static gboolean
decompress_all (GConverter *converter,
GBytes *data,
GBytes **out_uncompressed,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
g_autoptr(GMemoryInputStream) memin = (GMemoryInputStream*)g_memory_input_stream_new_from_bytes (data);
g_autoptr(GMemoryOutputStream) memout = (GMemoryOutputStream*)g_memory_output_stream_new (NULL, 0, g_realloc, g_free);
g_autoptr(GInputStream) convin = g_converter_input_stream_new ((GInputStream*)memin, converter);
{
gssize n_bytes_written = g_output_stream_splice ((GOutputStream*)memout, convin,
G_OUTPUT_STREAM_SPLICE_CLOSE_SOURCE |
G_OUTPUT_STREAM_SPLICE_CLOSE_TARGET,
cancellable, error);
if (n_bytes_written < 0)
goto out;
}
ret = TRUE;
*out_uncompressed = g_memory_output_stream_steal_as_bytes (memout);
out:
return ret;
}
static gboolean
load_snap_icon (GsApp *app, SnapdClient *client, SnapdSnap *snap, GCancellable *cancellable)
{
const gchar *icon_url;
g_autoptr(SnapdIcon) icon = NULL;
g_autoptr(GInputStream) input_stream = NULL;
g_autoptr(GdkPixbuf) pixbuf = NULL;
g_autoptr(GError) error = NULL;
icon_url = snapd_snap_get_icon (snap);
if (icon_url == NULL || strcmp (icon_url, "") == 0)
return FALSE;
icon = snapd_client_get_icon_sync (client, gs_app_get_metadata_item (app, "snap::name"), cancellable, &error);
if (icon == NULL) {
g_warning ("Failed to load snap icon: %s", error->message);
return FALSE;
}
input_stream = g_memory_input_stream_new_from_bytes (snapd_icon_get_data (icon));
pixbuf = gdk_pixbuf_new_from_stream_at_scale (input_stream, 64, 64, TRUE, cancellable, &error);
if (pixbuf == NULL) {
g_warning ("Failed to decode snap icon %s: %s", icon_url, error->message);
return FALSE;
}
gs_app_set_pixbuf (app, pixbuf);
return TRUE;
}
static gboolean
gtk_css_image_url_parse (GtkCssImage *image,
GtkCssParser *parser)
{
GtkCssImageUrl *self = GTK_CSS_IMAGE_URL (image);
char *url, *scheme;
url = gtk_css_parser_consume_url (parser);
if (url == NULL)
return FALSE;
scheme = g_uri_parse_scheme (url);
if (scheme && g_ascii_strcasecmp (scheme, "data") == 0)
{
GInputStream *stream;
GdkPixbuf *pixbuf;
GBytes *bytes;
GError *error = NULL;
bytes = gtk_css_data_url_parse (url, NULL, &error);
if (bytes)
{
stream = g_memory_input_stream_new_from_bytes (bytes);
pixbuf = gdk_pixbuf_new_from_stream (stream, NULL, &error);
g_object_unref (stream);
if (pixbuf == NULL)
{
gtk_css_parser_emit_error (parser,
gtk_css_parser_get_start_location (parser),
gtk_css_parser_get_end_location (parser),
error);
g_clear_error (&error);
}
else
{
GdkTexture *texture = gdk_texture_new_for_pixbuf (pixbuf);
self->loaded_image = gtk_css_image_paintable_new (GDK_PAINTABLE (texture), GDK_PAINTABLE (texture));
g_object_unref (texture);
g_object_unref (pixbuf);
}
}
}
else
{
self->file = gtk_css_parser_resolve_url (parser, url);
}
g_free (url);
g_free (scheme);
return TRUE;
}
static GInputStream *
gdk_pixbuf_load (GLoadableIcon *icon,
int size,
char **type,
GCancellable *cancellable,
GError **error)
{
GInputStream *stream;
GBytes *bytes;
bytes = gdk_pixbuf_make_bytes (GDK_PIXBUF (icon), error);
if (!bytes)
return NULL;
stream = g_memory_input_stream_new_from_bytes (bytes);
g_bytes_unref (bytes);
if (type)
*type = g_strdup ("image/png");
return stream;
}
/**
* ostree_repo_static_delta_execute_offline:
* @self: Repo
* @dir_or_file: Path to a directory containing static delta data, or directly to the superblock
* @skip_validation: If %TRUE, assume data integrity
* @cancellable: Cancellable
* @error: Error
*
* Given a directory representing an already-downloaded static delta
* on disk, apply it, generating a new commit. The directory must be
* named with the form "FROM-TO", where both are checksums, and it
* must contain a file named "superblock", along with at least one part.
