authorjoerg <joerg>2008-07-18 19:10:55 +0000
committerjoerg <joerg>2008-07-18 19:10:55 +0000
commita9143019ebb76dcfa5c24a7277b65f0c2e84c1f6 (patch)
tree8adb1496ea6a78f63416f66cb8fbc97661145b29
parent132f9d16c88d06fb5fdd60457b3c884b9669e67b (diff)
downloadpkgsrc-a9143019ebb76dcfa5c24a7277b65f0c2e84c1f6.tar.gz
Make pkg_verify_signature return with modified arguments if it finds
a signed package but cannot validate the signature. Make pkg_info try to validate the signature. It will print an error to stderr if it cannot validate the signature, but otherwise continue.
-rw-r--r--pkgtools/pkg_install/files/info/perform.c35
-rw-r--r--pkgtools/pkg_install/files/lib/pkg_signature.c16
2 files changed, 35 insertions, 16 deletions
diff --git a/pkgtools/pkg_install/files/info/perform.c b/pkgtools/pkg_install/files/info/perform.c
index 48615ecca2a..8f6f7e1183b 100644
--- a/pkgtools/pkg_install/files/info/perform.c
+++ b/pkgtools/pkg_install/files/info/perform.c
@@ -1,4 +1,4 @@
-/* $NetBSD: perform.c,v 1.46.2.2 2008/05/23 15:36:48 joerg Exp $ */
+/* $NetBSD: perform.c,v 1.46.2.3 2008/07/18 19:10:55 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
@@ -17,7 +17,7 @@
#if 0
static const char *rcsid = "from FreeBSD Id: perform.c,v 1.23 1997/10/13 15:03:53 jkh Exp";
#else
-__RCSID("$NetBSD: perform.c,v 1.46.2.2 2008/05/23 15:36:48 joerg Exp $");
+__RCSID("$NetBSD: perform.c,v 1.46.2.3 2008/07/18 19:10:55 joerg Exp $");
#endif
#endif
@@ -174,10 +174,10 @@ free_pkg_meta(struct pkg_meta *meta)
#ifndef BOOTSTRAP
static struct pkg_meta *
-read_meta_data_from_archive(struct archive *archive)
+read_meta_data_from_archive(struct archive *archive,
+ struct archive_entry *entry)
{
struct pkg_meta *meta;
- struct archive_entry *entry;
const char *fname;
const struct pkg_meta_desc *descr, *last_descr;
char **target;
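Review bot: The new `entry` parameter of read_meta_data_from_archive carries no comment stating its contract, although the function now behaves differently depending on it; read_meta_data_from_archive continues past the hunk. From the callers visible in this commit it is either NULL or a header that has already been read from `archive` (pkg_do hands over whatever pkg_verify_signature left in it), and that pre-read header must not be read again. A line above the definition would save the next reader a trip through pkg_do: `/* entry: NULL, or a header already read from archive by the caller; it is processed first, then the remaining headers are read. */`.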
@@ -192,7 +192,11 @@ read_meta_data_from_archive(struct archive *archive)
memset(meta, 0, sizeof(*meta));
last_descr = 0;
+ if (entry != NULL)
+ goto has_entry;
+
while ((r = archive_read_next_header(archive, &entry)) == ARCHIVE_OK) {
+has_entry:
fname = archive_entry_pathname(entry);
for (descr = pkg_meta_descriptors; descr->entry_filename;
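Review bot: The `goto has_entry` jumps into the middle of the while body, skipping the loop condition on the first pass; that is legal C but it hides the control flow, and it leaves `r` unassigned until the condition is first re-evaluated, which is only safe if nothing between the label and the end of the body reads `r` or leaves the loop with `break`. The rest of the loop body is outside the hunk, so I cannot confirm that from here. The clearer shape is to prime the iteration before the loop, `if (entry == NULL) r = archive_read_next_header(archive, &entry);` followed by `while (r == ARCHIVE_OK)` with the next-header call moved to the end of the body, provided the body has no `continue`. If the jump stays, the label should at least explain itself: `/* entry was already read by the caller (signature check); process it before fetching the next header */`.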
@@ -308,11 +312,30 @@ pkg_do(const char *pkg)
#else
struct archive *archive;
void *archive_cookie;
+# ifdef HAVE_SSL
+ void *signature_cookie;
+# endif
+ struct archive_entry *entry;
+ char *pkgname;
archive = open_archive(pkg, &archive_cookie);
-
- meta = read_meta_data_from_archive(archive);
+ if (archive == NULL) {
+ warnx("can't find package `%s', skipped", pkg);
+ return -1;
+ }
+ pkgname = NULL;
+ entry = NULL;
+# ifdef HAVE_SSL
+ pkg_verify_signature(&archive, &entry, &pkgname,
+ &signature_cookie);
+# endif
+ free(pkgname);
+
+ meta = read_meta_data_from_archive(archive, entry);
close_archive(archive_cookie);
+# ifdef HAVE_SSL
+ pkg_free_signature(signature_cookie);
+# endif
if (!IS_URL(pkg))
binpkgfile = pkg;
#endif
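Review bot: The return value of pkg_verify_signature under `# ifdef HAVE_SSL` is discarded and the `pkgname` it hands back is freed on the next line without being read, so pkg_do neither distinguishes a package whose signature failed from an unsigned one nor checks that the signed name matches the metadata it goes on to print; pkg_do starts before and ends after the hunk. Continuing on failure is what the commit intends, but that decision should be visible at the call site rather than implied by an ignored result, e.g. above the call: `/* Signature problems are reported on stderr by pkg_verify_signature; pkg_info only displays metadata, so keep going. */`. If pkgname is meant to bind the signature to the package identity, compare it with the name obtained from read_meta_data_from_archive before freeing it; if it is not needed here, say so in a comment next to the `free(pkgname)` so the dead out-parameter is not mistaken for an oversight.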
diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c b/pkgtools/pkg_install/files/lib/pkg_signature.c
index 425f37cd1c7..35c6c21b28a 100644
--- a/pkgtools/pkg_install/files/lib/pkg_signature.c
+++ b/pkgtools/pkg_install/files/lib/pkg_signature.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */
+/* $NetBSD: pkg_signature.c,v 1.1.2.4 2008/07/18 19:10:55 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
@@ -7,7 +7,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $");
+__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.4 2008/07/18 19:10:55 joerg Exp $");
/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@@ -322,7 +322,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry,
struct archive *a;
char *hash_file, *signature_file;
size_t hash_len, signature_len;
- int r;
+ int r, has_sig;
*pkgname = NULL;
*cookie = NULL;
@@ -355,12 +355,8 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry,
if (parse_hash_file(hash_file, pkgname, state))
goto no_valid_signature;
- if (easy_pkcs7_verify(hash_file, hash_len, signature_file,
- signature_len, certs_packages, 1)) {
- free(signature_file);
- free_signature_int(state);
- goto no_valid_signature;
- }
+ has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file,
+ signature_len, certs_packages, 1);
free(signature_file);
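Review bot: `has_sig` is a misleading name for the result of `!easy_pkcs7_verify(...)`: by this point a signature file exists, and the flag records whether it verified against `certs_packages`, so `sig_valid` would say what it means. The other effect of dropping the early `goto` is that `state` is no longer freed here when verification fails; it now flows to the caller through `*cookie` (visible in the following hunk), so the caller has to call pkg_free_signature even when the function returns -1, which is a change of ownership that deserves a comment at this line: `/* A failed verification no longer aborts: state is still handed to the caller via *cookie so the package can be inspected; the caller frees it with pkg_free_signature regardless of our return value. */`. I cannot see from the hunk whether `hash_file` is released on the failed path; worth checking once.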
@@ -393,7 +389,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry,
*entry = NULL;
*cookie = state;
- return 0;
+ return has_sig ? 0 : -1;
no_valid_signature:
return -1;
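Review bot: `return has_sig ? 0 : -1;` reuses the same -1 as `no_valid_signature:`, yet the two paths leave the out-parameters in different states: on the first path `*archive`, `*entry` and `*cookie` have been replaced, on the second `*cookie` is still the NULL assigned at the top of the function and the archive is untouched. A caller that only looks at the return value cannot tell "signature present but invalid" from "no usable signature", and only the former requires pkg_free_signature and the modified archive handling. Either use a distinct return value for the verification-failed case or document the rule in the function's contract (its declaration is outside this hunk), e.g. `/* Returns 0 on a valid signature, -1 otherwise; if *cookie is non-NULL on -1 a signature was found but did not verify, and *archive/*entry have been replaced. */`.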