Use gpgv for signature verification in cargo

Parsing gpg output for signature verification is not recommended,
as it can break easily (and doesn't work with i18n).
This patch makes use of gpgv, as suggested by gpg authors:
http://lists.gnupg.org/pipermail/gnupg-users/2004-August/023141.html
This closes #3762.

Signed-off-by: Luca Bruno <lucab@debian.org>
This commit is contained in:
Luca Bruno 2012-10-14 14:45:21 +02:00
parent 07edf90367
commit 01aaeef619
2 changed files with 29 additions and 31 deletions

View File

@ -1162,20 +1162,20 @@ fn sync_one_file(c: &Cargo, dir: &Path, src: @Source) -> bool {
}
match (src.key, src.keyfp) {
(Some(_), Some(f)) => {
let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);
if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}
if has_src_file {
let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);
if !e {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}
}
@ -1273,21 +1273,21 @@ fn sync_one_git(c: &Cargo, dir: &Path, src: @Source) -> bool {
}
match (src.key, src.keyfp) {
(Some(_), Some(f)) => {
let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);
if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
rollback(name, dir, false);
return false;
}
if has_src_file {
let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);
if !e {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
rollback(name, dir, false);
return false;
}
@ -1370,11 +1370,11 @@ fn sync_one_curl(c: &Cargo, dir: &Path, src: @Source) -> bool {
return false;
}
let r = pgp::verify(&c.root, &pkgfile, &sigfile, f);
let r = pgp::verify(&c.root, &pkgfile, &sigfile);
if !r {
error(fmt!("signature verification failed for source %s",
name));
error(fmt!("signature verification failed for source %s with key %s",
name, f));
return false;
}
@ -1390,11 +1390,11 @@ fn sync_one_curl(c: &Cargo, dir: &Path, src: @Source) -> bool {
return false;
}
let e = pgp::verify(&c.root, &srcfile, &srcsigfile, f);
let e = pgp::verify(&c.root, &srcfile, &srcsigfile);
if !e {
error(~"signature verification failed for " +
~"source " + name);
~"source " + name + ~" with key " + f);
return false;
}
}
@ -1463,8 +1463,7 @@ fn cmd_init(c: &Cargo) {
return;
}
let r = pgp::verify(&c.root, &srcfile, &sigfile,
pgp::signing_key_fp());
let r = pgp::verify(&c.root, &srcfile, &sigfile);
if !r {
error(fmt!("signature verification failed for '%s'",
srcfile.to_str()));

View File

@ -1,5 +1,5 @@
fn gpg(args: ~[~str]) -> { status: int, out: ~str, err: ~str } {
return run::program_output(~"gpg", args);
fn gpgv(args: ~[~str]) -> { status: int, out: ~str, err: ~str } {
return run::program_output(~"gpgv", args);
}
fn signing_key() -> ~str {
@ -59,7 +59,7 @@ fn signing_key_fp() -> ~str {
}
fn supported() -> bool {
let r = gpg(~[~"--version"]);
let r = gpgv(~[~"--version"]);
r.status == 0
}
@ -88,15 +88,14 @@ fn add(root: &Path, key: &Path) {
}
}
fn verify(root: &Path, data: &Path, sig: &Path, keyfp: ~str) -> bool {
fn verify(root: &Path, data: &Path, sig: &Path) -> bool {
let path = root.push("gpg");
let p = gpg(~[~"--homedir", path.to_str(),
~"--with-fingerprint",
~"--verify", sig.to_str(),
data.to_str()]);
let res = ~"Primary key fingerprint: " + keyfp;
for str::split_char_each(p.err, '\n') |line| {
if line == res { return true; }
let res = gpgv(~[~"--homedir", path.to_str(),
~"--keyring", ~"pubring.gpg",
~"--verbose",
sig.to_str(), data.to_str()]);
if res.status != 0 {
return false;
}
return false;
return true;
}