*/
gboolean
ostree_repo_static_delta_execute_offline (OstreeRepo *self,
GFile *dir_or_file,
gboolean skip_validation,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
guint i, n;
const char *dir_or_file_path = NULL;
glnx_fd_close int meta_fd = -1;
glnx_fd_close int dfd = -1;
g_autoptr(GVariant) meta = NULL;
g_autoptr(GVariant) headers = NULL;
g_autoptr(GVariant) metadata = NULL;
g_autoptr(GVariant) fallback = NULL;
g_autofree char *to_checksum = NULL;
g_autofree char *from_checksum = NULL;
g_autofree char *basename = NULL;
dir_or_file_path = gs_file_get_path_cached (dir_or_file);
/* First, try opening it as a directory */
dfd = glnx_opendirat_with_errno (AT_FDCWD, dir_or_file_path, TRUE);
if (dfd < 0)
{
if (errno != ENOTDIR)
{
glnx_set_error_from_errno (error);
goto out;
}
else
{
g_autofree char *dir = dirname (g_strdup (dir_or_file_path));
basename = g_path_get_basename (dir_or_file_path);
if (!glnx_opendirat (AT_FDCWD, dir, TRUE, &dfd, error))
goto out;
}
}
else
basename = g_strdup ("superblock");
meta_fd = openat (dfd, basename, O_RDONLY | O_CLOEXEC);
if (meta_fd < 0)
{
glnx_set_error_from_errno (error);
goto out;
}
if (!ot_util_variant_map_fd (meta_fd, 0, G_VARIANT_TYPE (OSTREE_STATIC_DELTA_SUPERBLOCK_FORMAT),
FALSE, &meta, error))
goto out;
/* Parsing OSTREE_STATIC_DELTA_SUPERBLOCK_FORMAT */
metadata = g_variant_get_child_value (meta, 0);
/* Write the to-commit object */
{
g_autoptr(GVariant) to_csum_v = NULL;
g_autoptr(GVariant) from_csum_v = NULL;
g_autoptr(GVariant) to_commit = NULL;
gboolean have_to_commit;
gboolean have_from_commit;
to_csum_v = g_variant_get_child_value (meta, 3);
if (!ostree_validate_structureof_csum_v (to_csum_v, error))
goto out;
to_checksum = ostree_checksum_from_bytes_v (to_csum_v);
from_csum_v = g_variant_get_child_value (meta, 2);
if (g_variant_n_children (from_csum_v) > 0)
{
if (!ostree_validate_structureof_csum_v (from_csum_v, error))
goto out;
from_checksum = ostree_checksum_from_bytes_v (from_csum_v);
if (!ostree_repo_has_object (self, OSTREE_OBJECT_TYPE_COMMIT, from_checksum,
&have_from_commit, cancellable, error))
goto out;
if (!have_from_commit)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Commit %s, which is the delta source, is not in repository", from_checksum);
goto out;
}
}
if (!ostree_repo_has_object (self, OSTREE_OBJECT_TYPE_COMMIT, to_checksum,
&have_to_commit, cancellable, error))
goto out;
if (!have_to_commit)
{
g_autofree char *detached_path = _ostree_get_relative_static_delta_path (from_checksum, to_checksum, "commitmeta");
