From dd63bdbd610b8bec836f4ae4cea98199ba26bdfb Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Fri, 11 Aug 2017 12:30:37 +0100
Subject: [PATCH] common: Prevent pulling ostree-metadata unless gpg-verify is true

Add a sanity check and error message which prevents pulling the ostree-metadata ref (the repository metadata) unless GPG verification is enabled, as it needs to be signed to be trusted.

Signed-off-by: Philip Withnall
---
 common/flatpak-dir.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 90b00a6d..89e00858 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -8746,6 +8746,15 @@ flatpak_dir_fetch_remote_repo_metadata (FlatpakDir *self,
 {
 #ifdef FLATPAK_ENABLE_P2P
 FlatpakPullFlags flatpak_flags;
+ gboolean gpg_verify;
+
+ /* We can only fetch metadata if we’re going to verify it with GPG. */
+ if (!ostree_repo_remote_get_gpg_verify (self->repo, remote_name,
+ &gpg_verify, error))
+ return FALSE;
+
+ if (!gpg_verify)
+ return flatpak_fail (error, "Can't pull from untrusted non-gpg verified remote");
 
 flatpak_flags = FLATPAK_PULL_FLAGS_DOWNLOAD_EXTRA_DATA;
 flatpak_flags |= FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS;
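Review bot: The refusal message on the added `flatpak_fail` line names neither the remote nor the ref being refused, so a user or log reader cannot tell which remote has verification switched off. Assuming `flatpak_fail` takes a printf-style format, something like `return flatpak_fail (error, "Can't pull ostree-metadata from remote '%s': gpg-verify is not enabled", remote_name);` would make the failure actionable. The guard only confirms the remote's configured `gpg-verify` option, so whether the signature is actually enforced depends on the pull call, which is outside the hunk. The comment could say this, e.g. `/* ostree-metadata is only trusted when signed; refuse early if the remote has gpg-verify disabled. */`. The function body starts and ends outside the hunk, and the check is compiled only under `FLATPAK_ENABLE_P2P`.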