From ca496b6a97b988c1ac970b1c3b7be6ed7c402fe7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 23 Apr 2014 13:30:30 -0400 Subject: [PATCH] Standalone builds now check gpg signatures before upgrading. --- Assistant/Threads/Upgrader.hs | 18 +------------ Assistant/Upgrade.hs | 49 +++++++++++++++++++++++++++++++++++ Makefile | 2 ++ debian/changelog | 6 +++++ standalone/android/Makefile | 1 + standalone/android/runshell | 1 + 6 files changed, 60 insertions(+), 17 deletions(-) diff --git a/Assistant/Threads/Upgrader.hs b/Assistant/Threads/Upgrader.hs index 60aeec70b6..637c82a7d9 100644 --- a/Assistant/Threads/Upgrader.hs +++ b/Assistant/Threads/Upgrader.hs @@ -18,11 +18,8 @@ import Assistant.Types.UrlRenderer import Assistant.DaemonStatus import Assistant.Alert import Utility.NotificationBroadcaster -import Utility.Tmp import qualified Annex import qualified Build.SysConfig -import qualified Utility.Url as Url -import qualified Annex.Url as Url import qualified Git.Version import Types.Distribution #ifdef WITH_WEBAPP @@ -62,7 +59,7 @@ upgraderThread urlrenderer = namedThread "Upgrader" $ checkUpgrade :: UrlRenderer -> Assistant () checkUpgrade urlrenderer = do debug [ "Checking if an upgrade is available." ] - go =<< getDistributionInfo + go =<< downloadDistributionInfo where go Nothing = debug [ "Failed to check if upgrade is available." ] go (Just d) = do @@ -86,16 +83,3 @@ canUpgrade urgency urlrenderer d = ifM autoUpgradeEnabled noop #endif ) - -getDistributionInfo :: Assistant (Maybe GitAnnexDistribution) -getDistributionInfo = do - uo <- liftAnnex Url.getUrlOptions - liftIO $ withTmpFile "git-annex.tmp" $ \tmpfile h -> do - hClose h - ifM (Url.downloadQuiet distributionInfoUrl tmpfile uo) - ( readish <$> readFileStrict tmpfile - , return Nothing - ) - -distributionInfoUrl :: String -distributionInfoUrl = fromJust Build.SysConfig.upgradelocation ++ ".info" diff --git a/Assistant/Upgrade.hs b/Assistant/Upgrade.hs index aaf6a8478b..c7ff7676b3 100644 
--- a/Assistant/Upgrade.hs +++ b/Assistant/Upgrade.hs @@ -32,7 +32,11 @@ import Config.Files import Utility.ThreadScheduler import Utility.Tmp import Utility.UserInfo +import Utility.Gpg import qualified Utility.Lsof as Lsof +import qualified Build.SysConfig +import qualified Utility.Url as Url +import qualified Annex.Url as Url import qualified Data.Map as M import Data.Tuple.Utils @@ -313,3 +317,48 @@ upgradeSanityCheck = ifM usingDistribution usingDistribution :: IO Bool usingDistribution = isJust <$> getEnv "GIT_ANNEX_STANDLONE_ENV" + +downloadDistributionInfo :: Assistant (Maybe GitAnnexDistribution) +downloadDistributionInfo = do + uo <- liftAnnex Url.getUrlOptions + liftIO $ withTmpDir "git-annex.tmp" $ \tmpdir -> do + let infof = tmpdir "info" + let sigf = infof ++ ".sig" + ifM (Url.downloadQuiet distributionInfoUrl infof uo + <&&> Url.downloadQuiet distributionInfoSigUrl sigf uo + <&&> verifyDistributionSig sigf) + ( readish <$> readFileStrict infof + , return Nothing + ) + +distributionInfoUrl :: String +distributionInfoUrl = fromJust Build.SysConfig.upgradelocation ++ ".info" + +distributionInfoSigUrl :: String +distributionInfoSigUrl = distributionInfoUrl ++ ".sig" + +{- Verifies that a file from the git-annex distribution has a valid + - signature. Pass the detached .sig file; the file to be verified should + - be located next to it. + - + - The gpg keyring used to verify the signature is located in + - trustedkeys.gpg, next to the git-annex program. + -} +verifyDistributionSig :: FilePath -> IO Bool +verifyDistributionSig sig = do + p <- readProgramFile + if isAbsolute p + then withTmpDir "git-annex-gpg.tmp" $ \gpgtmp -> do + let trustedkeys = takeDirectory p "trustedkeys.gpg" + boolSystem gpgcmd + [ Param "--no-default-keyring" + , Param "--no-auto-check-trustdb" + , Param "--no-options" + , Param "--homedir" + , File gpgtmp + , Param "--keyring" + , File trustedkeys + , Param "--verify" + , File sig + ] + else return False 
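Review bot: `verifyDistributionSig` passes only the signature file to `gpg --verify` and relies on gpg finding the signed data by stripping the `.sig` suffix. GnuPG's documentation discourages this single-argument form: gpg decides from the downloaded file itself what was signed, so if that file is not a detached signature, the `info` file next to it is never checked. Name the data file explicitly by adding `, File (dropExtension sig)` after `, File sig`, assuming `dropExtension` from System.FilePath is in scope here as `takeDirectory` and `isAbsolute` appear to be. A valid signature also says nothing about freshness, so an older signed `.info` would still verify. The caller should refuse a distribution that is not newer than the running version; whether `checkUpgrade` already does so is not visible in this diff.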
diff --git a/Makefile b/Makefile index cbc369572a..25a77be1f3 100644 --- a/Makefile +++ b/Makefile @@ -120,6 +120,7 @@ linuxstandalone-nobuild: Build/Standalone Build/LinuxMkLibs ln -sf git-annex "$(LINUXSTANDALONE_DEST)/bin/git-annex-shell" zcat standalone/licences.gz > $(LINUXSTANDALONE_DEST)/LICENSE cp doc/logo_16x16.png doc/logo.svg $(LINUXSTANDALONE_DEST) + cp standalone/trustedkeys.gpg $(LINUXSTANDALONE_DEST) ./Build/Standalone "$(LINUXSTANDALONE_DEST)" @@ -150,6 +151,7 @@ osxapp: Build/Standalone Build/OSXMkLibs ln -sf git-annex "$(OSXAPP_BASE)/git-annex-shell" gzcat standalone/licences.gz > $(OSXAPP_BASE)/LICENSE cp $(OSXAPP_BASE)/LICENSE tmp/build-dmg/LICENSE.txt + cp standalone/trustedkeys.gpg $(OSXAPP_BASE) ./Build/Standalone $(OSXAPP_BASE) diff --git a/debian/changelog b/debian/changelog index 8d48162378..176178be0b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +git-annex (5.20140422) UNRELEASED; urgency=medium + + * Standalone builds now check gpg signatures before upgrading. + + -- Joey Hess Wed, 23 Apr 2014 12:43:39 -0400 + git-annex (5.20140421) unstable; urgency=medium * assistant: Now detects immediately when other repositories push diff --git a/standalone/android/Makefile b/standalone/android/Makefile index 404841bc06..a11c0bcc13 100644 --- a/standalone/android/Makefile +++ b/standalone/android/Makefile @@ -76,6 +76,7 @@ build: start cp $(GIT_ANNEX_ANDROID_SOURCETREE)/git/git.tar.gz $(GIT_ANNEX_ANDROID_SOURCETREE)/term/libs/armeabi/lib.git.tar.gz.so git rev-parse HEAD > $(GIT_ANNEX_ANDROID_SOURCETREE)/term/libs/armeabi/lib.version.so + cp ../trustedkeys.gpg $(GIT_ANNEX_ANDROID_SOURCETREE)/term/libs/armeabi/lib.trustedkeys.so mkdir -p ../../tmp/4.0 ../../tmp/4.3 diff --git a/standalone/android/runshell b/standalone/android/runshell index ef67444944..f6a0138e97 100755 --- a/standalone/android/runshell +++ b/standalone/android/runshell 
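Review bot: The two `cp standalone/trustedkeys.gpg …` lines here, and `cp ../trustedkeys.gpg …` in standalone/android/Makefile, ship a keyring that this patch does not add; it is absent from the diffstat, so its contents cannot be reviewed with this change. Because that file becomes the trust root for upgrade verification, a comment beside the first copy would help, for example `# trustedkeys.gpg: keyring used to verify upgrade signatures; fingerprints and regeneration steps are in <DOC-PATH-PLACEHOLDER>`. The recipes these lines belong to continue outside their hunks.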
@@ -53,6 +53,7 @@ buildtree () { $cmd echo "exec $base/lib/lib.start.so" >> "$base/runshell" $cmd chmod 755 runshell + $cmd cat "$base/lib/lib.trustedkeys.so" > "$base/bin/trustedkeys.gpg" $cmd cat "$base/lib/lib.version.so" > "$base/installed-version" $cmd echo "Installation complete" }
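Review bot: The added line writes `$base/bin/trustedkeys.gpg` through a shell redirect, so the file is created even when `cat` fails or `lib.trustedkeys.so` is missing, which leaves an empty keyring. Signature verification would then fail closed, but the only visible symptom is the generic "Failed to check if upgrade is available." debug message. Consider a guard before the copy, such as `[ -s "$base/lib/lib.trustedkeys.so" ] || echo "trustedkeys.gpg source missing; upgrade checks will fail" >&2`. Whether `$cmd` or a `set -e` already aborts on failure is not visible, since `buildtree` begins outside the hunk.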