From 27f267b6ca69817e03a82cfe316a4f7470b6465c Mon Sep 17 00:00:00 2001 From: Jacob Bachmeyer Date: Fri, 11 Nov 2022 22:03:44 -0600 Subject: [PATCH] Factor uploaded file signature check up to top-level --- gatekeeper.pl | 48 +++++++++++++++++------------------- testsuite/lib/gatekeeper.exp | 2 +- 2 files changed, 23 insertions(+), 27 deletions(-) diff --git a/gatekeeper.pl b/gatekeeper.pl index b2efe10..680a8e3 100755 --- a/gatekeeper.pl +++ b/gatekeeper.pl @@ -2399,30 +2399,11 @@ An exception is thrown if any of the checks fail. =cut # TODO: this is currently invoked during EX phase; should be moved to VL -# phase and signature check factored out to AA phase sub check_files { my $directory = shift; my $header = shift; my $upload_file = File::Spec->catfile($directory, $header->{filename}); - my $upload_file_size = -s $upload_file; - my $sig_file = File::Spec->catfile($directory, $header->{filename}.'.sig'); - my $sig_file_size = -s $sig_file; - - ftp_syslog('debug', "DEBUG: " - ."$sig_file size is $sig_file_size") if DEBUG; - ftp_syslog('debug', "DEBUG: " - ."$upload_file size is $upload_file_size") if DEBUG; - - my @keyrings = directory_keyrings($header->{directory}); - throw package_configuration => package_name => $header->{package}, - summary => "no keyring for package $header->{package}" - unless @keyrings; - - my $sig_info = verify_detached_signature($upload_file, $sig_file, @keyrings); - throw signature_error => sig_info => undef, - summary => "gpg verify of upload file ($header->{filename}) failed" - if $sig_info->{exitcode} != 0 || defined $sig_info->{TILT}; check_vulnerabilities($upload_file); 
@@ -2754,7 +2735,9 @@ foreach my $packet (@packets) { # each list element is an array reference ftp_syslog('info',"found directive: $packet->[0]"); # variables preserved for the report if an exception is thrown - my $directive_text; my $directive; my $oplist; my $op_header; my $sig_info; + my $directive_text; my $directive; my $oplist; my $op_header; + my $dsig_info; # directive signature information + my $fsig_info; # file signature information my @email_addresses; # addresses to receive copies of report my $complete = 0; # direct flag to indicate successful processing 
@@ -2810,16 +2793,29 @@ foreach my $packet (@packets) { # each list element is an array reference summary => "no keyring for package $package" } - $sig_info = verify_clearsigned_message($directive_text, @keyrings); + $dsig_info = verify_clearsigned_message($directive_text, @keyrings); - throw signature_error => sig_info => $sig_info, + throw signature_error => dsig_info => $dsig_info, summary => "gpg verify of directive file failed" - if $sig_info->{exitcode} != 0 || defined $sig_info->{TILT}; - throw signature_error => sig_info => $sig_info, + if $dsig_info->{exitcode} != 0 || defined $dsig_info->{TILT}; + throw signature_error => dsig_info => $dsig_info, summary => "gpg verification problem: could not extract timestamp" - unless defined $sig_info->{sig_creation}; + unless defined $dsig_info->{sig_creation}; - check_replay($oplist, $sig_info->{sig_creation}); + check_replay($oplist, $dsig_info->{sig_creation}); + + if (find_directive_elements($directive, 'filename')) { + # There is a file associated with this upload; verify its signature now. + + $fsig_info = verify_detached_signature + (File::Spec->catfile($Scratch_dir, $op_header->{filename}), + File::Spec->catfile($Scratch_dir, $op_header->{filename}.'.sig'), + @keyrings); + + throw signature_error => sig_info => undef, + summary => "gpg verify of upload file ($op_header->{filename}) failed" + if $fsig_info->{exitcode} != 0 || defined $fsig_info->{TILT}; + } $Phase = 'EX'; # do the work diff --git a/testsuite/lib/gatekeeper.exp b/testsuite/lib/gatekeeper.exp index 6c28f74..1da3f26 100644 --- a/testsuite/lib/gatekeeper.exp +++ b/testsuite/lib/gatekeeper.exp @@ -803,7 +803,7 @@ proc analyze_log { base_dir name assess } { exp_continue } - -re {^gatekeeper\[[0-9]+\]: \(Test\) \[EX\]\ + -re {^gatekeeper\[[0-9]+\]: \(Test\) \[(?:AA|EX)\]\ gpg verify of upload file [(]([^)]+)\) failed} { # from check_files, when no keys match set A(gpgv,upload-verify-failed) 1 -- 2.25.1
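Review bot: The `signature_error` exception is now raised with two different field names in this hunk: the two directive-signature throws pass `dsig_info => $dsig_info`, while the new upload-file throw still passes `sig_info => undef`. The exception definition and the report handler are outside the hunk; if they still read `sig_info`, the directive's signature details would silently drop out of the report, so either keep `sig_info => $dsig_info` or confirm the handler was renamed to match. The file-signature throw also discards `$fsig_info`, leaving the failure report without gpg's status for the rejected upload; if that is deliberate, a comment such as `# file signature details intentionally withheld from the report` would say so. The guard tests `find_directive_elements($directive, 'filename')` but the paths are built from `$op_header->{filename}`, which assumes the two always agree; testing `defined $op_header->{filename}` as well would keep an undefined name from reaching `catfile`.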
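Review bot: The comment `# from check_files, when no keys match` under the changed pattern is stale, because this commit removes the signature check from check_files and the message now appears to come from the top-level packet loop before `$Phase = 'EX'`; something like `# from the top-level file signature check (AA phase), when no keys match` would fit. The pattern also keeps accepting `[EX]`, so the test suite would not notice the upload signature check slipping back to after execution has begun. If no remaining path emits this message in EX, narrowing the alternation to `\[AA\]` pins the new ordering. The analyze_log procedure continues outside the hunk.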