Continuation of last commit.
Changes:
error: failed to commit transaction (invalid or corrupted package (PGP signature))
To:
error: failed to commit transaction (package signature has missing or invalid PGP key)
If the user does not update their system for a while some of the package
keys may expire. Pacman gives this message:
error: simdjson: signature from "Bert Peters (packager key)
<bertptrs@archlinux.org>" is unknown trust
While this is technically true it masks the real issue of the key being
expired.
This commit changes that error message to:
error: simdjson: key "Bert Peters (packager key) <bertptrs@archlinux.org>" (38100C24376CD5F6ED4FF4B46918400C2703040C)
Fixes failure to finalize download path if the package file already
exists but the .sig file does not.
This patch also moves .sig.part files which should be done for
completeness although it's probably rare/inconsequential for them to
exist.
Hopefully this is now the right approach now. The logic is as follows:
Check if dest_name or temp_name exists and try to move whichever
does.
If neither exist assume we're just downloading sig files and don't
error.
Figure out the .sig base filename.
Try to move the .sig file if one was needed and if that fails try
move the .sig.part file.
The patch leaves the logging as is. Maybe we should check if moves fail
for reasons other than non existence and log it properly. Though this is
probably rare and pacman will error out later anyway.
Fixes#256
The file stream associated with downloads without a filename is not
being freed when downloading using the sandbox user.
Signed-off-by: Allan McRae <allan@archlinux.org>
Commit 7ccf316c provided "root" (or the user name for UID 0) as a
default download user. However, when DownloadUser is unset in pacman.conf,
pacman was overwriting the default with null. Rectify this.
Fixes#248
Signed-off-by: Allan McRae <allan@archlinux.org>
While the event is already globally initialised, initialising the fields
prevents a valgrind warning (since the gcc-15 update).
Signed-off-by: Allan McRae <allan@archlinux.org>
If sandboxuser is not set, pacman/libalpm does not handle moving
incomplete download files out of the temporary download directories
and into the cache. This leave download_XXXXXX directories in the
cache that cause warnings on -Sc operations.
Initialise the sandboxuser with the username of UID 0 (root on most
systems).
Fixes#209.
Signed-off-by: Allan McRae <allan@archlinux.org>
When the import key message was pushed to the pacman frontend, we no longer
displayed the length or algorithm used for the key, sticking to just the
user ID and the key ID.
Remove this code given this field is no longer used, and the code requires
updating for any now algorithm added.
Note: removal of the field from the alpm_pgpkey_t will happen in a separate
commit so that this commit can be readily backported.
Signed-off-by: Allan McRae <allan@archlinux.org>
For example, with landlock ABI < 3, LANDLOCK_ACCESS_FS_TRUNCATE is not
set in ruleset_attr.handled_access_fs, so it should not be set in
path_beneath.allowed_access either. Otherwise, landlock_add_rule fails
with -EINVAL, and pacman complains:
> error: restricting filesystem access failed because the landlock rule for the temporary download directory could not be added!
The change is tested on Debian Bookworm kernel
linux-image-6.1.0-25-cloud-amd64 6.1.106-3.
Some libaplm utilities sync databases as a non-root user for use in
actvities other than system updates. The ability to download as a
non-root user was broken as part of the download sandboxing.
Applying a minimial fix by preventing the chown of the downloaded file
if the user is non-root. A larger change increasing the robustness
and error checking of this path is warranted in the future.
Signed-off-by: Allan McRae <allan@archlinux.org>
Sorting modifies the list in place, causing any existing pointers to the
list to point to a random element.
Fixes#165
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
If a package was already downloaded but its signature file was not,
pacman would download the signature then error out despite all files
being present.
Also fixes a similar error when some, but not all, package databases
were updated with -Sy.
Fixes#156
Signed-off-by: Allan McRae <allan@archlinux.org>
The calculation used the size of the package rather than the amount
remaining to download for partially downloaded packages.
Signed-off-by: Allan McRae <allan@archlinux.org>
Bailing early when there are 0 blocks remaining means that we do not call
memchr on a NULL string (although with a 0 size parameter). Fixes issues
reported using -fsanitise=address,undefined
Signed-off-by: Allan McRae <allan@archlinux.org>
The dir_is_mountpoint() function has the explicit requirement that the
trailing slash of the directory is present. We strip the trailing slash
in unlink_file() to handle directories replaced with symlinks, but that
then affects the dir_is_mountpoint() check.
Add the trailing slash when we have established we are dealing with a
directory. Note this may fail in the case of a file managed by pacmane
with name length of PATH_MAX that has been replaced by a directory on the
file system. Bail on this unlikely scenario.
In addtion, be less fancy with adjusting length of the file char array.
Signed-off-by: Allan McRae <allan@archlinux.org>
A filelist can be non-NULL but empty (particularly with a lot of
NoExtract entries). Handle this in alpm_filelist_contains()
Identified using the undefined behaviour sanitizer.
Signed-off-by: Allan McRae <allan@archlinux.org>
Filling in more of the payload fields before passing to the downloader ensures
that the these fields do not get lost during sandboxed operations.
It also fixes the use of -U with XferCommand, but testsuite still fails due to
"404" page being downloaded for the signature. Given we can not identify this
as being a non-signature download with the XferCommand, we can just turn off
signature checking in this test.
Signed-off-by: Allan McRae <allan@archlinux.org>
