-- Signature checking can be switched off with RPM::GPG::Check=false; in
-- that case the script stops here and no package signature is verified.
if confget("RPM::GPG::Check/b", "true") == "false" then
    return
end

-- Nothing is scheduled for installation, so there is nothing to verify.
if table.getn(files_install) < 1 then
    return
end

-- Settings read once from the APT configuration. They are globals because
-- the functions further down read them.
-- keyspath: directory searched for key files when a signing key is missing.
keyspath = confget("RPM::GPG::KeysPath/f", "/etc/pki/rpm-gpg")
-- interactive: kept as the string "true"/"false", compared as a string later.
interactive = confget("RPM::Interactive/b", "true")
-- quiet: numeric quiet level. Note that 0 is truthy in Lua, so it must be
-- compared with a number rather than tested as a boolean.
quiet = tonumber(confget("quiet", 0))

-- Progress-bar template; its length is the width of the bar.
hash = '##############################'
hashestotal = string.len(hash)
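-- Write one progress update to stdout.
--
-- In interactive mode a bar of '#' characters plus a percentage is written,
-- followed by one backspace per character so that the next update
-- overwrites it. Otherwise a "%% <percent>" line is written.
-- Reads the globals `interactive`, `hash` and `hashestotal`.
--
-- amount: number of items processed so far
-- total:  total number of items (the caller passes a value >= 1)
function printhash(amount, total)
    -- Declared local: the earlier version leaked percent, nrhash and line
    -- into the global table.
    local percent = amount / total * 100
    if interactive == "true" then
        -- Start index into the template. Floored so that string.sub() and
        -- the %d conversion always receive whole numbers.
        local nrhash = math.floor(hashestotal - hashestotal / total * amount)
        local line = string.format("%-31s[%3d%%]",
                                   string.sub(hash, nrhash),
                                   math.floor(percent))
        io.stdout:write(line)
        io.stdout:flush()
        -- Move the cursor back to the start of what was just written.
        io.stdout:write(string.rep('\b', string.len(line)))
    else
        io.stdout:write(string.format("%%%% %f\n", percent))
    end
end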
-- Callback used with table.foreach(): report one collected error message.
--
-- i:   key of the entry in the table being walked (not used)
-- msg: message text, handed to apterror()
function showerrors(i, msg)
    -- Must not return a value: table.foreach() stops at the first callback
    -- that returns something other than nil.
    apterror(msg)
end
-- Global result state. gpgcheck() resets and fills these on every run.
-- `good` stays truthy only while no problem has been recorded.
good = 1
unknown, illegal, unsigned, missing = 0, 0, 0, 0
errors = {}     -- collected error messages
missings = {}   -- key id -> list of package files that need that key

-- Entries of RPM::GPG::Skip-Check. A package whose name matches one of
-- them is installed without a signature check, so keep this list short.
skiplist = confgetlist("RPM::GPG::Skip-Check", "")
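-- Quote a string so that the shell treats it as exactly one word.
local function quote_shell_arg(s)
    return "'" .. string.gsub(s, "'", "'\\''") .. "'"
end

-- Check the signature of every file in files_install with
-- `rpm --checksig` and classify the result from rpm's text output.
--
-- Results are stored in global variables: good (1, or nil after any
-- problem), the counters unknown/illegal/unsigned/missing, the message
-- list `errors`, and `missings` (key id -> files that need that key).
--
-- silent: when truthy, neither the banner nor the progress bar is printed.
function gpgcheck(silent)
    good = 1
    unknown = 0
    illegal = 0
    unsigned = 0
    missing = 0
    errors = {}
    missings = {}

    if not silent then
        io.stdout:write(string.format("%-41s", _("Checking GPG signatures...")))
        if interactive == "false" then
            io.stdout:write('\n')
        end
    end

    for i, file in ipairs(files_install) do
        local skipthis = false
        -- Skip entries are used as Lua patterns and are not anchored, so an
        -- entry matches anywhere inside the package name.
        for j, skip in ipairs(skiplist) do
            local name = pkgname(pkgs_install[i])
            if string.find(name, skip) then
                skipthis = true
                aptwarning(_("Skipped GPG check on ")..name)
                break
            end
        end

        if not silent and quiet == 0 then
            printhash(i, table.getn(files_install))
        end

        if skipthis == false then
            -- The path becomes part of a shell command line, so it is
            -- quoted as a single word instead of being pasted in raw.
            local inp = io.popen("LANG=C /bin/rpm --checksig "..quote_shell_arg(file).." 2>&1")
            local sawoutput = false
            if inp then
                for line in inp:lines() do
                    sawoutput = true
                    if string.find(line, "rpmReadSignature") then
                        table.insert(errors, _("Illegal signature ")..line)
                        illegal = illegal + 1
                        good = nil
                    -- " NOT OK" has to be tested before " OK", which is a
                    -- substring of it.
                    elseif string.find(line, " NOT OK") then
                        -- NOTE(review): the first '#' in the line is taken
                        -- as the start of the key id; confirm that nothing
                        -- earlier in rpm's output can contain a '#'.
                        local index = string.find(line, "#")
                        if string.find(line, "MISSING") and index then
                            local keyid = string.lower(string.sub(line, index+1, index+8))
                            table.insert(errors, _("Missing key ")..line)
                            if not missings[keyid] then
                                missings[keyid] = {}
                            end
                            table.insert(missings[keyid], file)
                            missing = missing + 1
                            good = nil
                        else
                            table.insert(errors, _("Unknown error ")..line)
                            unknown = unknown + 1
                            good = nil
                        end
                    elseif string.find(line, " OK") then
                        -- Only an OK line that names gpg or pgp in lower
                        -- case counts as signed; an OK line without it is
                        -- reported as unsigned.
                        if string.find(line, " gpg") or string.find(line, " pgp") then
                            break
                        else
                            table.insert(errors, _("Unsigned ")..line)
                            unsigned = unsigned + 1
                            good = nil
                        end
                    else
                        table.insert(errors, _("Unknown error ")..line)
                        unknown = unknown + 1
                        good = nil
                    end
                end
                inp:close()
            end
            -- Fail closed: if rpm could not be started or printed nothing,
            -- there is no verdict for this file, and a file without a
            -- verdict must not pass as verified.
            if not sawoutput then
                table.insert(errors, _("Unknown error ")..file)
                unknown = unknown + 1
                good = nil
            end
        end
    end

    if not silent and interactive == "true" then
        io.stdout:write('\n')
    end
end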
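-- First pass over all packages, with banner and progress output.
gpgcheck(false)

-- If the check failed and RPM::GPG::Import-Missing allows it, look in
-- keyspath for the keys that were reported missing and offer to import them.
if not good and confget("RPM::GPG::Import-Missing/b", "true") == "true" then
    -- Quote a string so that the shell treats it as exactly one word.
    local function shquote(s)
        return "'" .. string.gsub(s, "'", "'\\''") .. "'"
    end

    -- Print list of missing keys
    for i, msglist in pairs(missings) do
        for j, file in pairs(msglist) do
            print(_(" missing key #")..i.._(" for ")..file)
        end
    end

    -- Search for missing keys.
    -- A key file is matched to a package only by its 8-character key id,
    -- and whatever file in keyspath reports that id is what gets imported.
    -- The directory therefore has to be writable by the administrator only.
    local keysimported = 0
    -- NOTE(review): posix.dir() is assumed to return nil when the directory
    -- cannot be read; "or {}" then means that no key is imported.
    local files = posix.dir(keyspath) or {}
    for i, file in ipairs(files) do
        -- Directory entries are pasted into shell commands below, so the
        -- full path is quoted once and reused.
        local keypath = shquote(keyspath.."/"..file)

        -- Get the Key ID
        local keyid = nil
        local inp = io.popen("LANG=C /usr/bin/gpg --no-options --no-default-keyring --keyring /dev/null --secret-keyring /dev/null "..keypath.." 2>&1")
        if inp then
            for line in inp:lines() do
                if string.sub(line, 1, 4) == "pub " then
                    keyid = string.lower(string.sub(line, 12, 19))
                end
            end
            inp:close()
        end

        -- The id is cut from fixed columns of gpg's output and ends up in a
        -- shell command; accept it only if it is exactly eight hex digits.
        if keyid and not string.find(keyid, "^%x%x%x%x%x%x%x%x$") then
            keyid = nil
        end

        if keyid and missings[keyid] then
            -- Note: A single key could be imported several times
            -- So neither pkgfind() nor `rpm -e --test` can be used
            local ret = os.execute("LANG=C rpm -q gpg-pubkey-"..keyid.." > /dev/null 2>&1")
            if ret == 0 then
                aptwarning(_("Missing gpg key is already installed: #")..keyid)
            else
                local doimport = false
                -- With APT::Get::Assume-Yes the key is imported without
                -- asking anyone.
                if confget("APT::Get::Assume-Yes/b", "false") == "true" then
                    doimport = true
                else
                    io.stdout.write(io.stdout, _("Missing gpg key found").." ("..file..": #"..keyid..") ".._("Import it? [Y/n] "))
                    local answer = io.read()
                    -- io.read() returns nil at end of input. Nobody answered
                    -- in that case, so the key is not imported.
                    if answer then
                        answer = string.lower(string.sub(answer, 1, 1))
                        doimport = answer == "y" or answer == ""
                    end
                end

                if doimport then
                    local execpath = "LANG=C rpm --import "..keypath
                    -- 0 is truthy in Lua, so the quiet level is compared
                    -- as a number; a plain "if quiet" always hid the output.
                    if quiet and quiet > 0 then
                        execpath = execpath .. " > /dev/null 2>&1"
                    end
                    if os.execute(execpath) > 0 then
                        print(_("Error importing GPG key"))
                    else
                        missings[keyid] = nil
                        keysimported = keysimported + 1
                    end
                end
            end
        end
    end

    -- Re-run the check quietly so that the final verdict reflects the
    -- keys that were just imported.
    if keysimported > 0 then
        gpgcheck(true)
    end
end

-- Anything still failing at this point is reported through apterror().
if not good then
    table.foreach(errors, showerrors)
    apterror(_("Error(s) while checking package signatures:\n"..unsigned.." unsigned package(s)\n"..missing.." package(s) with missing signatures\n"..illegal.." package(s) with illegal/corrupted signatures\n"..unknown.." unknown error(s)"))
end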
-- vim::sts=4:sw=4