forked from flatpak/flatpak
dir: Check commit signatures before resolving a ref
Currently flatpak_dir_pull() has a phase where it tries to resolve a ref to a commit before doing the pull, which is good because it means we're pulling the same commit even if we do multiple subpath pulls, and it allows us to get set up for accurate progress reporting.

On the P2P code path, this resolution is accomplished with an ostree_repo_find_remotes_async() call, and then checking the results from that. Normally that works fine, but in case a remote tries to maliciously serve an update to refs which didn't originate from it (by setting the same collection ID as the victim remote) things break. The find_remotes_async() will use the malicious remote's keyring for verification and return that commit as the most recent. This causes errors later during the pull phase. For example, if we're trying to update example-ref from good-remote, and good-remote is offering commit v1 and malicious-remote is offering commit v2, we resolve example-ref to commit v2. Then pulling that commit from malicious-remote using good-remote's keyring fails, and pulling commit v2 from good-remote fails because it doesn't exist there.

So this commit changes flatpak_dir_pull() so that it pulls commit metadata before deciding on a commit. Since the pull code uses the "ref-keyring-map" option, the bad signatures will be found and the latest good commit will be returned. This requires a few changes:

1) Move the ostree_repo_prepare_transaction() call up to before the new pull, which also means using "goto out;" in a few more places.

2) Use OSTREE_REPO_PULL_FLAGS_MIRROR for the pull and ostree_repo_resolve_collection_ref() after the pull, conditional on checks for ostree v2019.2. That is more correct but we need the patch in this PR[1] for it to work.

3) Change repo_pull() so that it will accept results_to_fetch != NULL && rev_to_fetch == NULL. This means making a g_autofree version of rev_to_fetch and resolving it after the pull if necessary.

This is all working toward the goal of getting the unit test in the following commit, test-p2p-security.sh, to succeed.

[1] ostreedev/ostree#1821
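The ref-resolution problem the commit message describes, modelled as an added example that is not flatpak or ostree code: two remotes claim the same collection ID, the old path trusts whichever remote served a commit to verify it, and the fixed path verifies every candidate against the keyring of the remote the ref was configured from before resolving. GPG signatures are replaced by HMAC tags under per-remote keys, and all names, keys and commit data are constructed for the example.

```python
"""Model of the ref-resolution bug described in the commit message above.

Added example, not flatpak or ostree code. GPG signatures are replaced by
HMAC-SHA256 tags under per-remote keys (a constructed stand-in), and the
remotes are in-memory dicts. All names below are hypothetical.
"""
import hashlib
import hmac

REF = "example-ref"
COLLECTION_ID = "org.example.Collection"  # constructed value

# Constructed keyrings: the key each configured remote is trusted to sign with.
KEYRINGS = {"good-remote": b"good-key", "malicious-remote": b"mal-key"}

def sign(key, commit):
    return hmac.new(key, commit.encode(), hashlib.sha256).hexdigest()

def verify(key, commit, sig):
    return hmac.compare_digest(sign(key, commit), sig)

# Constructed find_remotes-style results: both remotes claim the same
# collection ID, and each commit is signed with its own remote's key.
RESULTS = [
    {"remote": "good-remote", "collection": COLLECTION_ID, "ref": REF,
     "commit": "v1", "timestamp": 100, "sig": sign(b"good-key", "v1")},
    {"remote": "malicious-remote", "collection": COLLECTION_ID, "ref": REF,
     "commit": "v2", "timestamp": 200, "sig": sign(b"mal-key", "v2")},
]

def resolve_naive(results, collection, ref):
    """Old path: each result is verified with the serving remote's own
    keyring, so malicious-remote's v2 verifies and, being newest, wins."""
    ok = [r for r in results if r["collection"] == collection
          and r["ref"] == ref
          and verify(KEYRINGS[r["remote"]], r["commit"], r["sig"])]
    return max(ok, key=lambda r: r["timestamp"])["commit"]

def resolve_after_verified_pull(results, collection, ref, configured_remote):
    """New path: pull metadata first, verify every candidate against the
    keyring of the remote the ref is configured from (ref-keyring-map),
    then resolve to the newest commit that actually verifies."""
    key = KEYRINGS[configured_remote]
    ok = [r for r in results if r["collection"] == collection
          and r["ref"] == ref and verify(key, r["commit"], r["sig"])]
    if not ok:
        raise ValueError("no verifiable commit for %s" % ref)
    return max(ok, key=lambda r: r["timestamp"])["commit"]
```

With the constructed data, the old path resolves example-ref to v2 (which the later pull from good-remote cannot satisfy), while the fixed path resolves it to v1.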
Showing 1 changed file with 92 additions and 35 deletions.