marko10_000
/
flatpak-builder
forked from Mirrors/flatpak-builder
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

common: Prevent pulling ostree-metadata unless gpg-verify is true 

Add a sanity check and error message which prevents pulling the
ostree-metadata ref (the repository metadata) unless GPG verification is
enabled, as it needs to be signed to be trusted.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
tingping/wmclass
Philip Withnall 2017-08-11 12:30:37 +01:00 committed by Alexander Larsson
parent 0bbf8f3d21
commit dd63bdbd61
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
common/flatpak-dir.c
View File

@ -8746,6 +8746,15 @@ flatpak_dir_fetch_remote_repo_metadata (FlatpakDir *self,
{
#ifdef FLATPAK_ENABLE_P2P
FlatpakPullFlags flatpak_flags;
gboolean gpg_verify;
/* We can only fetch metadata if were going to verify it with GPG. */
if (!ostree_repo_remote_get_gpg_verify (self->repo, remote_name,
&gpg_verify, error))
return FALSE;
if (!gpg_verify)
return flatpak_fail (error, "Can't pull from untrusted non-gpg verified remote");
flatpak_flags = FLATPAK_PULL_FLAGS_DOWNLOAD_EXTRA_DATA;
flatpak_flags |= FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS;