HardenedBSD Package Manager
Add new option for force all the repositories to be signed (default off for now)
Baptiste Daroussin committed 14 years ago
commit b68cafd56509b65f9ff913a33f64607c3845f549
parent b267e6318fd61532b076cc92967fd24791f2a659
4 files changed +20 -1
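--- a/libpkg/pkg.h
+++ b/libpkg/pkg.h
@@ -238,7 +238,8 @@ typedef enum _pkg_config_key {
 	PKG_CONFIG_PLIST_KEYWORDS_DIR = 9,
 	PKG_CONFIG_SYSLOG = 10,
 	PKG_CONFIG_SHLIBS = 11,
-	PKG_CONFIG_AUTODEPS = 12
+	PKG_CONFIG_AUTODEPS = 12,
+	PKG_CONFIG_SIGNED_REPOS = 13
 } pkg_config_key;
 
 typedef enum {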
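--- a/libpkg/pkg_config.c
+++ b/libpkg/pkg_config.c
@@ -137,6 +137,12 @@ static struct config_entry c[] = {
 		"AUTODEPS",
 		"NO",
 		{ NULL }
+	},
+	[PKG_CONFIG_SIGNED_REPOS] = {
+		BOOL,
+		"SIGNED_REPOS",
+		"NO",
+		{ NULL }
 	}
 };
 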
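--- a/pkg/pkg.conf.5
+++ b/pkg/pkg.conf.5
@@ -99,6 +99,8 @@ Analyse elf and track all shared libraries needed by the packages. default: off
 .It Cm AUTODEPS(boolean)
 Analyse the elf to add dependencies (share libraries) that may have been
 forgotten by the maintainer. default: off
+.It Cm SIGNED_REPOS(boolean)
+All the remote repositories should be signed. default: off
 .El
 .Sh ENVIRONMENT
 An environment variable with the same name as the option in the configuration 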
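--- a/pkg/update.c
+++ b/pkg/update.c
@@ -60,7 +60,9 @@ update_from_remote_repo(const char *name, const char *url)
 	unsigned char *sig = NULL;
 	int siglen = 0;
 	int rc = EPKG_OK;
+	bool alwayssigned = false;;
 
+	pkg_config_bool(PKG_CONFIG_SIGNED_REPOS, &alwayssigned);
 	(void)strlcpy(tmp, "/tmp/repo.txz.XXXXXX", sizeof(tmp));
 	if (mktemp(tmp) == NULL) {
 		warnx("Could not create temporary file %s, aborting update.\n", tmp);
@@ -108,6 +110,14 @@ update_from_remote_repo(const char *name, const char *url)
 			rc = EPKG_FATAL;
 			goto cleanup;
 		}
+	} else {
+		if (alwayssigned) {
+			warnx("No signature found in the repository, this is mandatory");
+			rc = EPKG_FATAL;
+			unlink(repofile_unchecked);
+			goto cleanup;
+		}
+
 	}
 
 	rename(repofile_unchecked, repofile);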
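Review bot: The result of `pkg_config_bool(PKG_CONFIG_SIGNED_REPOS, &alwayssigned);` in the first hunk is discarded, so if the lookup fails `alwayssigned` keeps its `false` initializer and the new mandatory-signature branch in the second hunk is silently skipped; the enforcement fails open. Assuming the call reports failure with the same EPKG_* codes used elsewhere in this function, the update should stop instead, e.g. `if (pkg_config_bool(PKG_CONFIG_SIGNED_REPOS, &alwayssigned) != EPKG_OK) return (EPKG_FATAL);`, which appears to run before any resource that `cleanup` would release is acquired (confirm against the declarations above the hunk). Two style points on the same lines: `bool alwayssigned = false;;` carries a stray semicolon, and the nested test could be written `} else if (alwayssigned) {`. update_from_remote_repo starts and ends outside both hunks.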