=cut
# TODO: this is currently invoked during EX phase; should be moved to VL
-# phase and signature check factored out to AA phase
sub check_files {
my $directory = shift;
my $header = shift;
my $upload_file = File::Spec->catfile($directory, $header->{filename});
- my $upload_file_size = -s $upload_file;
- my $sig_file = File::Spec->catfile($directory, $header->{filename}.'.sig');
- my $sig_file_size = -s $sig_file;
-
- ftp_syslog('debug', "DEBUG: "
- ."$sig_file size is $sig_file_size") if DEBUG;
- ftp_syslog('debug', "DEBUG: "
- ."$upload_file size is $upload_file_size") if DEBUG;
-
- my @keyrings = directory_keyrings($header->{directory});
- throw package_configuration => package_name => $header->{package},
- summary => "no keyring for package $header->{package}"
- unless @keyrings;
-
- my $sig_info = verify_detached_signature($upload_file, $sig_file, @keyrings);
- throw signature_error => sig_info => undef,
- summary => "gpg verify of upload file ($header->{filename}) failed"
- if $sig_info->{exitcode} != 0 || defined $sig_info->{TILT};
check_vulnerabilities($upload_file);
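Review bot: The TODO above `sub check_files` is left ending mid-sentence, because the removed continuation line carried the word "phase" along with the now-obsolete remark about the signature check. It should read `# TODO: this is currently invoked during EX phase; should be moved to VL phase`. Since the sub no longer verifies anything itself, it would also help to state the new precondition above the remaining call, for example `# Precondition: the detached signature on $upload_file was verified before the EX phase.`, so nobody later calls `check_vulnerabilities` on an unauthenticated file. The POD that ends at `=cut` is outside the hunk and probably still describes the signature check; the closing brace of the sub is also outside the hunk.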
ftp_syslog('info',"found directive: $packet->[0]");
# variables preserved for the report if an exception is thrown
- my $directive_text; my $directive; my $oplist; my $op_header; my $sig_info;
+ my $directive_text; my $directive; my $oplist; my $op_header;
+ my $dsig_info; # directive signature information
+ my $fsig_info; # file signature information
my @email_addresses; # addresses to receive copies of report
my $complete = 0; # direct flag to indicate successful processing
summary => "no keyring for package $package"
}
- $sig_info = verify_clearsigned_message($directive_text, @keyrings);
+ $dsig_info = verify_clearsigned_message($directive_text, @keyrings);
- throw signature_error => sig_info => $sig_info,
+ throw signature_error => dsig_info => $dsig_info,
summary => "gpg verify of directive file failed"
- if $sig_info->{exitcode} != 0 || defined $sig_info->{TILT};
- throw signature_error => sig_info => $sig_info,
+ if $dsig_info->{exitcode} != 0 || defined $dsig_info->{TILT};
+ throw signature_error => dsig_info => $dsig_info,
summary => "gpg verification problem: could not extract timestamp"
- unless defined $sig_info->{sig_creation};
+ unless defined $dsig_info->{sig_creation};
- check_replay($oplist, $sig_info->{sig_creation});
+ check_replay($oplist, $dsig_info->{sig_creation});
+
+ if (find_directive_elements($directive, 'filename')) {
+ # There is a file associated with this upload; verify its signature now.
+
+ $fsig_info = verify_detached_signature
+ (File::Spec->catfile($Scratch_dir, $op_header->{filename}),
+ File::Spec->catfile($Scratch_dir, $op_header->{filename}.'.sig'),
+ @keyrings);
+
+ throw signature_error => sig_info => undef,
+ summary => "gpg verify of upload file ($op_header->{filename}) failed"
+ if $fsig_info->{exitcode} != 0 || defined $fsig_info->{TILT};
+ }
$Phase = 'EX';
# do the work
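Review bot: The new file-signature failure path, `throw signature_error => sig_info => undef`, discards `$fsig_info`, so the report for a rejected upload carries no gpg result even though that variable was declared to be preserved for the report. The directive failures in the same hunk pass `dsig_info => $dsig_info`; if the signature_error exception accepts such a field (its definition is outside the hunk), pass the result here too, e.g. `throw signature_error => fsig_info => $fsig_info,`. Separately, verification is gated on `find_directive_elements($directive, 'filename')` while the paths are built from `$op_header->{filename}`. A one-line comment stating that the two always agree, or gating on `$op_header->{filename}` itself, would make it evident that no upload can reach `$Phase = 'EX'` unverified. The enclosing sub starts and ends outside the hunk.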