Standalone builds now check gpg signatures before upgrading.

2014-04-23 13:30:30 -04:00 · 2014-04-23 13:30:30 -04:00 · ca496b6a97
commit ca496b6a97
parent 4887f8f860
6 changed files with 60 additions and 17 deletions
--- a/Assistant/Threads/Upgrader.hs
+++ b/Assistant/Threads/Upgrader.hs
@ -18,11 +18,8 @@ import Assistant.Types.UrlRenderer
 import Assistant.DaemonStatus
 import Assistant.Alert
 import Utility.NotificationBroadcaster
-import Utility.Tmp
 import qualified Annex
 import qualified Build.SysConfig
-import qualified Utility.Url as Url
-import qualified Annex.Url as Url
 import qualified Git.Version
 import Types.Distribution
 #ifdef WITH_WEBAPP
@ -62,7 +59,7 @@ upgraderThread urlrenderer = namedThread "Upgrader" $
 checkUpgrade :: UrlRenderer -> Assistant ()
 checkUpgrade urlrenderer = do
 	debug [ "Checking if an upgrade is available." ]
-	go =<< getDistributionInfo
+	go =<< downloadDistributionInfo
  where
 	go Nothing = debug [ "Failed to check if upgrade is available." ]
 	go (Just d) = do
@ -86,16 +83,3 @@ canUpgrade urgency urlrenderer d = ifM autoUpgradeEnabled
 		noop
 #endif
 	)
-
-getDistributionInfo :: Assistant (Maybe GitAnnexDistribution)
-getDistributionInfo = do
-	uo <- liftAnnex Url.getUrlOptions
-	liftIO $ withTmpFile "git-annex.tmp" $ \tmpfile h -> do
-		hClose h
-		ifM (Url.downloadQuiet distributionInfoUrl tmpfile uo)
-			( readish <$> readFileStrict tmpfile
-			, return Nothing
-			)
-
-distributionInfoUrl :: String
-distributionInfoUrl = fromJust Build.SysConfig.upgradelocation ++ ".info"
--- a/Assistant/Upgrade.hs
+++ b/Assistant/Upgrade.hs
@ -32,7 +32,11 @@ import Config.Files
 import Utility.ThreadScheduler
 import Utility.Tmp
 import Utility.UserInfo
+import Utility.Gpg
 import qualified Utility.Lsof as Lsof
+import qualified Build.SysConfig
+import qualified Utility.Url as Url
+import qualified Annex.Url as Url

 import qualified Data.Map as M
 import Data.Tuple.Utils
@ -313,3 +317,48 @@ upgradeSanityCheck = ifM usingDistribution

 usingDistribution :: IO Bool
 usingDistribution = isJust <$> getEnv "GIT_ANNEX_STANDLONE_ENV"
+
+downloadDistributionInfo :: Assistant (Maybe GitAnnexDistribution)
+downloadDistributionInfo = do
+	uo <- liftAnnex Url.getUrlOptions
+	liftIO $ withTmpDir "git-annex.tmp" $ \tmpdir -> do
+		let infof = tmpdir </> "info"
+		let sigf = infof ++ ".sig"
+		ifM (Url.downloadQuiet distributionInfoUrl infof uo
+			<&&> Url.downloadQuiet distributionInfoSigUrl sigf uo
+			<&&> verifyDistributionSig sigf)
+			( readish <$> readFileStrict infof
+			, return Nothing
+			)
+
+distributionInfoUrl :: String
+distributionInfoUrl = fromJust Build.SysConfig.upgradelocation ++ ".info"
+
+distributionInfoSigUrl :: String
+distributionInfoSigUrl = distributionInfoUrl ++ ".sig"
+
+{- Verifies that a file from the git-annex distribution has a valid
+ - signature. Pass the detached .sig file; the file to be verified should
+ - be located next to it.
+ -
+ - The gpg keyring used to verify the signature is located in
+ - trustedkeys.gpg, next to the git-annex program.
+ -}
+verifyDistributionSig :: FilePath -> IO Bool
+verifyDistributionSig sig = do
+	p <- readProgramFile
+	if isAbsolute p
+		then withTmpDir "git-annex-gpg.tmp" $ \gpgtmp -> do
+			let trustedkeys = takeDirectory p </> "trustedkeys.gpg"
+			boolSystem gpgcmd
+				[ Param "--no-default-keyring"
+				, Param "--no-auto-check-trustdb"
+				, Param "--no-options"
+				, Param "--homedir"
+				, File gpgtmp
+				, Param "--keyring"
+				, File trustedkeys
+				, Param "--verify"
+				, File sig
+				]
+		else return False