g_autoptr(GVariant) detached_data = NULL;
detached_data = g_variant_lookup_value (metadata, detached_path, G_VARIANT_TYPE("a{sv}"));
if (detached_data && !ostree_repo_write_commit_detached_metadata (self,
to_checksum,
detached_data,
cancellable,
error))
goto out;
to_commit = g_variant_get_child_value (meta, 4);
if (!ostree_repo_write_metadata (self, OSTREE_OBJECT_TYPE_COMMIT,
to_checksum, to_commit, NULL,
cancellable, error))
goto out;
}
}
fallback = g_variant_get_child_value (meta, 7);
if (g_variant_n_children (fallback) > 0)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Cannot execute delta offline: contains nonempty http fallback entries");
goto out;
}
headers = g_variant_get_child_value (meta, 6);
n = g_variant_n_children (headers);
for (i = 0; i < n; i++)
{
guint32 version;
guint64 size;
guint64 usize;
const guchar *csum;
char checksum[OSTREE_SHA256_STRING_LEN+1];
gboolean have_all;
g_autoptr(GInputStream) part_in = NULL;
g_autoptr(GVariant) inline_part_data = NULL;
g_autoptr(GVariant) header = NULL;
g_autoptr(GVariant) csum_v = NULL;
g_autoptr(GVariant) objects = NULL;
g_autoptr(GVariant) part = NULL;
g_autofree char *deltapart_path = NULL;
OstreeStaticDeltaOpenFlags delta_open_flags =
skip_validation ? OSTREE_STATIC_DELTA_OPEN_FLAGS_SKIP_CHECKSUM : 0;
header = g_variant_get_child_value (headers, i);
g_variant_get (header, "(u@aytt@ay)", &version, &csum_v, &size, &usize, &objects);
if (version > OSTREE_DELTAPART_VERSION)
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Delta part has too new version %u", version);
goto out;
}
if (!_ostree_repo_static_delta_part_have_all_objects (self, objects, &have_all,
cancellable, error))
goto out;
/* If we already have these objects, don't bother executing the
* static delta.
*/
if (have_all)
continue;
csum = ostree_checksum_bytes_peek_validate (csum_v, error);
if (!csum)
goto out;
ostree_checksum_inplace_from_bytes (csum, checksum);
deltapart_path =
_ostree_get_relative_static_delta_part_path (from_checksum, to_checksum, i);
inline_part_data = g_variant_lookup_value (metadata, deltapart_path, G_VARIANT_TYPE("(yay)"));
if (inline_part_data)
{
g_autoptr(GBytes) inline_part_bytes = g_variant_get_data_as_bytes (inline_part_data);
part_in = g_memory_input_stream_new_from_bytes (inline_part_bytes);
/* For inline parts, we don't checksum, because it's
* included with the metadata, so we're not trying to
* protect against MITM or such. Non-security related
* checksums should be done at the underlying storage layer.
