diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-01-15 16:45:29 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-01-19 18:29:59 +0100 |
commit | f14717a7e2d9331010a091baeae6cf9e99f4bb5c (patch) | |
tree | e47c6f43244cdd7d60439d253eb02e090ece2588 /src/import/pull-raw.c | |
parent | c20307fd347da5f2d6cfe7fad3ae64450ffec818 (diff) | |
download | systemd-f14717a7e2d9331010a091baeae6cf9e99f4bb5c.tar.gz |
import: rework how verification works
Previously the PullJob object took internal care of rerequested the
SHA256SUMS file, if requesting <image>.sha256 didn't work. This was a
weird a non-abstraction only used when actually getting the checksum
files.
Let's move this out of the PullJob, so that it is generic again, and
does roughly the same stuff for all resources it is used for: let's
define a generic .on_not_found() handler that can be set on a PullJob
object, and is called whenever with see HTTP 404, and may be used to
provide a new URL to try if the first didn't work.
This is also preparation for later work to support PKCS#7 signatures
instead of gpg signatures, where a similar logic is needed, and we thus
should have a generic infrastructure place.
This gets rid of the VerificationStyle field in the PullJob object:
instead of storing this non-generic field we just derive the same
information from the URL itself, which is safe, since we generated it
ourselves earlier.
Diffstat (limited to 'src/import/pull-raw.c')
-rw-r--r-- | src/import/pull-raw.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/src/import/pull-raw.c b/src/import/pull-raw.c index 4a2bab3d07..69b3c307f6 100644 --- a/src/import/pull-raw.c +++ b/src/import/pull-raw.c @@ -473,11 +473,23 @@ static void raw_pull_job_on_finished(PullJob *j) { if (!raw_pull_is_done(i)) return; - if (i->signature_job && i->checksum_job->style == VERIFICATION_PER_DIRECTORY && i->signature_job->error != 0) { - log_error_errno(j->error, "Failed to retrieve signature file, cannot verify. (Try --verify=no?)"); + if (i->signature_job && i->signature_job->error != 0) { + VerificationStyle style; - r = i->signature_job->error; - goto finish; + r = verification_style_from_url(i->checksum_job->url, &style); + if (r < 0) { + log_error_errno(r, "Failed to determine verification style from checksum URL: %m"); + goto finish; + } + + if (style == VERIFICATION_PER_DIRECTORY) { /* A failed signature file download only matters + * in per-directory verification mode, since only + * then the signature is detached, and thus a file + * of its own. */ + log_error_errno(j->error, "Failed to retrieve signature file, cannot verify. (Try --verify=no?)"); + r = i->signature_job->error; + goto finish; + } } if (i->roothash_job) @@ -722,7 +734,7 @@ int raw_pull_start( if (i->checksum_job) { i->checksum_job->on_progress = raw_pull_job_on_progress; - i->checksum_job->style = VERIFICATION_PER_FILE; + i->checksum_job->on_not_found = pull_job_restart_with_sha256sum; r = pull_job_begin(i->checksum_job); if (r < 0) |