Add support for adding new gpg keys via signed summary

flatpak · May 9, 2017 · 21778f1 · 21778f1
1 parent 0bf1b31
commit 21778f1
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 9 deletions.
diff --git a/app/flatpak-builtins-repo-update.c b/app/flatpak-builtins-repo-update.c
@@ -31,9 +31,11 @@
 
 #include "flatpak-builtins.h"
 #include "flatpak-utils.h"
+#include "flatpak-builtins-utils.h"
 
 static char *opt_title;
 static char *opt_default_branch;
+static char **opt_gpg_import;
 static char *opt_generate_delta_from;
 static char *opt_generate_delta_to;
 static char *opt_generate_delta_ref;
@@ -46,6 +48,7 @@ static gint opt_prune_depth = -1;
 static GOptionEntry options[] = {
   { "title", 0, 0, G_OPTION_ARG_STRING, &opt_title, N_("A nice name to use for this repository"), N_("TITLE") },
   { "default-branch", 0, 0, G_OPTION_ARG_STRING, &opt_default_branch, N_("Default branch to use for this repository"), N_("BRANCH") },
+  { "gpg-import", 0, 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_gpg_import, N_("Import new default GPG public key from FILE"), N_("FILE") },
   { "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_gpg_key_ids, N_("GPG Key ID to sign the summary with"), N_("KEY-ID") },
   { "gpg-homedir", 0, 0, G_OPTION_ARG_STRING, &opt_gpg_homedir, N_("GPG Homedir to use when looking for keyrings"), N_("HOMEDIR") },
   { "generate-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_generate_deltas, N_("Generate delta files"), NULL },
@@ -426,6 +429,16 @@ flatpak_builtin_build_update_repo (int argc, char **argv,
       !flatpak_repo_set_default_branch (repo, opt_default_branch, error))
     return FALSE;
 
+  if (opt_gpg_import)
+    {
+      g_autoptr(GBytes) gpg_data = flatpak_load_gpg_keys (opt_gpg_import, cancellable, error);
+      if (gpg_data == NULL)
+        return FALSE;
+
+      if (!flatpak_repo_set_gpg_keys (repo, gpg_data, error))
+        return FALSE;
+    }
+
   g_print (_("Updating appstream branch\n"));
   if (!flatpak_repo_generate_appstream (repo, (const char **) opt_gpg_key_ids, opt_gpg_homedir, 0, cancellable, error))
     return FALSE;

diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
@@ -7748,12 +7748,15 @@ flatpak_dir_update_remote_configuration_for_summary (FlatpakDir   *self,
      flatpak_repo_set_* () family of functions) */
   static const char *const supported_params[] = {
     "xa.title",
-    "xa.default-branch", NULL
+    "xa.default-branch",
+    "xa.gpg-keys",
+    NULL
   };
 
   g_autoptr(GVariant) extensions = NULL;
   g_autoptr(GPtrArray) updated_params = NULL;
   GVariantIter iter;
+  g_autoptr(GBytes) gpg_keys = NULL;
 
   updated_params = g_ptr_array_new_with_free_func (g_free);
 
@@ -7767,15 +7770,32 @@ flatpak_dir_update_remote_configuration_for_summary (FlatpakDir   *self,
 
       while (g_variant_iter_next (&iter, "{sv}", &key, &value_var))
         {
-          /* At the moment, every supported parameter are strings */
-          if (g_strv_contains (supported_params, key) &&
-              g_variant_get_type_string (value_var))
+          if (g_strv_contains (supported_params, key))
             {
-              const char *value = g_variant_get_string(value_var, NULL);
-              if (value != NULL && *value != 0)
+              if (strcmp (key, "xa.gpg-keys") == 0)
                 {
-                  g_ptr_array_add (updated_params, g_strdup (key));
-                  g_ptr_array_add (updated_params, g_strdup (value));
+                  if (g_variant_is_of_type (value_var, G_VARIANT_TYPE_BYTESTRING))
+                    {
+                      const guchar *gpg_data = g_variant_get_data (value_var);
+                      gsize gpg_size = g_variant_get_size (value_var);
+                      g_autofree gchar *gpg_data_checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, gpg_data, gpg_size);
+
+                      gpg_keys = g_bytes_new (gpg_data, gpg_size);
+
+                      /* We store the hash so that we can detect when things changed or not
+                         instead of re-importing the key over-and-over */
+                      g_ptr_array_add (updated_params, g_strdup ("xa.gpg-keys-hash"));
+                      g_ptr_array_add (updated_params, g_steal_pointer (&gpg_data_checksum));
+                    }
+                }
+              else if (g_variant_is_of_type (value_var, G_VARIANT_TYPE_STRING))
+                {
+                  const char *value = g_variant_get_string(value_var, NULL);
+                  if (value != NULL && *value != 0)
+                    {
+                      g_ptr_array_add (updated_params, g_strdup (key));
+                      g_ptr_array_add (updated_params, g_strdup (value));
+                    }
                 }
             }
 
