Pass keyring, not the full ts to lowlevel signature routines

- lazy loading of default keyring on ts iteration works nicely for
  everything but package signature verification which doesn't access the
  db now that the keys are not in the db anymore
- make rpmtsSetKeyring(NULL) load the default keyring, a bit ugly but
  it'll have to do for now

diff --git a/lib/package.c b/lib/package.c
index 022d939..1ae3763 100644 (file)
--- a/lib/package.c
+++ b/lib/package.c
@@ -485,7 +485,10 @@ verifyinfo_exit:
        break;
     }
 
-    rc = rpmVerifySignature(ts, &sigtd, dig, &buf);
+    {  
+       rpmKeyring keyring = rpmtsGetKeyring(ts);
+       rc = rpmVerifySignature(keyring, &sigtd, dig, &buf);
+    }
 
     if (msg) 
        *msg = buf;
@@ -807,7 +810,11 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
 
 /** @todo Implement disable/enable/warn/error/anal policy. */
 
-    rc = rpmVerifySignature(ts, &sigtd, dig, &msg);
+    {  
+       rpmKeyring keyring = rpmtsGetKeyring(ts);
+       rc = rpmVerifySignature(keyring, &sigtd, dig, &msg);
+    }
+       
     switch (rc) {
     case RPMRC_OK:             /* Signature is OK. */
        rpmlog(RPMLOG_DEBUG, "%s: %s", fn, msg);

diff --git a/lib/rpmchecksig.c b/lib/rpmchecksig.c
index ff0378b..048a8eb 100644 (file)
--- a/lib/rpmchecksig.c
+++ b/lib/rpmchecksig.c
@@ -568,6 +568,7 @@ int rpmVerifySignatures(QVA_t qva, rpmts ts, FD_t fd,
     int failed;
     int nodigests = !(qva->qva_flags & VERIFY_DIGEST);
     int nosignatures = !(qva->qva_flags & VERIFY_SIGNATURE);
+    rpmKeyring keyring = rpmtsGetKeyring(ts);
 
     {
        rpmlead lead = rpmLeadNew();
@@ -712,7 +713,7 @@ int rpmVerifySignatures(QVA_t qva, rpmts ts, FD_t fd,
                break;
            }
 
-           sigres = rpmVerifySignature(ts, &sigtd, dig, &result);
+           sigres = rpmVerifySignature(keyring, &sigtd, dig, &result);
            if (sigres != RPMRC_OK) {
                failed = 1;
            }
@@ -793,6 +794,9 @@ int rpmcliSign(rpmts ts, QVA_t qva, ARGV_const_t argv)
 
     if (argv == NULL) return res;
 
+    /* load default keyring */
+    rpmtsSetKeyring(ts, NULL);
+
     switch (qva->qva_mode) {
     case RPMSIGN_CHK_SIGNATURE:
        break;

diff --git a/lib/rpmlib.h b/lib/rpmlib.h
index 52d8d34..cf94358 100644 (file)
--- a/lib/rpmlib.h
+++ b/lib/rpmlib.h
@@ -240,7 +240,7 @@ int rpmGetFilesystemUsage(const char ** fileList, rpm_loff_t * fssizes,
  *                     (malloc'd)
  * @return             result of signature verification
  */
-rpmRC rpmVerifySignature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** result);
+rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, char ** result);
 
 /** \ingroup signature
  * Destroy signature header from package.

diff --git a/lib/rpmts.c b/lib/rpmts.c
index 6df6acd..25eadc2 100644 (file)
--- a/lib/rpmts.c
+++ b/lib/rpmts.c
@@ -45,6 +45,8 @@
 
 #include "debug.h"
 
+static void loadKeyring(rpmts ts);
+
 int _rpmts_debug = 0;
 
 int _rpmts_stats = 0;
@@ -187,6 +189,9 @@ rpmdbMatchIterator rpmtsInitIterator(const rpmts ts, rpmTag rpmtag,
     char *tmp = NULL;
     int xx;
 
+    if (ts->keyring == NULL)
+       loadKeyring(ts);
+
     if (ts->rdb == NULL && rpmtsOpenDB(ts, ts->dbmode))
        return NULL;
 
@@ -278,11 +283,15 @@ int rpmtsSetKeyring(rpmts ts, rpmKeyring keyring)
        return -1;
 
     rpmKeyringFree(ts->keyring);
-    ts->keyring = keyring;
+    if (keyring != NULL) {
+       ts->keyring = keyring;
+    } else {
+       loadKeyring(ts);
+    }
     return 0;
 }
 
-#ifdef USE_SEPARATE_KEYRING
+#ifndef USE_SEPARATE_KEYRING
 static void loadKeyring(rpmts ts)
 {
     ARGV_t files = NULL;

diff --git a/lib/signature.c b/lib/signature.c
index 65626f3..205a024 100644 (file)
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -17,6 +17,7 @@
 #include <rpm/rpmts.h>
 
