Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc

To: pkg-manager%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,pkgsrc-bugs%netbsd.org@localhost,Pierre Pronchery <khorben%NetBSD.org@localhost>
Subject: Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
From: Alistair Crooks <agc%pkgsrc.org@localhost>
Date: Mon, 9 Sep 2013 03:45:00 +0000 (UTC)

The following reply was made to PR pkg/48194; it has been noted by GNATS.

From: Alistair Crooks <agc%pkgsrc.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: pkg-manager%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost, 
pkgsrc-bugs%NetBSD.org@localhost
Subject: Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
Date: Mon, 9 Sep 2013 05:43:17 +0200

 On Sun, Sep 08, 2013 at 11:30:00PM +0000, Pierre Pronchery wrote:
 > >Description:
 > pkgsrc has been supporting signed packages since 2001, with mechanisms
 > based on either GPG keys or X509 certificates. pkg_add(1) may however
 > fail at installing such packages in some conditions, due to
 > uninitialized variables in the code used to extract the package signed
 > from its container.
 
 Thanks for the PR.
 
 These aren't GPG signatures, they're PGP signatures. gnupg is just one
 implementation of PGP.
 
 > >How-To-Repeat:
 > This example uses a GPG key, which has to be generated beforehand.
 > 
 > Configure pkg_install:
 > $ cat /etc/pkg_install.conf
 > GPG=/home/khorben/bin/gpg
 > GPG_SIGN_AS=root%edgebsd.org@localhost
 > VERIFIED_INSTALLATION=always
 > 
 > Sign a package:
 > $ mkdir signed
 > $ pkg_admin gpg-sign-package digest-20121220.tgz signed/digest-20121220.tgz
 > 
 > Try to install the resulting package:
 > $ pkg_add -v signed/digest-20121220.tgz
 > gpg: Signature made Sun Sep  8 03:32:11 2013 UTC using RSA key ID 6F3AF5E2
 > gpg: Good signature from "EdgeBSD packages <root%edgebsd.org@localhost>"
 > pkg_add: 1 package addition failed
 > 
 > >Fix:
 > 
 > X-Git-Url: 
 > http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff_plain;h=1a4a18342a5d49ce9a93ab0689b4aa04dfc40847
 > 
 > Fixed installation of signed packages (uninitialized variables)
 > ---
 > 
 > diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c 
 > b/pkgtools/pkg_install/files/lib/pkg_signature.c
 > index 089234e..5e837be 100644
 > --- a/pkgtools/pkg_install/files/lib/pkg_signature.c
 > +++ b/pkgtools/pkg_install/files/lib/pkg_signature.c
 > @@ -326,6 +326,9 @@ pkg_verify_signature(const char *archive_name, struct 
 > archive **archive,
 >      *pkgname = NULL;
 >  
 >      state = xmalloc(sizeof(*state));
 > +    state->sign_block_len = 0;
 > +    state->sign_block_number = 0;
 > +    state->sign_cur_block = 0;
 >      state->sign_blocks = NULL;
 >      state->sign_buf = NULL;
 >      state->archive = NULL;
 
 I'd be mode inclined to initialise with:
 
        state = xcalloc(1, sizeof(*state));
 
 and avoid all the explicit initialisations. Scales better.
  
 Regards,
 Al

Follow-Ups:
- Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
  - From: Pierre Pronchery

Prev by Date: Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
Next by Date: Re: pkg/48194 (Signed packages easily generated and installed)
Previous by Thread: Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
Next by Thread: Re: pkg/48194: Fixing signed packages in pkg_install and pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index