From: Jacob Bachmeyer <jcb@gnu.org>
Date: Sat, 16 Sep 2023 00:38:24 +0000 (-0500)
Subject: Add additional file signature check to ensure proper staging
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;ds=inline;p=gatekeeper.git

Add additional file signature check to ensure proper staging

There is a (very remote) possibility of the uploaded file being corrupted
while transferring it from the scratch directory to the staging directory,
since this transfer can actually copy data instead of being a simple
rename(2) call.  This commit adds a safeguard against this risk by
rechecking the detached signature after the file pair is moved.

The testsuite is updated accordingly.
---

diff --git a/gatekeeper.pl b/gatekeeper.pl
index 3b1f991..09f5733 100755
--- a/gatekeeper.pl
+++ b/gatekeeper.pl
@@ -2435,6 +2435,19 @@ order.
       (CONF_DIR_Scratch, $self->upload_filename, CONF_DIR_Staging);
     # Staging the file now should avoid the (remote) possibility of
     # encountering ENOSPC during installation.
+
+    # Recheck the detached signature to be certain that the file was
+    # transferred successfully.
+    my $fsig_info = verify_detached_signature
+      (map(File::Spec->catfile(CONF_DIR_Staging, $_),
+	   $self->target_filepair),
+       $self->auth_keyrings);
+
+    die 'GPG signature found to be invalid after staging file'
+      unless $fsig_info->{exitcode} == 0 && !defined $fsig_info->{TILT};
+    # This is a simple error instead of a structured exception because it
+    # indicates a problem with the server.
+
   }
 
   sub install {
diff --git a/testsuite/lib/tool/gatekeeper.exp b/testsuite/lib/tool/gatekeeper.exp
index 1a57962..d72ccc9 100644
--- a/testsuite/lib/tool/gatekeeper.exp
+++ b/testsuite/lib/tool/gatekeeper.exp
@@ -638,18 +638,18 @@ proc analyze_log { base_dir name assess } {
 		     exp_continue
 		 }
 
-	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|RP)\]\
+	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|EX|RP)\]\
 		 DEBUG: [^ ]+ size is [[:digit:]]+} {
 		     # from verify_keyring, upon entry
 		     # also from check_files, twice, upon entry
 		     exp_continue
 		 }
-	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|RP)\]\
+	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|EX|RP)\]\
 		 DEBUG: gpgv command line: [^\r\n]+} {
 		     # from verify_keyring, tracing gpgv call
 		     exp_continue
 		 }
-	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|RP)\]\
+	-re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|EX|RP)\]\
 		 gpgv exited ([[:digit:]]+)} {
 		     # from verify_keyring, when closing pipe from gpgv
 		     set A(gpgv,exitcode,$expect_out(1,string)) 1