}
}
+=item check_signature_timestamp ( $what , $timestamp )
+
+Report the WHAT signature TIMESTAMP to the log and raise an exception if
+TIMESTAMP is in the future. A "fuzz factor" avoids timezone issues.
+
+=cut
+
+sub check_signature_timestamp {
+ my $what = ucfirst shift;
+ my $timestamp = shift;
+
+ ftp_syslog('debug', "DEBUG: $what signature made "
+ .strftime('%a %b %d %H:%M:%S %Y %Z',
+ localtime $timestamp)) if DEBUG;
+
+ # Verify that this timestamp is not too far in the future. We allow a
+ # discrepancy of 1 day so we don't have to worry about timezones
+ if ($timestamp > (time() + 24*3600)) {
+ throw signature_from_future => timestamp => $timestamp
+ }
+}
+
=item check_replay ( $oplist, $timestamp )
Check that OPLIST has not been seen before. This is accomplished by
# If a file is to be installed, ensure that this directive is newer than
# any previous directive installing a file under the same full name.
if (grep $_->[0] eq 'install', @$ops) {
-
- ftp_syslog('debug', "DEBUG: Signature made "
- .strftime('%a %b %d %H:%M:%S %Y %Z',
- localtime $timestamp)) if DEBUG;
-
- # Verify that this timestamp is not too far in the future. We allow a
- # discrepancy of 1 day so we don't have to worry about timezones
- if ($timestamp > (time() + 24*3600)) {
- throw signature_from_future => timestamp => $timestamp
- }
-
-
foreach my $installed (map $_->[1], grep $_->[0] eq 'install', @$ops) {
my $full_filename = File::Spec::Unix->catfile($op_header->{directory},
$installed);
throw signature_error => sig_info => $dsig_info,
summary => "gpg verification problem: could not extract timestamp"
unless defined $dsig_info->{sig_creation};
-
- check_replay($oplist, $dsig_info->{sig_creation});
+ check_signature_timestamp(directive => $dsig_info->{sig_creation});
if (find_directive_elements($directive, 'filename')) {
# There is a file associated with this upload; verify its signature now.
File::Spec->catfile($Scratch_dir, $op_header->{filename}.'.sig'),
@keyrings);
- throw signature_error => sig_info => undef,
+ throw signature_error => sig_info => $fsig_info,
summary => "gpg verify of upload file ($op_header->{filename}) failed"
if $fsig_info->{exitcode} != 0 || defined $fsig_info->{TILT};
+ throw signature_error => sig_info => $fsig_info,
+ summary => "gpg verification problem: could not extract timestamp"
+ unless defined $fsig_info->{sig_creation};
+ check_signature_timestamp(file => $fsig_info->{sig_creation});
}
+ check_replay($oplist, $dsig_info->{sig_creation});
+
$Phase = 'VL';
# If the upload carries a file, check it for known Automake CVE issues.
projects / gatekeeper.git / commitdiff