From 1b7d1234cd22bb0fd2677d54dc670a6d2c6f8089 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 2 Mar 2015 20:24:11 +0100
Subject: [PATCH] import: add support for gpg2 for verifying imported images
gpg2 insists on creating a trust db even if we turn off all trust db
support. Hence create a temporary home where the trust db is placed, and
remove it after use.
Cherry-picked from: 0acfdffe9417b4218e97b6d981c99a1a85e633c9
Resolves: #1284974
---
src/import/import-common.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/import/import-common.c b/src/import/import-common.c
index 2acf380f9..f10a453ee 100644
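--- a/src/import/import-common.c
+++ b/src/import/import-common.c
@@ -281,8 +281,9 @@ int import_verify(
 _cleanup_free_ char *fn = NULL;
 _cleanup_close_ int sig_file = -1;
 const char *p, *line;
- char sig_file_path[] = "/tmp/sigXXXXXX";
+ char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX";
 _cleanup_sigkill_wait_ pid_t pid = 0;
+ bool gpg_home_created = false;
 int r;
 
 assert(main_job);
@@ -347,6 +348,13 @@ int import_verify(
 goto finish;
 }
 
+ if (!mkdtemp(gpg_home)) {
+ r = log_error_errno(errno, "Failed to create tempory home for gpg: %m");
+ goto finish;
+ }
+
+ gpg_home_created = true;
+
 pid = fork();
 if (pid < 0)
 return log_error_errno(errno, "Failed to fork off gpg: %m");
@@ -359,13 +367,14 @@ int import_verify(
 "--no-auto-check-trustdb",
 "--batch",
 "--trust-model=always",
- NULL, /* keyring to use */
+ NULL, /* --homedir= */
+ NULL, /* --keyring= */
 NULL, /* --verify */
 NULL, /* signature file */
 NULL, /* dash */
 NULL /* trailing NULL */
 };
- unsigned k = ELEMENTSOF(cmd) - 5;
+ unsigned k = ELEMENTSOF(cmd) - 6;
 int null_fd;
 
 /* Child */
@@ -398,6 +407,8 @@ int import_verify(
 if (null_fd != STDOUT_FILENO)
 null_fd = safe_close(null_fd);
 
+ cmd[k++] = strjoina("--homedir=", gpg_home);
+
 /* We add the user keyring only to the command line
 * arguments, if it's around since gpg fails
 * otherwise. */
@@ -415,6 +426,7 @@ int import_verify(
 fd_cloexec(STDOUT_FILENO, false);
 fd_cloexec(STDERR_FILENO, false);
 
+ execvp("gpg2", (char * const *) cmd);
 execvp("gpg", (char * const *) cmd);
 log_error_errno(errno, "Failed to execute gpg: %m");
 _exit(EXIT_FAILURE);
@@ -446,6 +458,9 @@ finish:
 if (sig_file >= 0)
 unlink(sig_file_path);
 
+ if (gpg_home_created)
+ rm_rf_dangerous(gpg_home, false, true, false);
+
 return r;
 }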
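Review bot: The fork() failure path in the second hunk still does `return log_error_errno(errno, "Failed to fork off gpg: %m");`, which now runs after `gpg_home_created = true` and therefore skips the `finish:` cleanup, leaving the new /tmp/gpghomeXXXXXX directory (and the signature temp file) behind on every failed fork. Routing it through the label, `if (pid < 0) { r = log_error_errno(errno, "Failed to fork off gpg: %m"); goto finish; }`, keeps the temporary home from accumulating in /tmp. import_verify starts and ends outside these hunks, so this assumes nothing between the `finish:` label and the visible cleanup requires a live child; that should be confirmed against the full function. Separately, the new log string reads "tempory" where "temporary" is meant.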