Validates in-cache .pkg signature

This commit is contained in:
Stephen McQuay 2018-03-04 00:50:13 -08:00
parent 68942b6cdd
commit b1f0949c49
Signed by untrusted user: sm
GPG Key ID: 4E4B72F479BA3CE5

View File

@ -1,7 +1,9 @@
package pkg
import (
"archive/tar"
"io"
"log"
"net/http"
"os"
"path/filepath"
@ -10,6 +12,7 @@ import (
"mcquay.me/fs"
"mcquay.me/pm"
"mcquay.me/pm/db"
"mcquay.me/pm/keyring"
)
const cache = "var/cache/pm"
@ -40,6 +43,11 @@ func Install(root string, pkgs []string) error {
return errors.Wrap(err, "downloading")
}
for _, m := range ms {
if err := verifyManifestIntegrity(root, m); err != nil {
return errors.Wrap(err, "verifying pkg integrity")
}
}
return errors.New("NYI")
}
@ -66,3 +74,60 @@ func download(cache string, ms pm.Metas) error {
}
return nil
}
func verifyManifestIntegrity(root string, m pm.Meta) error {
pn := filepath.Join(root, cache, m.Pkg())
man, err := getReadCloser(pn, "manifest.sha256")
if err != nil {
return errors.Wrap(err, "getting manifest reader")
}
sig, err := getReadCloser(pn, "manifest.sha256.asc")
if err != nil {
return errors.Wrap(err, "getting manifest reader")
}
if err := keyring.Verify(root, man, sig); err != nil {
return errors.Wrap(err, "verifying manifest")
}
if err := man.Close(); err != nil {
return errors.Wrap(err, "closing manifest reader")
}
if err := sig.Close(); err != nil {
return errors.Wrap(err, "closing manifest signature reader")
}
return nil
}
type tarSlurper struct {
f *os.File
tr *tar.Reader
}
func (ts *tarSlurper) Close() error {
return ts.f.Close()
}
func (ts *tarSlurper) Read(p []byte) (int, error) {
return ts.tr.Read(p)
}
func getReadCloser(tn, fn string) (io.ReadCloser, error) {
pf, err := os.Open(tn)
if err != nil {
return nil, errors.Wrap(err, "opening pkg file")
}
tr := tar.NewReader(pf)
for {
hdr, err := tr.Next()
if err == io.EOF {
break
}
if err != nil {
return nil, errors.Wrap(err, "tar traversal")
}
if hdr.Name == fn {
return &tarSlurper{pf, tr}, nil
}
}
return nil, errors.Errorf("%q not found", fn)
}