath);
+
+cleanup:
+ close(fd_pkg);
+ if (fd_sig != -1)
+ close(fd_sig);
+
+ return (ret);
+}
+
int
main(__unused int argc, char *argv[])
{
char pkgpath[MAXPATHLEN];
- char pkgstatic[MAXPATHLEN];
bool yes = false;
- int fd, ret;
snprintf(pkgpath, MAXPATHLEN, "%s/sbin/pkg",
getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
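Review bot: In bootstrap_pkg_local the package descriptor is opened before the SIGNATURE_TYPE lookup, so the early `return (-1);` after `warnx("Error looking up SIGNATURE_TYPE");` leaks fd_pkg; since ret is already -1 at that point, `goto cleanup;` there (or calling config_string() ahead of open()) closes it on that path as well. On the same block, verification runs only when SIGNATURE_TYPE is exactly "FINGERPRINTS", so any other non-NULL value (a misspelling in pkg.conf, say) installs the package without ever looking for the .sig file; a `warnx()` naming the unrecognized value would make that fail-open path visible to the operator. Whether extract_pkg_static() rewinds fd_pkg after verify_signature() has read through it is not visible in this hunk, and extraction would start at end-of-file if neither side does an lseek() back to offset 0. The err() on a failed open() terminates the process directly while every other failure hands -1 back to main(), which deserves a one-line comment if that asymmetry is intended.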
@@ -884,16 +925,11 @@ main(__unused int argc, char *argv[])
if (argv[1] != NULL && strcmp(argv[1], "-N") == 0)
errx(EXIT_FAILURE, "pkg is not installed");
+ config_init();
+
if (argc > 2 && strcmp(argv[1], "add") == 0 &&
access(argv[2], R_OK) == 0) {
- fd = open(argv[2], O_RDONLY);
- if (fd == -1)
- err(EXIT_FAILURE, "Unable to open %s", argv[2]);
-
- if ((ret = extract_pkg_static(fd, pkgstatic, MAXPATHLEN)) == 0)
- ret = install_pkg_static(pkgstatic, argv[2]);
- close(fd);
- if (ret != 0)
+ if (bootstrap_pkg_local(argv[2]) != 0)
exit(EXIT_FAILURE);
exit(EXIT_SUCCESS);
}
@@ -902,7 +938,6 @@ main(__unused int argc, char *argv[])
* not tty. Check the environment to see if user has answer
* tucked in there already.
*/
- config_init();
config_bool(ASSUME_ALWAYS_YES, &yes);
if (!yes) {
printf("%s", confirmation_message);