OCI: Fix signature checks on updates

We can't support updating to a specified digest; we must
always look in the index so that we can find the signature.
tingping/wmclass
Alexander Larsson 2017-03-29 18:04:13 +02:00
parent 5b0ad227e8
commit 7a6a109720
1 changed files with 14 additions and 20 deletions


@ -2194,7 +2194,6 @@ static gboolean
flatpak_dir_pull_oci (FlatpakDir *self, flatpak_dir_pull_oci (FlatpakDir *self,
const char *remote, const char *remote,
const char *ref, const char *ref,
const char *opt_rev,
OstreeRepo *repo, OstreeRepo *repo,
FlatpakPullFlags flatpak_flags, FlatpakPullFlags flatpak_flags,
OstreeRepoPullFlags flags, OstreeRepoPullFlags flags,
@ -2213,36 +2212,31 @@ flatpak_dir_pull_oci (FlatpakDir *self,
g_autoptr(GVariant) summary_element = NULL; g_autoptr(GVariant) summary_element = NULL;
g_autofree char *signature_digest = NULL; g_autofree char *signature_digest = NULL;
g_autofree char *latest_alt_commit = NULL; g_autofree char *latest_alt_commit = NULL;
g_autoptr(GVariant) metadata = NULL;
g_autofree char *latest_rev = NULL;
g_autofree char *latest_commit = flatpak_dir_read_latest (self, remote, ref, g_autofree char *latest_commit = flatpak_dir_read_latest (self, remote, ref,
&latest_alt_commit, &latest_alt_commit,
cancellable, NULL); cancellable, NULL);
/* This doesn't support specifying a specific digest, because that can't work
with OCI signatures. We need to get that from the index */
if (!ostree_repo_remote_get_url (self->repo, if (!ostree_repo_remote_get_url (self->repo,
remote, remote,
&oci_uri, &oci_uri,
error)) error))
return FALSE; return FALSE;
if (opt_rev != NULL) /* We use the summary so that we can reuse any cached json */
{ latest_rev =
oci_digest = g_strconcat ("sha256:", opt_rev, NULL); flatpak_dir_lookup_ref_from_summary (self, remote, ref, &summary_element,
} cancellable, error);
else if (latest_rev == NULL)
{ return FALSE;
g_autoptr(GVariant) metadata = NULL;
/* We use the summary so that we can reuse any cached json */
g_autofree char *latest_rev =
flatpak_dir_lookup_ref_from_summary (self, remote, ref, &summary_element,
cancellable, error);
if (latest_rev == NULL)
return FALSE;
metadata = g_variant_get_child_value (summary_element, 2); metadata = g_variant_get_child_value (summary_element, 2);
g_variant_lookup (metadata, "xa.oci-signature", "s", &signature_digest);
g_variant_lookup (metadata, "xa.oci-signature", "s", &signature_digest); oci_digest = g_strconcat ("sha256:", latest_rev, NULL);
oci_digest = g_strconcat ("sha256:", latest_rev, NULL);
}
/* Short circuit if we've already got this commit */ /* Short circuit if we've already got this commit */
if (latest_alt_commit != NULL && strcmp (oci_digest + strlen ("sha256:"), latest_alt_commit) == 0) if (latest_alt_commit != NULL && strcmp (oci_digest + strlen ("sha256:"), latest_alt_commit) == 0)
@ -2323,7 +2317,7 @@ flatpak_dir_pull (FlatpakDir *self,
return FALSE; return FALSE;
if (flatpak_dir_get_remote_oci (self, repository)) if (flatpak_dir_get_remote_oci (self, repository))
return flatpak_dir_pull_oci (self, repository, ref, opt_rev, repo, flatpak_flags, return flatpak_dir_pull_oci (self, repository, ref, repo, flatpak_flags,
flags, progress, cancellable, error); flags, progress, cancellable, error);
if (!ostree_repo_remote_get_url (self->repo, if (!ostree_repo_remote_get_url (self->repo,
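Review bot: In the last hunk, flatpak_dir_pull still receives opt_rev but no longer forwards it to flatpak_dir_pull_oci, so a caller that asks for a specific revision on an OCI remote silently gets whatever the index currently lists. If pinning cannot work with OCI signatures, rejecting it explicitly inside the `flatpak_dir_get_remote_oci` branch is safer than ignoring it, e.g. `if (opt_rev != NULL) { g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, "Pulling a specific commit is not supported for OCI remotes"); return FALSE; }`. Separately, the result of `g_variant_lookup (metadata, "xa.oci-signature", "s", &signature_digest)` in flatpak_dir_pull_oci is not checked. The code that consumes signature_digest is outside the hunk, so it is worth confirming that a NULL digest fails the pull when signatures are required rather than skipping verification. Both function bodies continue outside the visible hunks.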