@@ -7826,7 +7846,7 @@ flatpak_dir_update_remote_configuration_for_summary (FlatpakDir   *self,
       return TRUE;
 
     /* Update the local remote configuration with the updated info. */
-    if (!flatpak_dir_modify_remote (self, remote, config, NULL, cancellable, error))
+    if (!flatpak_dir_modify_remote (self, remote, config, gpg_keys, cancellable, error))
       return FALSE;
   }
 

diff --git a/common/flatpak-utils.c b/common/flatpak-utils.c
@@ -2587,6 +2587,25 @@ flatpak_repo_set_title (OstreeRepo *repo,
   return TRUE;
 }
 
+gboolean
+flatpak_repo_set_gpg_keys (OstreeRepo *repo,
+                           GBytes *bytes,
+                           GError    **error)
+{
+  g_autoptr(GKeyFile) config = NULL;
+  g_autofree char *value_base64 = NULL;
+
+  config = ostree_repo_copy_config (repo);
+
+  value_base64 = g_base64_encode (g_bytes_get_data (bytes, NULL), g_bytes_get_size (bytes));
+
+  g_key_file_set_string (config, "flatpak", "gpg-keys", value_base64);
+
+  if (!ostree_repo_write_config (repo, config, error))
+    return FALSE;
+
+  return TRUE;
+}
 
 gboolean
 flatpak_repo_set_default_branch (OstreeRepo *repo,
@@ -2831,6 +2850,7 @@ flatpak_repo_update (OstreeRepo   *repo,
   GKeyFile *config;
   g_autofree char *title = NULL;
   g_autofree char *default_branch = NULL;
+  g_autofree char *gpg_keys = NULL;
   g_autoptr(GVariant) old_summary = NULL;
   g_autoptr(GVariant) new_summary = NULL;
   g_autoptr(GHashTable) refs = NULL;
@@ -2848,6 +2868,7 @@ flatpak_repo_update (OstreeRepo   *repo,
     {
       title = g_key_file_get_string (config, "flatpak", "title", NULL);
       default_branch = g_key_file_get_string (config, "flatpak", "default-branch", NULL);
+      gpg_keys = g_key_file_get_string (config, "flatpak", "gpg-keys", NULL);
     }
 
   if (title)
@@ -2858,6 +2879,19 @@ flatpak_repo_update (OstreeRepo   *repo,
     g_variant_builder_add (&builder, "{sv}", "xa.default-branch",
                            g_variant_new_string (default_branch));
 
+  if (gpg_keys)
+    {
+      guchar *decoded;
+      gsize decoded_len;
+
+      gpg_keys = g_strstrip (gpg_keys);
+      decoded = g_base64_decode (gpg_keys, &decoded_len);
+
+      g_variant_builder_add (&builder, "{sv}", "xa.gpg-keys",
+                             g_variant_new_from_data (G_VARIANT_TYPE ("ay"), decoded, decoded_len,
+                                                      TRUE, (GDestroyNotify)g_free, decoded));
+    }
+
   g_variant_builder_init (&ref_data_builder, G_VARIANT_TYPE ("a{s(tts)}"));
 
   /* Only operate on flatpak relevant refs */

diff --git a/common/flatpak-utils.h b/common/flatpak-utils.h
@@ -288,6 +288,9 @@ gboolean flatpak_repo_set_title (OstreeRepo *repo,
 gboolean flatpak_repo_set_default_branch (OstreeRepo *repo,
                                           const char *branch,
                                           GError    **error);
+gboolean flatpak_repo_set_gpg_keys (OstreeRepo *repo,
+                                    GBytes *bytes,
+                                    GError    **error);
 gboolean flatpak_repo_update (OstreeRepo   *repo,
                               const char  **gpg_key_ids,
                               const char   *gpg_homedir,