From 70cabcea0a120715a07664b7376d9190f6404fa6 Mon Sep 17 00:00:00 2001 From: Matthew Barnes Date: Mon, 2 Mar 2015 11:16:16 -0500 Subject: gpg: Rewrite OstreeGpgVerifier to use GPGME This sets the stage for more advanced signature management. (Also, talking to GPG over pipes sucks.) Previously we were spawning gpgv2 with a bunch of --keyring options for /usr/share/ostree/trusted.gpg.d/ and whatever other keyring files were explicitly added. GPGME has no public API for multiple keyrings, so we work around the issue by setting up a temp directory to serve as a fake "home" directory for the crypto engine and then concatenate all the keyring files into a single public keyring (pubring.gpg). Unfortunately at present we do this on every signature verification. There's a desire to cache this concatenation, but the problem is the user may be unprivileged. So it seems the cache would have to be per user under $XDG_CACHE_HOME, which OSTree doesn't otherwise use. I'm open to suggestions. We do at least clean up the temp directory when finished, and I have further API changes planned to OstreeGpgVerifier to help mitigate the performance impact.
---
 Makefile-libostree.am | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'Makefile-libostree.am')
diff --git a/Makefile-libostree.am b/Makefile-libostree.am
index 7a1b64e1..ecab57b9 100644
--- a/Makefile-libostree.am
+++ b/Makefile-libostree.am
@@ -89,8 +89,6 @@ libostree_1_la_SOURCES = \
 src/libostree/ostree-bootloader-syslinux.c \
 src/libostree/ostree-bootloader-uboot.h \
 src/libostree/ostree-bootloader-uboot.c \
- src/libostree/ostree-gpg-verifier.c \
- src/libostree/ostree-gpg-verifier.h \
 src/libostree/ostree-repo-static-delta-core.c \
 src/libostree/ostree-repo-static-delta-processing.c \
 src/libostree/ostree-repo-static-delta-compilation.c \
@@ -108,6 +106,12 @@ libostree_1_la_SOURCES += \
 src/libostree/ostree-tls-cert-interaction.h \
 $(NULL)
 endif
+if USE_GPGME
+libostree_1_la_SOURCES += \
+ src/libostree/ostree-gpg-verifier.c \
+ src/libostree/ostree-gpg-verifier.h \
+ $(NULL)
+endif
 libostree_1_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/bsdiff -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -I$(srcdir)/src/libostree \
 $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_DEP_LZMA_CFLAGS) $(OT_DEP_ZLIB_CFLAGS)
--
cgit v1.2.1
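Review bot: With `ostree-gpg-verifier.c` now compiled only under `if USE_GPGME`, a build configured without GPGME produces a libostree that contains no GPG signature verifier, where before this commit the verifier sources were always in `libostree_1_la_SOURCES`. This page is limited to Makefile-libostree.am, so whether configure treats GPGME as mandatory and whether the callers fail closed cannot be checked here; if the dependency is optional, the verification entry points need to return a hard error in that configuration rather than report success or skip the check. I would record that above the conditional with `# No GPG signature verification is built without USE_GPGME; callers must fail closed.` The `libostree_1_la_CFLAGS` lines visible in the context carry no GPGME flags either, so confirm the GPGME compile and link flags are added elsewhere in the file.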