 #include "rpmio/digest.h"
+#include "rpmio/rpmkeyring.h"
 #include "lib/rpmlead.h"
 #include "lib/signature.h"
 #include "lib/header_internal.h"
@@ -1001,7 +1002,7 @@ static const char * rpmSigString(rpmRC res)
 }
 
 static rpmRC
-verifySizeSignature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg)
+verifySizeSignature(rpmtd sigtd, pgpDig dig, char ** msg)
 {
     rpmRC res;
     size_t size = 0x7fffffff;
@@ -1032,8 +1033,7 @@ exit:
 }
 
 static rpmRC
-verifyMD5Signature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
-               DIGEST_CTX md5ctx)
+verifyMD5Signature(rpmtd sigtd, pgpDig dig, char ** msg, DIGEST_CTX md5ctx)
 {
     rpmRC res;
     uint8_t * md5sum = NULL;
@@ -1073,14 +1073,12 @@ exit:
 
 /**
  * Verify header immutable region SHA1 digest.
- * @param ts           transaction set
  * @retval msg         verbose success/failure text
  * @param sha1ctx
  * @return             RPMRC_OK on success
  */
 static rpmRC
-verifySHA1Signature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
-               DIGEST_CTX sha1ctx)
+verifySHA1Signature(rpmtd sigtd, pgpDig dig, char ** msg, DIGEST_CTX sha1ctx)
 {
     rpmRC res;
     char * SHA1 = NULL;
@@ -1115,13 +1113,13 @@ exit:
 
 /**
  * Verify RSA signature.
- * @param ts           transaction set
+ * @param keyring      pubkey keyring
  * @retval msg         rbose success/failure text
  * @param md5ctx
  * @return             RPMRC_OK on success
  */
 static rpmRC
-verifyRSASignature(rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
+verifyRSASignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, char ** msg,
                DIGEST_CTX md5ctx)
 {
     pgpDigParams sigp = dig ? &dig->signature : NULL;
@@ -1226,7 +1224,7 @@ verifyRSASignature(rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
     }
 
     /* Retrieve the matching public key. */
-    res = rpmtsFindPubkey(ts, dig);
+    res = rpmKeyringLookup(keyring, dig);
     if (res != RPMRC_OK)
        goto exit;
 
@@ -1250,13 +1248,13 @@ exit:
 
 /**
  * Verify DSA signature.
- * @param ts           transaction set
+ * @param keyring      pubkey keyring
  * @retval t           verbose success/failure text
  * @param sha1ctx
  * @return             RPMRC_OK on success
  */
 static rpmRC
-verifyDSASignature(rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
+verifyDSASignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, char ** msg,
                DIGEST_CTX sha1ctx)
 {
     pgpDigParams sigp = dig ? &dig->signature : NULL;
@@ -1315,7 +1313,7 @@ verifyDSASignature(rpmts ts, rpmtd sigtd, pgpDig dig, char ** msg,
     }
 
     /* Retrieve the matching public key. */
-    res = rpmtsFindPubkey(ts, dig);
+    res = rpmKeyringLookup(keyring, dig);
     if (res != RPMRC_OK)
        goto exit;
 
@@ -1339,7 +1337,7 @@ exit:
 }
 
 rpmRC
-rpmVerifySignature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** result)
+rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDig dig, char ** result)
 {
     rpmRC res;
     
@@ -1352,28 +1350,28 @@ rpmVerifySignature(const rpmts ts, rpmtd sigtd, pgpDig dig, char ** result)
 
     switch (sigtd->tag) {
     case RPMSIGTAG_SIZE:
-       res = verifySizeSignature(ts, sigtd, dig, result);
+       res = verifySizeSignature(sigtd, dig, result);
        break;
     case RPMSIGTAG_MD5:
-       res = verifyMD5Signature(ts, sigtd, dig, result, dig->md5ctx);
+       res = verifyMD5Signature(sigtd, dig, result, dig->md5ctx);
        break;
     case RPMSIGTAG_SHA1:
-       res = verifySHA1Signature(ts, sigtd, dig, result, dig->hdrsha1ctx);
+       res = verifySHA1Signature(sigtd, dig, result, dig->hdrsha1ctx);
        break;
     case RPMSIGTAG_RSA:
-       res = verifyRSASignature(ts, sigtd, dig, result, dig->hdrmd5ctx);
+       res = verifyRSASignature(keyring, sigtd, dig, result, dig->hdrmd5ctx);
        break;
     case RPMSIGTAG_PGP5:       /* XXX legacy */
     case RPMSIGTAG_PGP:
-       res = verifyRSASignature(ts, sigtd, dig, result,
+       res = verifyRSASignature(keyring, sigtd, dig, result,
                ((dig->signature.hash_algo == PGPHASHALGO_MD5)
                        ? dig->md5ctx : dig->sha1ctx));
        break;
     case RPMSIGTAG_DSA:
-       res = verifyDSASignature(ts, sigtd, dig, result, dig->hdrsha1ctx);
+       res = verifyDSASignature(keyring, sigtd, dig, result, dig->hdrsha1ctx);
        break;
     case RPMSIGTAG_GPG:
-       res = verifyDSASignature(ts, sigtd, dig, result, dig->sha1ctx);
+       res = verifyDSASignature(keyring, sigtd, dig, result, dig->sha1ctx);
        break;
     case RPMSIGTAG_LEMD5_1:
     case RPMSIGTAG_LEMD5_2: