From ff2f7797587e6b0a4b6ef86a7d0bfdb08a5c3ffe Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 29 Jan 2021 16:24:14 +0100
Subject: [PATCH] import: properly verify roothash_signature + verity download, too Follow-up for 133b34f69a72dc90d4e336837d699245390c9f50 where this was forgotten. While we are at it, bring the parameters into the same order as we declare them in the PullRaw/PullTar objects, i.e. match them to the canonical order.
---
 src/import/pull-common.c | 25 +++++++++++--------------
 src/import/pull-common.h | 2 +-
 src/import/pull-raw.c | 9 ++++++++-
 src/import/pull-tar.c | 9 ++++++++-
 4 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/src/import/pull-common.c b/src/import/pull-common.c
index 403a0952bcf..75c5c7493ec 100644
--- a/src/import/pull-common.c
+++ b/src/import/pull-common.c
@@ -490,12 +490,15 @@ finish:
 int pull_verify(ImportVerify verify,
 PullJob *main_job,
- PullJob *roothash_job,
- PullJob *settings_job,
 PullJob *checksum_job,
- PullJob *signature_job) {
+ PullJob *signature_job,
+ PullJob *settings_job,
+ PullJob *roothash_job,
+ PullJob *roothash_signature_job,
+ PullJob *verity_job) {
 VerificationStyle style;
+ PullJob *j;
 int r;
 assert(main_job);
@@ -513,17 +516,11 @@ int pull_verify(ImportVerify verify,
 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Checksum is empty, cannot verify.");
- r = verify_one(checksum_job, main_job);
- if (r < 0)
- return r;
-
- r = verify_one(checksum_job, roothash_job);
- if (r < 0)
- return r;
-
- r = verify_one(checksum_job, settings_job);
- if (r < 0)
- return r;
+ FOREACH_POINTER(j, main_job, settings_job, roothash_job, roothash_signature_job, verity_job) {
+ r = verify_one(checksum_job, j);
+ if (r < 0)
+ return r;
+ }
 if (verify == IMPORT_VERIFY_CHECKSUM)
 return 0;
diff --git a/src/import/pull-common.h b/src/import/pull-common.h
index acbbab7eabf..d420025faba 100644
--- a/src/import/pull-common.h
+++ b/src/import/pull-common.h
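Review bot: In the first hunk of src/import/pull-common.c, pull_verify() now takes seven `PullJob *` arguments in a row, so a call that transposes two of them (for example checksum_job and settings_job) still compiles and would check files against the wrong reference. A header comment on the function would make the contract reviewable at the call sites, stating that checksum_job is the reference every other job is compared with and which of the jobs may be NULL. Only `assert(main_job);` is visible here; the remaining assertions and the rest of the body lie outside the hunk. The pull-tar.c call already labels its NULL arguments (`/* verity_job = */ NULL`), and the same labelling would help wherever a literal is passed.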
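Review bot: In the second hunk of src/import/pull-common.c, the set of files that get checksum-verified is now exactly the argument list of `FOREACH_POINTER`, and pull-tar.c passes NULL for three of those entries. The loop is therefore only complete if FOREACH_POINTER keeps iterating past a NULL entry and verify_one() returns 0 for a NULL job; both are defined outside this diff and should be confirmed. A comment above the loop would record that dependency: `/* Every job whose output gets installed must be listed here; NULL entries are skipped by verify_one(). */`. The diffstat touches no test, so a regression case that expects a `.verity` or roothash signature download not matching the checksum file to be rejected would guard against the next auxiliary job being forgotten in the same way.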
@@ -27,7 +27,7 @@ int pull_make_path(const char *url, const char *etag, const char *image_root, co
 int pull_make_auxiliary_job(PullJob **ret, const char *url, int (*strip_suffixes)(const char *name, char **ret), const char *suffix, CurlGlue *glue, PullJobFinished on_finished, void *userdata);
 int pull_make_verification_jobs(PullJob **ret_checksum_job, PullJob **ret_signature_job, ImportVerify verify, const char *url, CurlGlue *glue, PullJobFinished on_finished, void *userdata);
-int pull_verify(ImportVerify verify, PullJob *main_job, PullJob *roothash_job, PullJob *settings_job, PullJob *checksum_job, PullJob *signature_job);
+int pull_verify(ImportVerify verify, PullJob *main_job, PullJob *checksum_job, PullJob *signature_job, PullJob *settings_job, PullJob *roothash_job, PullJob *roothash_signature_job, PullJob *verity_job);
 typedef enum VerificationStyle {
 VERIFICATION_PER_FILE, /* SuSE-style ".sha256" files with inline gpg signature */
diff --git a/src/import/pull-raw.c b/src/import/pull-raw.c
index 0985dddef37..c9bda3c3b48 100644
--- a/src/import/pull-raw.c
+++ b/src/import/pull-raw.c
@@ -542,7 +542,14 @@ static void raw_pull_job_on_finished(PullJob *j) {
 raw_pull_report_progress(i, RAW_VERIFYING);
- r = pull_verify(i->verify, i->raw_job, i->roothash_job, i->settings_job, i->checksum_job, i->signature_job);
+ r = pull_verify(i->verify,
+ i->raw_job,
+ i->checksum_job,
+ i->signature_job,
+ i->settings_job,
+ i->roothash_job,
+ i->roothash_signature_job,
+ i->verity_job);
 if (r < 0)
 goto finish;
diff --git a/src/import/pull-tar.c b/src/import/pull-tar.c
index 90f439f998d..a2ba56df2f3 100644
--- a/src/import/pull-tar.c
+++ b/src/import/pull-tar.c
@@ -336,7 +336,14 @@ static void tar_pull_job_on_finished(PullJob *j) {
 tar_pull_report_progress(i, TAR_VERIFYING);
- r = pull_verify(i->verify, i->tar_job, NULL, i->settings_job, i->checksum_job, i->signature_job);
+ r = pull_verify(i->verify,
+ i->tar_job,
+ i->checksum_job,
+ i->signature_job,
+ i->settings_job,
+ /* roothash_job = */ NULL,
+ /* roothash_signature_job = */ NULL,
+ /* verity_job = */ NULL);
 if (r < 0)
 goto finish;
--
2.47.3