Fix finding repo fingerprints when using rootdir support

Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate")
freebsd · Oct 19, 2021 · d04e611 · d04e611
1 parent af02823
commit d04e611
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 11 deletions.
diff --git a/libpkg/pkg_repo.c b/libpkg/pkg_repo.c
@@ -1046,7 +1046,13 @@ pkg_repo_load_fingerprints(struct pkg_repo *repo)
 	char path[MAXPATHLEN];
 	struct stat st;
 
-	snprintf(path, sizeof(path), "%s/trusted", pkg_repo_fingerprints(repo));
+	if (ctx.pkg_rootdir) {
+		snprintf(path, sizeof(path), "%s/%s/trusted", ctx.pkg_rootdir, pkg_repo_fingerprints(repo));
+	}
+	else {
+		snprintf(path, sizeof(path), "%s/trusted", pkg_repo_fingerprints(repo));
+	}
+
 	if ((pkg_repo_load_fingerprints_from_path(path, &repo->trusted_fp)) != EPKG_OK) {
 		pkg_emit_error("Error loading trusted certificates");
 		return (EPKG_FATAL);
@@ -1057,7 +1063,12 @@ pkg_repo_load_fingerprints(struct pkg_repo *repo)
 		return (EPKG_FATAL);
 	}
 
-	snprintf(path, sizeof(path), "%s/revoked", pkg_repo_fingerprints(repo));
+	if (ctx.pkg_rootdir) {
+		snprintf(path, sizeof(path), "%s/%s/revoked", ctx.pkg_rootdir, pkg_repo_fingerprints(repo));
+	}
+	else {
+		snprintf(path, sizeof(path), "%s/revoked", pkg_repo_fingerprints(repo));
+	}
 	/* Absence of revoked certificates is not a fatal error */
 	if (stat(path, &st) != -1) {
 		if ((pkg_repo_load_fingerprints_from_path(path, &repo->revoked_fp)) != EPKG_OK) {

diff --git a/tests/frontend/fingerprint.sh b/tests/frontend/fingerprint.sh
@@ -3,24 +3,26 @@
 . $(atf_get_srcdir)/test_environment.sh
 
 tests_init \
-	fingerprint
+	fingerprint \
+	fingerprint_rootdir
 
-fingerprint_body() {
+setup() {
+	local _root=$1
         atf_skip_on Darwin Test fails on Darwin
         atf_skip_on Linux Test fails on Linux
 
 	atf_check -o ignore -e ignore \
 		openssl genrsa -out repo.key 2048
 	rm -rf ${TMPDIR}/keys || :
-	mkdir -p keys/trusted
-	mkdir -p keys/revoked
+	mkdir -p ${_root}/keys/trusted
+	mkdir -p ${_root}/keys/revoked
 	chmod 0400 repo.key
 	atf_check -o ignore -e ignore \
 		openssl rsa -in repo.key -out repo.pub -pubout
-	echo "function: sha256" > keys/trusted/key
-	echo -n "fingerprint: " >> keys/trusted/key
-	openssl dgst -sha256 -hex repo.pub | sed 's/^.* //' >> keys/trusted/key
-	echo "" >> keys/trusted/key
+	echo "function: sha256" > ${_root}/keys/trusted/key
+	echo -n "fingerprint: " >> ${_root}/keys/trusted/key
+	openssl dgst -sha256 -hex repo.pub | sed 's/^.* //' >> ${_root}/keys/trusted/key
+	echo "" >> ${_root}/keys/trusted/key
 	mkdir fakerepo
 
 	cat >> sign.sh << EOF
@@ -47,12 +49,27 @@ local: {
 	url: file:///${TMPDIR}/fakerepo
 	enabled: true
 	signature_type: FINGERPRINTS
-	fingerprints: ${TMPDIR}/keys
+	fingerprints: keys
 }
 EOF
+}
+
+fingerprint_body() {
+	setup "${TMPDIR}/."
+
 	atf_check \
 		-o ignore \
 		-e match:".*extracting signature of repo.*" \
 		pkg -dd -o REPOS_DIR="${TMPDIR}" \
 		-o PKG_CACHEDIR="${TMPDIR}" update
 }
+
+fingerprint_rootdir_body() {
+	setup "${TMPDIR}/rootdir"
+
+	atf_check \
+		-o ignore \
+		-e match:".*extracting signature of repo.*" \
+		pkg -dd -o REPOS_DIR="${TMPDIR}" \
+		-o PKG_CACHEDIR="${TMPDIR}" -r "${TMPDIR}/rootdir" update
+}