common: Prevent pulling ostree-metadata unless gpg-verify is true
Add a sanity check and error message which prevents pulling the ostree-metadata ref (the repository metadata) unless GPG verification is enabled, as it needs to be signed to be trusted.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
parent
0bbf8f3d21
commit
dd63bdbd61
|
@ -8746,6 +8746,15 @@ flatpak_dir_fetch_remote_repo_metadata (FlatpakDir *self,
|
||||||
{
|
{
|
||||||
#ifdef FLATPAK_ENABLE_P2P
|
#ifdef FLATPAK_ENABLE_P2P
|
||||||
FlatpakPullFlags flatpak_flags;
|
FlatpakPullFlags flatpak_flags;
|
||||||
|
gboolean gpg_verify;
|
||||||
|
|
||||||
|
/* We can only fetch metadata if we’re going to verify it with GPG. */
|
||||||
|
if (!ostree_repo_remote_get_gpg_verify (self->repo, remote_name,
|
||||||
|
&gpg_verify, error))
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
if (!gpg_verify)
|
||||||
|
return flatpak_fail (error, "Can't pull from untrusted non-gpg verified remote");
|
||||||
|
|
||||||
flatpak_flags = FLATPAK_PULL_FLAGS_DOWNLOAD_EXTRA_DATA;
|
flatpak_flags = FLATPAK_PULL_FLAGS_DOWNLOAD_EXTRA_DATA;
|
||||||
flatpak_flags |= FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS;
|
flatpak_flags |= FLATPAK_PULL_FLAGS_NO_STATIC_DELTAS;
|
||||||
|
|
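Review bot: The failure message in `return flatpak_fail (error, "Can't pull from untrusted non-gpg verified remote");` names neither the remote nor the ref, so an operator who hits it cannot tell which remote's gpg-verify setting to fix, or that only the repository-metadata pull was refused. flatpak_fail takes a printf-style format, so `return flatpak_fail (error, "Can't pull ostree-metadata from remote '%s': GPG verification is disabled", remote_name);` would carry both. The guard also sits inside the `#ifdef FLATPAK_ENABLE_P2P` branch of flatpak_dir_fetch_remote_repo_metadata, whose body continues outside the hunk. Whether every other path that can pull this ref applies the same check cannot be confirmed from the visible lines and is worth verifying.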