From 0108e9ea4977ac730b5064b8198fe0ffd74df767 Mon Sep 17 00:00:00 2001 From: Denis Pynkin Date: Tue, 21 May 2019 01:35:25 +0300 Subject: gpg: conditionally build GPG-related code for sign/verification Do not build the code related to GPG sign and verification if GPGME support is disabled. Public functions return error 'G_IO_ERROR_NOT_SUPPORTED' in case if gpg-related check is rquested. Signed-off-by: Denis Pynkin Closes: #1889 Approved by: cgwalters --- src/libostree/ostree-core-private.h | 2 + src/libostree/ostree-core.c | 2 + src/libostree/ostree-repo-private.h | 2 + src/libostree/ostree-repo-pull.c | 55 +++++++++++++++++-- src/libostree/ostree-repo.c | 97 +++++++++++++++++++++++++++++++++- src/libostree/ostree-repo.h | 68 ++++++++++++------------ src/libotutil/otutil.h | 5 +- src/ostree/main.c | 2 + src/ostree/ot-admin-builtin-status.c | 4 ++ src/ostree/ot-builtin-commit.c | 6 +++ src/ostree/ot-builtin-pull.c | 4 ++ src/ostree/ot-builtin-remote.c | 2 + src/ostree/ot-builtin-show.c | 2 + src/ostree/ot-builtin-summary.c | 2 + src/ostree/ot-builtins.h | 2 + src/ostree/ot-main.c | 2 + src/ostree/ot-remote-builtin-add.c | 4 ++ src/ostree/ot-remote-builtin-summary.c | 4 ++ 18 files changed, 225 insertions(+), 40 deletions(-) diff --git a/src/libostree/ostree-core-private.h b/src/libostree/ostree-core-private.h index dd2cbc7e..43cf22c4 100644 --- a/src/libostree/ostree-core-private.h +++ b/src/libostree/ostree-core-private.h @@ -190,9 +190,11 @@ _ostree_repo_mode_is_bare (OstreeRepoMode mode) mode == OSTREE_REPO_MODE_BARE_USER_ONLY; } +#ifndef OSTREE_DISABLE_GPGME GVariant * _ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata, GBytes *signature_bytes); +#endif GFile * _ostree_get_default_sysroot_path (void); diff --git a/src/libostree/ostree-core.c b/src/libostree/ostree-core.c index 36539698..3d16757e 100644 --- a/src/libostree/ostree-core.c +++ b/src/libostree/ostree-core.c 
@@ -2462,6 +2462,7 @@ _ostree_compare_timestamps (const char *current_rev, } +#ifndef OSTREE_DISABLE_GPGME GVariant * _ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata, GBytes *signature_bytes) @@ -2487,6 +2488,7 @@ _ostree_detached_metadata_append_gpg_sig (GVariant *existing_metadata, return g_variant_dict_end (&metadata_dict); } +#endif /* OSTREE_DISABLE_GPGME */ /** * _ostree_get_default_sysroot_path: diff --git a/src/libostree/ostree-repo-private.h b/src/libostree/ostree-repo-private.h index 6bc74c2d..b57ad799 100644 --- a/src/libostree/ostree-repo-private.h +++ b/src/libostree/ostree-repo-private.h @@ -332,6 +332,7 @@ _ostree_repo_commit_modifier_apply (OstreeRepo *self, gboolean _ostree_repo_remote_name_is_file (const char *remote_name); +#ifndef OSTREE_DISABLE_GPGME OstreeGpgVerifyResult * _ostree_repo_gpg_verify_with_metadata (OstreeRepo *self, GBytes *signed_data, @@ -350,6 +351,7 @@ _ostree_repo_verify_commit_internal (OstreeRepo *self, GFile *extra_keyring, GCancellable *cancellable, GError **error); +#endif /* OSTREE_DISABLE_GPGME */ typedef enum { _OSTREE_REPO_IMPORT_FLAGS_NONE, diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c index 04551f2c..7889eeb2 100644 --- a/src/libostree/ostree-repo-pull.c +++ b/src/libostree/ostree-repo-pull.c @@ -104,9 +104,9 @@ typedef struct { gint n_scanned_metadata; gboolean gpg_verify; + gboolean gpg_verify_summary; gboolean require_static_deltas; gboolean disable_static_deltas; - gboolean gpg_verify_summary; gboolean has_tombstone_commits; GBytes *summary_data; @@ -1294,7 +1294,7 @@ meta_fetch_on_complete (GObject *object, if (!_ostree_verify_metadata_object (objtype, checksum, metadata, error)) goto out; - /* For commit objects, check the GPG signature before writing to the repo, + /* For commit objects, check the signature before writing to the repo, * and also write the .commitpartial to say that we're still processing * this commit. */ 
@@ -1433,6 +1433,7 @@ static_deltapart_fetch_on_complete (GObject *object, g_clear_pointer (&fetch_data, fetch_static_delta_data_free); } +#ifndef OSTREE_DISABLE_GPGME static gboolean process_verify_result (OtPullData *pull_data, const char *checksum, @@ -1462,6 +1463,7 @@ process_verify_result (OtPullData *pull_data, return TRUE; } +#endif /* OSTREE_DISABLE_GPGME */ static gboolean gpg_verify_unwritten_commit (OtPullData *pull_data, @@ -1472,6 +1474,7 @@ gpg_verify_unwritten_commit (OtPullData *pull_data, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME if (pull_data->gpg_verify) { const char *keyring_remote = NULL; @@ -1494,6 +1497,7 @@ gpg_verify_unwritten_commit (OtPullData *pull_data, if (!process_verify_result (pull_data, checksum, result, error)) return FALSE; } +#endif /* OSTREE_DISABLE_GPGME */ return TRUE; } @@ -1702,6 +1706,7 @@ ostree_repo_resolve_keyring_for_collection (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME gsize i; g_auto(GStrv) remotes = NULL; g_autoptr(OstreeRemote) keyring_remote = NULL; @@ -1763,6 +1768,12 @@ ostree_repo_resolve_keyring_for_collection (OstreeRepo *self, collection_id); return NULL; } +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return NULL; +#endif /* OSTREE_DISABLE_GPGME */ } #ifdef HAVE_LIBCURL_OR_LIBSOUP @@ -1792,6 +1803,7 @@ scan_commit_object (OtPullData *pull_data, GINT_TO_POINTER (depth)); } +#ifndef OSTREE_DISABLE_GPGME /* See comment in process_verify_result() - we now gpg check before writing, * but also ensure we've done it here if not already. */ @@ -1814,6 +1826,7 @@ scan_commit_object (OtPullData *pull_data, if (!process_verify_result (pull_data, checksum, result, error)) return FALSE; } +#endif /* OSTREE_DISABLE_GPGME */ /* If we found a legacy transaction flag, assume we have to scan. * We always do a scan of dirtree objects; see 
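Review bot: With OSTREE_DISABLE_GPGME defined, `gpg_verify_unwritten_commit()` reduces to an unconditional `return TRUE`, and the matching check in `scan_commit_object()` (hunks at -1792 and -1814) is compiled out as well, so neither function enforces that `pull_data->gpg_verify` is false. Whether that flag can still be set in such a build depends on code outside these hunks. An `#else` branch that fails closed would keep the invariant local: `if (pull_data->gpg_verify) { g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "'%s': GPG feature is disabled in a build time", __FUNCTION__); return FALSE; }`. Both function bodies extend outside the hunks.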
@@ -2742,6 +2755,7 @@ on_superblock_fetched (GObject *src, ot_checksum_update_bytes (&hasher, delta_superblock_data); ot_checksum_get_digest (&hasher, actual_summary_digest, sizeof (actual_summary_digest)); +#ifndef OSTREE_DISABLE_GPGME /* At this point we've GPG verified the data, so in theory * could trust that they provided the right data, but let's * make this a hard error. @@ -2752,6 +2766,7 @@ on_superblock_fetched (GObject *src, "GPG verification enabled, but no summary signatures found (use gpg-verify-summary=false in remote config to disable)"); goto out; } +#endif /* OSTREE_DISABLE_GPGME */ if (expected_summary_digest && memcmp (expected_summary_digest, actual_summary_digest, sizeof (actual_summary_digest))) { @@ -3618,6 +3633,17 @@ ostree_repo_pull_with_options (OstreeRepo *self, pull_data->remote_name = g_strdup (pull_data->remote_refspec_name); } +#ifdef OSTREE_DISABLE_GPGME + /* Explicitly fail here if gpg verification is requested and we have no GPG support */ + if (opt_gpg_verify_set || opt_gpg_verify_summary_set) + { + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + goto out; + } +#endif + g_return_val_if_fail (OSTREE_IS_REPO (self), FALSE); g_return_val_if_fail (pull_data->maxdepth >= -1, FALSE); g_return_val_if_fail (!pull_data->timestamp_check || pull_data->maxdepth == 0, FALSE); @@ -3745,6 +3771,7 @@ ostree_repo_pull_with_options (OstreeRepo *self, g_free (pull_data->remote_name); pull_data->remote_name = g_strdup (remote_name_or_baseurl); +#ifndef OSTREE_DISABLE_GPGME /* Fetch GPG verification settings from remote if it wasn't already * explicitly set in the options. */ if (!opt_gpg_verify_set) 
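Review bot: The new `#ifdef OSTREE_DISABLE_GPGME` guard in `ostree_repo_pull_with_options()` (hunk at -3618) tests `opt_gpg_verify_set || opt_gpg_verify_summary_set`, which by their names record that an option was passed rather than its value, so a caller that explicitly passes `gpg-verify` FALSE would also get G_IO_ERROR_NOT_SUPPORTED. `ostree_repo_pull_from_remotes_async()` later in this patch always inserts both keys, so in a GPGME-less build that path would presumably fail on every call; the assignment of the two flags is outside the hunk, so this needs confirming. Testing the requested values instead, `if (pull_data->gpg_verify || pull_data->gpg_verify_summary)`, rejects only requests that cannot be honoured.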
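Review bot: Compiling out the read of `gpg-verify` and `gpg-verify-summary` from the remote's configuration (hunk at -3745) means a GPGME-less build never sees that a remote asks for verification, and the pull appears to proceed with whatever `pull_data->gpg_verify` held before (its initialisation is outside the hunk). A remote configured with `gpg-verify=true` is then pulled unverified, with only the `security: disabled` text appended to the message in the hunk at -4614 as a trace. The same pattern is in `ostree_repo_remote_fetch_summary_with_options()` (hunk at -6193), where the summary is handed back after a `g_message()` alone. Reading the two options in an `#else` branch and returning G_IO_ERROR_NOT_SUPPORTED when either is true makes the build fail closed; since `gpg-verify` defaults to TRUE, remotes would then need an explicit `gpg-verify=false`. The `#endif` for this region is added in the following hunk.

```c
/* … unchanged: #ifndef branch reading gpg-verify / gpg-verify-summary via the remote getters … */
#else
      /* Fail closed: this build cannot honour a remote that asks for verification.
       * NOTE(review): ostree_repo_remote_get_gpg_verify() appears to return early for
       * some remote names before this lookup; confirm that case cannot reach here. */
      gboolean remote_gpg_verify = FALSE;
      gboolean remote_gpg_verify_summary = FALSE;
      if (!ostree_repo_get_remote_boolean_option (self, pull_data->remote_name, "gpg-verify",
                                                  TRUE, &remote_gpg_verify, error))
        goto out;
      if (!ostree_repo_get_remote_boolean_option (self, pull_data->remote_name, "gpg-verify-summary",
                                                  FALSE, &remote_gpg_verify_summary, error))
        goto out;
      if (remote_gpg_verify || remote_gpg_verify_summary)
        {
          g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
                       "'%s': GPG feature is disabled in a build time", __FUNCTION__);
          goto out;
        }
```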
@@ -3756,6 +3783,7 @@ ostree_repo_pull_with_options (OstreeRepo *self, if (!ostree_repo_remote_get_gpg_verify_summary (self, pull_data->remote_name, &pull_data->gpg_verify_summary, error)) goto out; +#endif /* OSTREE_DISABLE_GPGME */ /* NOTE: If changing this, see the matching implementation in * ostree-sysroot-upgrader.c @@ -4060,12 +4088,14 @@ ostree_repo_pull_with_options (OstreeRepo *self, goto out; } +#ifndef OSTREE_DISABLE_GPGME if (!bytes_summary && pull_data->gpg_verify_summary) { g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND, "GPG verification enabled, but no summary found (use gpg-verify-summary=false in remote config to disable)"); goto out; } +#endif /* OSTREE_DISABLE_GPGME */ if (!bytes_summary && pull_data->require_static_deltas) { @@ -4074,6 +4104,7 @@ ostree_repo_pull_with_options (OstreeRepo *self, goto out; } +#ifndef OSTREE_DISABLE_GPGME if (!bytes_sig && pull_data->gpg_verify_summary) { g_set_error (error, OSTREE_GPG_ERROR, OSTREE_GPG_ERROR_NO_SIGNATURE, @@ -4132,6 +4163,7 @@ ostree_repo_pull_with_options (OstreeRepo *self, } } } +#endif /* OSTREE_DISABLE_GPGME */ if (bytes_summary) { @@ -4614,6 +4646,7 @@ ostree_repo_pull_with_options (OstreeRepo *self, pull_data->remote_name, g_hash_table_size (requested_refs_to_fetch)); const char *gpg_verify_state; +#ifndef OSTREE_DISABLE_GPGME if (pull_data->gpg_verify_summary) { if (pull_data->gpg_verify) @@ -4624,6 +4657,11 @@ ostree_repo_pull_with_options (OstreeRepo *self, else gpg_verify_state = (pull_data->gpg_verify ? "commit" : "disabled"); g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state); +#else + gpg_verify_state = "disabled"; + g_string_append_printf (msg, "\nsecurity: %s ", gpg_verify_state); +#endif /* OSTREE_DISABLE_GPGME */ + OstreeFetcherURI *first_uri = pull_data->meta_mirrorlist->pdata[0]; g_autofree char *first_scheme = _ostree_fetcher_uri_get_scheme (first_uri); if (g_str_has_prefix (first_scheme, "http")) 
@@ -5970,7 +6008,11 @@ ostree_repo_pull_from_remotes_async (OstreeRepo *self, g_variant_dict_insert (&local_options_dict, "flags", "i", OSTREE_REPO_PULL_FLAGS_UNTRUSTED | flags); g_variant_dict_insert_value (&local_options_dict, "collection-refs", g_variant_builder_end (&refs_to_pull_builder)); +#ifndef OSTREE_DISABLE_GPGME g_variant_dict_insert (&local_options_dict, "gpg-verify", "b", TRUE); +#else + g_variant_dict_insert (&local_options_dict, "gpg-verify", "b", FALSE); +#endif /* OSTREE_DISABLE_GPGME */ g_variant_dict_insert (&local_options_dict, "gpg-verify-summary", "b", FALSE); g_variant_dict_insert (&local_options_dict, "inherit-transaction", "b", TRUE); if (result->remote->refspec_name != NULL) @@ -6118,8 +6160,10 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self, g_autofree char *metalink_url_string = NULL; g_autoptr(GBytes) summary = NULL; g_autoptr(GBytes) signatures = NULL; - gboolean ret = FALSE; +#ifndef OSTREE_DISABLE_GPGME gboolean gpg_verify_summary; +#endif + gboolean ret = FALSE; gboolean summary_is_from_cache; g_return_val_if_fail (OSTREE_REPO (self), FALSE); @@ -6140,6 +6184,7 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self, error)) goto out; +#ifndef OSTREE_DISABLE_GPGME if (!ostree_repo_remote_get_gpg_verify_summary (self, name, &gpg_verify_summary, error)) goto out; @@ -6193,6 +6238,10 @@ ostree_repo_remote_fetch_summary_with_options (OstreeRepo *self, } } +#else + g_message ("%s: GPG feature is disabled in a build time", __FUNCTION__); +#endif /* OSTREE_DISABLE_GPGME */ + if (out_summary != NULL) *out_summary = g_steal_pointer (&summary); diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c index 804ff6c6..eb652bef 100644 --- a/src/libostree/ostree-repo.c +++ b/src/libostree/ostree-repo.c 
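Review bot: In a GPGME-less build `ostree_repo_pull_from_remotes_async()` now passes `gpg-verify` FALSE together with `OSTREE_REPO_PULL_FLAGS_UNTRUSTED` and `gpg-verify-summary` FALSE (hunk at -5970), so content from discovered remotes is pulled with no signature check on either the commit or the summary. The enabled build hard-codes TRUE here, which suggests commit signatures are the only authenticity check on this path. Dropping the `#else` and keeping `g_variant_dict_insert (&local_options_dict, "gpg-verify", "b", TRUE);` unconditional lets the up-front check added to `ostree_repo_pull_with_options()` reject the pull with G_IO_ERROR_NOT_SUPPORTED instead of downgrading silently. The function body and its error reporting are outside the hunk.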
@@ -139,9 +139,11 @@ G_STATIC_ASSERT(sizeof(OstreeRepoPruneOptions) == typedef struct { GObjectClass parent_class; +#ifndef OSTREE_DISABLE_GPGME void (*gpg_verify_result) (OstreeRepo *self, const char *checksum, OstreeGpgVerifyResult *result); +#endif } OstreeRepoClass; enum { @@ -157,7 +159,9 @@ enum { LAST_SIGNAL }; +#ifndef OSTREE_DISABLE_GPGME static guint signals[LAST_SIGNAL] = { 0 }; +#endif G_DEFINE_TYPE (OstreeRepo, ostree_repo, G_TYPE_OBJECT) @@ -1167,6 +1171,7 @@ ostree_repo_class_init (OstreeRepoClass *klass) NULL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)); +#ifndef OSTREE_DISABLE_GPGME /** * OstreeRepo::gpg-verify-result: * @self: an #OstreeRepo @@ -1189,23 +1194,27 @@ ostree_repo_class_init (OstreeRepoClass *klass) G_TYPE_NONE, 2, G_TYPE_STRING, OSTREE_TYPE_GPG_VERIFY_RESULT); +#endif /* OSTREE_DISABLE_GPGME */ } static void ostree_repo_init (OstreeRepo *self) { - static gsize gpgme_initialized; const GDebugKey test_error_keys[] = { { "pre-commit", OSTREE_REPO_TEST_ERROR_PRE_COMMIT }, { "invalid-cache", OSTREE_REPO_TEST_ERROR_INVALID_CACHE }, }; +#ifndef OSTREE_DISABLE_GPGME + static gsize gpgme_initialized; + if (g_once_init_enter (&gpgme_initialized)) { gpgme_check_version (NULL); gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL)); g_once_init_leave (&gpgme_initialized, 1); } +#endif self->test_error_flags = g_parse_debug_string (g_getenv ("OSTREE_REPO_TEST_ERROR"), test_error_keys, G_N_ELEMENTS (test_error_keys)); 
@@ -2017,8 +2026,17 @@ ostree_repo_remote_get_gpg_verify (OstreeRepo *self, return TRUE; } - return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify", +#ifndef OSTREE_DISABLE_GPGME + return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify", TRUE, out_gpg_verify, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + if (out_gpg_verify != NULL) + *out_gpg_verify = FALSE; + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -2040,8 +2058,17 @@ ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self, gboolean *out_gpg_verify_summary, GError **error) { +#ifndef OSTREE_DISABLE_GPGME return ostree_repo_get_remote_boolean_option (self, name, "gpg-verify-summary", FALSE, out_gpg_verify_summary, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + if (out_gpg_verify_summary != NULL) + *out_gpg_verify_summary = FALSE; + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -2074,6 +2101,7 @@ ostree_repo_remote_gpg_import (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME OstreeRemote *remote; g_auto(gpgme_ctx_t) source_context = NULL; g_auto(gpgme_ctx_t) target_context = NULL; @@ -2313,6 +2341,12 @@ out: g_prefix_error (error, "GPG: "); return ret; +#else /* OSTREE_DISABLE_GPGME */ + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -4904,6 +4938,7 @@ ostree_repo_append_gpg_signature (OstreeRepo *self, error)) return FALSE; +#ifndef OSTREE_DISABLE_GPGME g_autoptr(GVariant) new_metadata = _ostree_detached_metadata_append_gpg_sig (metadata, signature_bytes); 
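Review bot: The gtk-doc blocks of the public functions changed here are not touched as far as these hunks show, so the API reference does not say that `ostree_repo_remote_get_gpg_verify()`, `ostree_repo_remote_get_gpg_verify_summary()` and `ostree_repo_remote_gpg_import()` now fail with G_IO_ERROR_NOT_SUPPORTED when libostree is built without GPGME; the same holds for the sign and verify functions in the later hunks of this file. For the two getters this is a behaviour change callers will notice, because a configuration query that used to succeed now returns FALSE with the out parameter forced to FALSE. A line such as `* Returns: %TRUE on success, %FALSE with %G_IO_ERROR_NOT_SUPPORTED if GPG support is compiled out` in each block would document it.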
@@ -4915,8 +4950,15 @@ ostree_repo_append_gpg_signature (OstreeRepo *self, return FALSE; return TRUE; +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } +#ifndef OSTREE_DISABLE_GPGME static gboolean sign_data (OstreeRepo *self, GBytes *input_data, @@ -4977,6 +5019,7 @@ sign_data (OstreeRepo *self, *out_signature = g_mapped_file_get_bytes (signature_file); return TRUE; } +#endif /* OSTREE_DISABLE_GPGME */ /** * ostree_repo_sign_commit: @@ -4997,6 +5040,7 @@ ostree_repo_sign_commit (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME g_autoptr(GBytes) commit_data = NULL; g_autoptr(GBytes) signature = NULL; @@ -5060,6 +5104,10 @@ ostree_repo_sign_commit (OstreeRepo *self, return FALSE; return TRUE; +#else + /* FIXME: Return false until refactoring */ + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -5106,6 +5154,7 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME glnx_autofd int fd = -1; if (!glnx_openat_rdonly (self->repo_dir_fd, "summary", TRUE, &fd, error)) return FALSE; @@ -5148,8 +5197,15 @@ ostree_repo_add_gpg_signature_summary (OstreeRepo *self, return FALSE; return TRUE; +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } +#ifndef OSTREE_DISABLE_GPGME /* Special remote for _ostree_repo_gpg_verify_with_metadata() */ static const char *OSTREE_ALL_REMOTES = "__OSTREE_ALL_REMOTES__"; @@ -5383,6 +5439,7 @@ _ostree_repo_verify_commit_internal (OstreeRepo *self, keyringdir, extra_keyring, cancellable, error); } +#endif /* OSTREE_DISABLE_GPGME */ /** * ostree_repo_verify_commit: 
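Review bot: The `#else` branch of `ostree_repo_sign_commit()` (hunk at -5060) returns FALSE without setting `error`, unlike every other disabled-GPG branch in this file; a caller that follows the GError convention and reads `error->message` after a FALSE return may dereference NULL. Set the error before returning, as the neighbouring functions do: `g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "'%s': GPG feature is disabled in a build time", __FUNCTION__);`. The function body starts outside the hunk.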
@@ -5406,6 +5463,7 @@ ostree_repo_verify_commit (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME g_autoptr(OstreeGpgVerifyResult) result = NULL; result = ostree_repo_verify_commit_ext (self, commit_checksum, @@ -5415,6 +5473,13 @@ ostree_repo_verify_commit (OstreeRepo *self, if (!ostree_gpg_verify_result_require_valid_signature (result, error)) return glnx_prefix_error (error, "Commit %s", commit_checksum); return TRUE; +#else + /* FIXME: Return false until refactoring */ + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return FALSE; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -5439,6 +5504,7 @@ ostree_repo_verify_commit_ext (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME return _ostree_repo_verify_commit_internal (self, commit_checksum, NULL, @@ -5446,6 +5512,12 @@ ostree_repo_verify_commit_ext (OstreeRepo *self, extra_keyring, cancellable, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return NULL; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -5471,6 +5543,7 @@ ostree_repo_verify_commit_for_remote (OstreeRepo *self, GCancellable *cancellable, GError **error) { +#ifndef OSTREE_DISABLE_GPGME return _ostree_repo_verify_commit_internal (self, commit_checksum, remote_name, @@ -5478,6 +5551,12 @@ ostree_repo_verify_commit_for_remote (OstreeRepo *self, NULL, cancellable, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return NULL; +#endif /* OSTREE_DISABLE_GPGME */ } /** 
@@ -5515,6 +5594,7 @@ ostree_repo_gpg_verify_data (OstreeRepo *self, g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (signatures != NULL, NULL); +#ifndef OSTREE_DISABLE_GPGME return _ostree_repo_gpg_verify_data_internal (self, (remote_name != NULL) ? remote_name : OSTREE_ALL_REMOTES, data, @@ -5523,6 +5603,12 @@ ostree_repo_gpg_verify_data (OstreeRepo *self, extra_keyring, cancellable, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return NULL; +#endif /* OSTREE_DISABLE_GPGME */ } /** @@ -5557,6 +5643,7 @@ ostree_repo_verify_summary (OstreeRepo *self, signatures_variant = g_variant_new_from_bytes (OSTREE_SUMMARY_SIG_GVARIANT_FORMAT, signatures, FALSE); +#ifndef OSTREE_DISABLE_GPGME return _ostree_repo_gpg_verify_with_metadata (self, summary, signatures_variant, @@ -5564,6 +5651,12 @@ ostree_repo_verify_summary (OstreeRepo *self, NULL, NULL, cancellable, error); +#else + g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, + "'%s': GPG feature is disabled in a build time", + __FUNCTION__); + return NULL; +#endif /* OSTREE_DISABLE_GPGME */ } /* Add an entry for a @ref ↦ @checksum mapping to an `a(s(t@ay@a{sv}))` diff --git a/src/libostree/ostree-repo.h b/src/libostree/ostree-repo.h index b5af2f82..038bbd41 100644 --- a/src/libostree/ostree-repo.h +++ b/src/libostree/ostree-repo.h @@ -199,18 +199,6 @@ gboolean ostree_repo_remote_get_url (OstreeRepo *self, char **out_url, GError **error); -_OSTREE_PUBLIC -gboolean ostree_repo_remote_get_gpg_verify (OstreeRepo *self, - const char *name, - gboolean *out_gpg_verify, - GError **error); - -_OSTREE_PUBLIC -gboolean ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self, - const char *name, - gboolean *out_gpg_verify_summary, - GError **error); - _OSTREE_PUBLIC gboolean ostree_repo_get_remote_option (OstreeRepo *self, const char *remote_name, 
@@ -234,14 +222,6 @@ gboolean ostree_repo_get_remote_boolean_option (OstreeRepo *self, gboolean *out_value, GError **error); -_OSTREE_PUBLIC -gboolean ostree_repo_remote_gpg_import (OstreeRepo *self, - const char *name, - GInputStream *source_stream, - const char * const *key_ids, - guint *out_imported, - GCancellable *cancellable, - GError **error); _OSTREE_PUBLIC gboolean ostree_repo_remote_fetch_summary (OstreeRepo *self, @@ -1337,20 +1317,6 @@ gboolean ostree_repo_sign_delta (OstreeRepo *self, GCancellable *cancellable, GError **error); -_OSTREE_PUBLIC -gboolean -ostree_repo_add_gpg_signature_summary (OstreeRepo *self, - const gchar **key_id, - const gchar *homedir, - GCancellable *cancellable, - GError **error); - -_OSTREE_PUBLIC -gboolean ostree_repo_append_gpg_signature (OstreeRepo *self, - const gchar *commit_checksum, - GBytes *signature_bytes, - GCancellable *cancellable, - GError **error); _OSTREE_PUBLIC gboolean ostree_repo_verify_commit (OstreeRepo *self, 
@@ -1360,6 +1326,40 @@ gboolean ostree_repo_verify_commit (OstreeRepo *self, GCancellable *cancellable, GError **error); +_OSTREE_PUBLIC +gboolean ostree_repo_remote_get_gpg_verify (OstreeRepo *self, + const char *name, + gboolean *out_gpg_verify, + GError **error); + +_OSTREE_PUBLIC +gboolean ostree_repo_remote_get_gpg_verify_summary (OstreeRepo *self, + const char *name, + gboolean *out_gpg_verify_summary, + GError **error); +_OSTREE_PUBLIC +gboolean ostree_repo_remote_gpg_import (OstreeRepo *self, + const char *name, + GInputStream *source_stream, + const char * const *key_ids, + guint *out_imported, + GCancellable *cancellable, + GError **error); + +_OSTREE_PUBLIC +gboolean ostree_repo_add_gpg_signature_summary (OstreeRepo *self, + const gchar **key_id, + const gchar *homedir, + GCancellable *cancellable, + GError **error); + +_OSTREE_PUBLIC +gboolean ostree_repo_append_gpg_signature (OstreeRepo *self, + const gchar *commit_checksum, + GBytes *signature_bytes, + GCancellable *cancellable, + GError **error); + _OSTREE_PUBLIC OstreeGpgVerifyResult * ostree_repo_verify_commit_ext (OstreeRepo *self, const gchar *commit_checksum, diff --git a/src/libotutil/otutil.h b/src/libotutil/otutil.h index 8f1bd4e7..cd312365 100644 --- a/src/libotutil/otutil.h +++ b/src/libotutil/otutil.h @@ -60,6 +60,9 @@ #include #include #include -#include #include #include + +#ifndef OSTREE_DISABLE_GPGME +#include +#endif diff --git a/src/ostree/main.c b/src/ostree/main.c index c5b45012..a523ff9a 100644 --- a/src/ostree/main.c +++ b/src/ostree/main.c @@ -72,9 +72,11 @@ static OstreeCommand commands[] = { { "fsck", OSTREE_BUILTIN_FLAG_NONE, ostree_builtin_fsck, "Check the repository for consistency" }, +#ifndef OSTREE_DISABLE_GPGME { "gpg-sign", OSTREE_BUILTIN_FLAG_NONE, ostree_builtin_gpg_sign, "Sign a commit" }, +#endif /* OSTREE_DISABLE_GPGME */ { "init", OSTREE_BUILTIN_FLAG_NO_CHECK, ostree_builtin_init, "Initialize a new empty repository" }, 
diff --git a/src/ostree/ot-admin-builtin-status.c b/src/ostree/ot-admin-builtin-status.c index e625a927..c6c52382 100644 --- a/src/ostree/ot-admin-builtin-status.c +++ b/src/ostree/ot-admin-builtin-status.c @@ -35,6 +35,7 @@ static GOptionEntry options[] = { { NULL } }; +#ifndef OSTREE_DISABLE_GPGME static gboolean deployment_get_gpg_verify (OstreeDeployment *deployment, OstreeRepo *repo) @@ -61,6 +62,7 @@ deployment_get_gpg_verify (OstreeDeployment *deployment, return gpg_verify; } +#endif /* OSTREE_DISABLE_GPGME */ static gboolean @@ -136,6 +138,7 @@ deployment_print_status (OstreeSysroot *sysroot, g_print (" `- %s\n", source_title); } +#ifndef OSTREE_DISABLE_GPGME if (deployment_get_gpg_verify (deployment, repo)) { g_autoptr(GString) output_buffer = g_string_sized_new (256); @@ -168,6 +171,7 @@ deployment_print_status (OstreeSysroot *sysroot, g_print ("%s", output_buffer->str); } +#endif /* OSTREE_DISABLE_GPGME */ return TRUE; } diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c index 854983db..43eb18b3 100644 --- a/src/ostree/ot-builtin-commit.c +++ b/src/ostree/ot-builtin-commit.c @@ -60,8 +60,10 @@ static char **opt_trees; static gint opt_owner_uid = -1; static gint opt_owner_gid = -1; static gboolean opt_table_output; +#ifndef OSTREE_DISABLE_GPGME static char **opt_key_ids; static char *opt_gpg_homedir; +#endif static gboolean opt_generate_sizes; static gboolean opt_disable_fsync; static char *opt_timestamp; 
@@ -114,8 +116,10 @@ static GOptionEntry options[] = { { "skip-list", 0, 0, G_OPTION_ARG_FILENAME, &opt_skiplist_file, "File containing list of files to skip", "PATH" }, { "consume", 0, 0, G_OPTION_ARG_NONE, &opt_consume, "Consume (delete) content after commit (for local directories)", NULL }, { "table-output", 0, 0, G_OPTION_ARG_NONE, &opt_table_output, "Output more information in a KEY: VALUE format", NULL }, +#ifndef OSTREE_DISABLE_GPGME { "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_key_ids, "GPG Key ID to sign the commit with", "KEY-ID"}, { "gpg-homedir", 0, 0, G_OPTION_ARG_FILENAME, &opt_gpg_homedir, "GPG Homedir to use when looking for keyrings", "HOMEDIR"}, +#endif { "generate-sizes", 0, 0, G_OPTION_ARG_NONE, &opt_generate_sizes, "Generate size information along with commit metadata", NULL }, { "disable-fsync", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_NONE, &opt_disable_fsync, "Do not invoke fsync()", NULL }, { "fsync", 0, 0, G_OPTION_ARG_CALLBACK, parse_fsync_cb, "Specify how to invoke fsync()", "POLICY" }, @@ -813,6 +817,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio goto out; } +#ifndef OSTREE_DISABLE_GPGME if (opt_key_ids) { char **iter; @@ -830,6 +835,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio goto out; } } +#endif if (opt_branch) ostree_repo_transaction_set_ref (repo, NULL, opt_branch, commit_checksum); diff --git a/src/ostree/ot-builtin-pull.c b/src/ostree/ot-builtin-pull.c index c68cbc46..1fae0a38 100644 --- a/src/ostree/ot-builtin-pull.c +++ b/src/ostree/ot-builtin-pull.c @@ -77,6 +77,7 @@ static GOptionEntry options[] = { { NULL } }; +#ifndef OSTREE_DISABLE_GPGME static void gpg_verify_result_cb (OstreeRepo *repo, const char *checksum, @@ -93,6 +94,7 @@ gpg_verify_result_cb (OstreeRepo *repo, glnx_console_lock (console); } +#endif /* OSTREE_DISABLE_GPGME */ static gboolean printed_console_progress; 
@@ -360,9 +362,11 @@ ostree_builtin_pull (int argc, char **argv, OstreeCommandInvocation *invocation, if (console.is_tty) { +#ifndef OSTREE_DISABLE_GPGME signal_handler_id = g_signal_connect (repo, "gpg-verify-result", G_CALLBACK (gpg_verify_result_cb), &console); +#endif /* OSTREE_DISABLE_GPGME */ } options = g_variant_ref_sink (g_variant_builder_end (&builder)); diff --git a/src/ostree/ot-builtin-remote.c b/src/ostree/ot-builtin-remote.c index 0712d5bf..6b3f6a26 100644 --- a/src/ostree/ot-builtin-remote.c +++ b/src/ostree/ot-builtin-remote.c @@ -40,9 +40,11 @@ static OstreeCommand remote_subcommands[] = { { "list", OSTREE_BUILTIN_FLAG_NONE, ot_remote_builtin_list, "List remote repository names" }, +#ifndef OSTREE_DISABLE_GPGME { "gpg-import", OSTREE_BUILTIN_FLAG_NONE, ot_remote_builtin_gpg_import, "Import GPG keys" }, +#endif /* OSTREE_DISABLE_GPGME */ #ifdef HAVE_LIBCURL_OR_LIBSOUP { "add-cookie", OSTREE_BUILTIN_FLAG_NONE, ot_remote_builtin_add_cookie, diff --git a/src/ostree/ot-builtin-show.c b/src/ostree/ot-builtin-show.c index aca2cddd..5091a93c 100644 --- a/src/ostree/ot-builtin-show.c +++ b/src/ostree/ot-builtin-show.c @@ -164,6 +164,7 @@ print_object (OstreeRepo *repo, flags |= OSTREE_DUMP_UNSWAPPED; ot_dump_object (objtype, checksum, variant, flags); +#ifndef OSTREE_DISABLE_GPGME if (objtype == OSTREE_OBJECT_TYPE_COMMIT) { g_autoptr(OstreeGpgVerifyResult) result = NULL; @@ -207,6 +208,7 @@ print_object (OstreeRepo *repo, g_print ("%s", buffer->str); } } +#endif /* OSTREE_DISABLE_GPGME */ return TRUE; } diff --git a/src/ostree/ot-builtin-summary.c b/src/ostree/ot-builtin-summary.c index c95c6df0..0f70f071 100644 --- a/src/ostree/ot-builtin-summary.c +++ b/src/ostree/ot-builtin-summary.c 
@@ -193,6 +193,7 @@ ostree_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invocati if (!ostree_repo_regenerate_summary (repo, additional_metadata, cancellable, error)) return FALSE; +#ifndef OSTREE_DISABLE_GPGME if (opt_key_ids) { if (!ostree_repo_add_gpg_signature_summary (repo, @@ -202,6 +203,7 @@ ostree_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invocati error)) return FALSE; } +#endif } else if (opt_view || opt_raw) { diff --git a/src/ostree/ot-builtins.h b/src/ostree/ot-builtins.h index 7a7d41bc..12a99b45 100644 --- a/src/ostree/ot-builtins.h +++ b/src/ostree/ot-builtins.h @@ -41,7 +41,9 @@ BUILTINPROTO(diff); BUILTINPROTO(export); BUILTINPROTO(find_remotes); BUILTINPROTO(create_usb); +#ifndef OSTREE_DISABLE_GPGME BUILTINPROTO(gpg_sign); +#endif BUILTINPROTO(init); BUILTINPROTO(log); BUILTINPROTO(pull); diff --git a/src/ostree/ot-main.c b/src/ostree/ot-main.c index a1449aef..c9c4f299 100644 --- a/src/ostree/ot-main.c +++ b/src/ostree/ot-main.c @@ -491,6 +491,7 @@ ostree_ensure_repo_writable (OstreeRepo *repo, return TRUE; } +#ifndef OSTREE_DISABLE_GPGME void ostree_print_gpg_verify_result (OstreeGpgVerifyResult *result) { @@ -511,6 +512,7 @@ ostree_print_gpg_verify_result (OstreeGpgVerifyResult *result) g_print ("%s", buffer->str); } +#endif /* OSTREE_DISABLE_GPGME */ gboolean ot_enable_tombstone_commits (OstreeRepo *repo, GError **error) diff --git a/src/ostree/ot-remote-builtin-add.c b/src/ostree/ot-remote-builtin-add.c index 2d021d77..cea0b274 100644 --- a/src/ostree/ot-remote-builtin-add.c +++ b/src/ostree/ot-remote-builtin-add.c 
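Review bot: Guarding only the `if (opt_key_ids)` block in `ostree_builtin_summary()` leaves the option entry that fills `opt_key_ids` untouched as far as this hunk shows, so in a GPGME-less build a signing request on the command line would presumably be accepted and the summary written unsigned with a success status. ot-builtin-commit.c in this patch puts its `gpg-sign` and `gpg-homedir` entries under the same macro, which makes the option parser reject them; doing the same here, or adding `#else if (opt_key_ids) { g_set_error (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "GPG feature is disabled in a build time"); return FALSE; }`, avoids a silently unsigned summary. `ot_remote_builtin_add()` (hunks at -133 and -157) has the same shape for `opt_no_gpg_verify` and the key-import block, whose options are likewise declared outside the hunks.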
@@ -133,10 +133,12 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio subkey, g_variant_new_variant (g_variant_new_string (subvalue))); } +#ifndef OSTREE_DISABLE_GPGME if (opt_no_gpg_verify) g_variant_builder_add (optbuilder, "{s@v}", "gpg-verify", g_variant_new_variant (g_variant_new_boolean (FALSE))); +#endif /* OSTREE_DISABLE_GPGME */ if (opt_collection_id != NULL) g_variant_builder_add (optbuilder, "{s@v}", "collection-id", @@ -157,6 +159,7 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio cancellable, error)) goto out; +#ifndef OSTREE_DISABLE_GPGME /* This is just a convenience option and is not as flexible as the full * "ostree remote gpg-import" command. It imports all keys from a file, * which is likely the most common case. @@ -183,6 +186,7 @@ ot_remote_builtin_add (int argc, char **argv, OstreeCommandInvocation *invocatio g_print ("Imported %u GPG key%s to remote \"%s\"\n", imported, (imported == 1) ? "" : "s", remote_name); } +#endif /* OSTREE_DISABLE_GPGME */ ret = TRUE; out: diff --git a/src/ostree/ot-remote-builtin-summary.c b/src/ostree/ot-remote-builtin-summary.c index bf50b9bc..bd4d026d 100644 --- a/src/ostree/ot-remote-builtin-summary.c +++ b/src/ostree/ot-remote-builtin-summary.c @@ -51,7 +51,9 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc g_autoptr(GBytes) summary_bytes = NULL; g_autoptr(GBytes) signature_bytes = NULL; OstreeDumpFlags flags = OSTREE_DUMP_NONE; +#ifndef OSTREE_DISABLE_GPGME gboolean gpg_verify_summary; +#endif gboolean ret = FALSE; context = g_option_context_new ("NAME"); @@ -92,6 +94,7 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc ot_dump_summary_bytes (summary_bytes, flags); +#ifndef OSTREE_DISABLE_GPGME if (!ostree_repo_remote_get_gpg_verify_summary (repo, remote_name, &gpg_verify_summary, error)) 
@@ -124,6 +127,7 @@ ot_remote_builtin_summary (int argc, char **argv, OstreeCommandInvocation *invoc g_print ("\n"); ostree_print_gpg_verify_result (result); } +#endif /* OSTREE_DISABLE_GPGME */ ret = TRUE; out: -- cgit v1.2.1