Continuation of last commit.
Changes:
error: failed to commit transaction (invalid or corrupted package (PGP signature))
To:
error: failed to commit transaction (package signature has missing or invalid PGP key)
If the user does not update their system for a while some of the package
keys may expire. Pacman gives this message:
error: simdjson: signature from "Bert Peters (packager key)
<bertptrs@archlinux.org>" is unknown trust
While this is technically true it masks the real issue of the key being
expired.
This commit changes that error message to:
error: simdjson: key "Bert Peters (packager key) <bertptrs@archlinux.org>" (38100C24376CD5F6ED4FF4B46918400C2703040C)
When the import key message was pushed to the pacman frontend, we no longer
displayed the length or algorithm used for the key, sticking to just the
user ID and the key ID.
Remove this code given this field is no longer used, and the code requires
updating for any now algorithm added.
Note: removal of the field from the alpm_pgpkey_t will happen in a separate
commit so that this commit can be readily backported.
Signed-off-by: Allan McRae <allan@archlinux.org>
The length_check function could underflow if the provided buffer index
is greater than the signature buffer length, leading to an out of
bounds read.
Signed-off-by: Allan McRae <allan@archlinux.org>
Avoid a segfault when a search of the keyserver returns that the
key is found but returns no primary IDs. We are then likely going
to fail the import, but attempt anyway because no-one know what
a keyserver will do!
Fixes FS#73534.
Signed-off-by: Allan McRae <allan@archlinux.org>
Looking up a key using WKD just ensures you have a key with the
same email address, it does not ensure that a key with the correct
fingerprint has been downloaded.
Check a key with the relevant fingerprint is available after a
WKD import.
When constructing an import question we never really used a proper gpg
key. We just zero initialize the key, set the uid and fingerprint, and
sent that to the front end.
Instead lets just give the import question a uid and fingerprint field.
Signed-off-by: Allan McRae <allan@archlinux.org>
Comit 5151de30 tried to fix leaking memory when importing a key. However
key_search_keyserver() writes to the key passed in, making the original
uid and fingerprint unreachable, causing the new uid and fingerprint to
double free.
Fixes FS#71107
Signed-off-by: Allan McRae <allan@archlinux.org>
Given RFC 4880 provides the code to do this calculation, I am not sure
how I managed to stuff that up! This bug was only exposed when a
signature made with "include-key-block" was added to the Arch repos,
which provided a subpacket with the required size to hit this issue.
Signed-off-by: Allan McRae <allan@archlinux.org>
The GOTO_ERR define was added in commit 80ae8014 for use in future commits.
There are plenty of places in the code base it can be used, so convert them.
Signed-off-by: Allan McRae <allan@archlinux.org>
This allows pacman to print the correct error message when checking keys
and libalpm has been compiled without gpgme support.
Signed-off-by: Allan McRae <allan@archlinux.org>
The dummy checksigs function never sets count to 0, leaving it
unitialized. This caused the siglist cleanup to try and free the empty
list.
Signed-off-by: Allan McRae <allan@archlinux.org>
With unknown uid pacman crashed. Return with error from email_from_uid()
if uid is NULL.
Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Allan McRae <allan@archlinux.org>
Currently pacman relies on the SKS keyserver network to fetch unknown
PGP keys. These keyservers are vulnerable to signature spamming attacks,
potentionally making it impossible to import the required keys. An
alternative to keyservers is a so-called Web Key Directory (WKD), a
well-known, trusted location on a server from where the keys can be
fetched.
This commit adds the ability to retrieve keys from a WKD. Due to the
mentioned vulnerabilities, the WKD is tried first, falling back to the
keyservers only if no appropriate key is found there.
In contrast to keyservers, keys in a WKD are not looked up using their
fingerprint, but by email address. Since the email address of the
signing key is usually not included in the signature, we will use the
packager email address to perform the lookup.
Also see FS#63171.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Ask the user whether they want to import a missing key before even doing
a search on the keyserver. This will be useful for getting Web Key
Directory support in place: for a WKD, looking up and importing a key
are a single action, so the current key_search -> QUESTION -> key_import
workflow does not apply.
Since only the ID of the package signing key is available before
key_search, we display the packager variable in addition to the key ID
for user convenience.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Many of these are pointless (e.g. there is no need to explicitly turn on
spellchecking and language dictionaries for the manpages by default).
The only useful modelines are the ones enforcing the project coding
standards for indentation style (and "maybe" filetype/syntax, but
everything except the asciidoc manpages and makepkg.conf is already
autodetected), and indent style can be applied more easily with
.editorconfig
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
RFC 4880 defines two packet formats for OpenPGP. Pacman aborted its key
in keyring check with an error message if it encountered the new format.
This was fine until some annoying Arch Trusted User generated a key
using the new format!
Implement the new format. This also required parsing the hashed sub
packets. requiring the parsing code to moved to its own function.
Signed-off-by: Allan McRae <allan@archlinux.org>
This is a rewrite of Tobias Stoeckmann’s patch from June 2016[1] using
functions instead of macros. (Thanks to Tobias for explanations of his patch.)
A short question on Freenode IRC showed that macros are generally discouraged
and functions should be used.
The patch introduces a static size_t length_check() in libalpm/signing.c.
[1] Original patch:
https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html
CVE request (and assignment):
http://seclists.org/oss-sec/2016/q2/526
Signed-off-by: Allan McRae <allan@archlinux.org>
This allows functions which return an _alpm_errno_t to always return a
genuine _alpm_errno_t for consistency, even in cases where there are
no errors. Since ALPM_ERR_OK = 0, their callers can still simply check
'err = some_fn(); if (!err) { ... }'.
Signed-off-by: Ivy Foster <ivy.foster@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
CHECK_ERR checks gpg_err which is a local variable. Calling
gpg_op_import_result cannot modify it.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Much like with events, instead of using a bunch of void* arguments for
all questions, we now send one pointer to an alpm_question_t union.
This contains the type of question that was triggered.
With this information, a question-specific struct can be accessed in
order to get additional arguments.
Signed-off-by: Olivier Brunel <jjk@jjacky.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Forcing vim users to view files with a tabstop of 2 seems really
unnecessary when noet is set. I find it much easier to read code with
ts=4 and I dislike having to override the modeline by hand.
Command run:
find . -type f -exec sed -i '/vim.* noet/s# ts=2 sw=2##' {} +
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Allan McRae <allan@archlinux.org>
The alpm_decode_signature function was made available for frontends to
display signature information, but this required libalpm to be build with
gpgme support. As that function did not require anything from gpgme,
have it build unconditionally.
Signed-off-by: Allan McRae <allan@archlinux.org>