*/
delta_open_flags |= OSTREE_STATIC_DELTA_OPEN_FLAGS_SKIP_CHECKSUM;
if (!_ostree_static_delta_part_open (part_in, inline_part_bytes,
delta_open_flags,
NULL,
&part,
cancellable, error))
goto out;
}
else
{
g_autofree char *relpath = g_strdup_printf ("%u", i); /* TODO avoid malloc here */
glnx_fd_close int part_fd = openat (dfd, relpath, O_RDONLY | O_CLOEXEC);
if (part_fd < 0)
{
glnx_set_error_from_errno (error);
g_prefix_error (error, "Opening deltapart '%s': ", deltapart_path);
goto out;
}
part_in = g_unix_input_stream_new (part_fd, FALSE);
if (!_ostree_static_delta_part_open (part_in, NULL,
delta_open_flags,
checksum,
&part,
cancellable, error))
goto out;
}
if (!_ostree_static_delta_part_execute (self, objects, part, skip_validation,
NULL, cancellable, error))
{
g_prefix_error (error, "Executing delta part %i: ", i);
goto out;
}
}
ret = TRUE;
out:
return ret;
}
gboolean
rpmostree_compose_builtin_sign (int argc,
char **argv,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
GOptionContext *context = g_option_context_new ("- Use rpm-sign to sign an OSTree commit");
gs_unref_object GFile *repopath = NULL;
gs_unref_object OstreeRepo *repo = NULL;
gs_unref_object GFile *tmp_commitdata_file = NULL;
gs_unref_object GFileIOStream *tmp_sig_stream = NULL;
gs_unref_object GFile *tmp_sig_file = NULL;
gs_unref_object GFileIOStream *tmp_commitdata_stream = NULL;
GOutputStream *tmp_commitdata_output = NULL;
gs_unref_object GInputStream *commit_data = NULL;
gs_free char *checksum = NULL;
gs_unref_variant GVariant *commit_variant = NULL;
gs_unref_bytes GBytes *commit_bytes = NULL;
if (!rpmostree_option_context_parse (context, option_entries, &argc, &argv, error))
goto out;
if (!(opt_repo_path && opt_key_id && opt_rev))
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Missing required argument");
goto out;
}
repopath = g_file_new_for_path (opt_repo_path);
repo = ostree_repo_new (repopath);
if (!ostree_repo_open (repo, cancellable, error))
goto out;
if (!ostree_repo_resolve_rev (repo, opt_rev, FALSE, &checksum, error))
goto out;
if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT,
checksum, &commit_variant, error))
goto out;
commit_bytes = g_variant_get_data_as_bytes (commit_variant);
commit_data = (GInputStream*)g_memory_input_stream_new_from_bytes (commit_bytes);
tmp_commitdata_file = g_file_new_tmp ("tmpsigXXXXXX", &tmp_commitdata_stream,
error);
if (!tmp_commitdata_file)
goto out;
tmp_commitdata_output = (GOutputStream*)g_io_stream_get_output_stream ((GIOStream*)tmp_commitdata_stream);
if (g_output_stream_splice ((GOutputStream*)tmp_commitdata_output,
commit_data,
G_OUTPUT_STREAM_SPLICE_CLOSE_SOURCE |
G_OUTPUT_STREAM_SPLICE_CLOSE_TARGET,
cancellable, error) < 0)
goto out;
tmp_sig_file = g_file_new_tmp ("tmpsigoutXXXXXX", &tmp_sig_stream, error);
if (!tmp_sig_file)
goto out;
(void) g_io_stream_close ((GIOStream*)tmp_sig_stream, NULL, NULL);
if (!gs_subprocess_simple_run_sync (NULL, GS_SUBPROCESS_STREAM_DISPOSITION_NULL,
cancellable, error,
"rpm-sign",
"--key", opt_key_id,
"--detachsign", gs_file_get_path_cached (tmp_commitdata_file),
"--output", gs_file_get_path_cached (tmp_sig_file),
NULL))
goto out;
{
char *sigcontent = NULL;
gsize len;
gs_unref_bytes GBytes *sigbytes = NULL;
if (!g_file_load_contents (tmp_sig_file, cancellable, &sigcontent, &len, NULL,
error))
goto out;
sigbytes = g_bytes_new_take (sigcontent, len);
if (!ostree_repo_append_gpg_signature (repo, checksum, sigbytes,
cancellable, error))
goto out;
}
g_print ("Successfully signed OSTree commit=%s with key=%s\n",
checksum, opt_key_id);
ret = TRUE;
out:
if (tmp_commitdata_file)
(void) gs_file_unlink (tmp_commitdata_file, NULL, NULL);
if (tmp_sig_file)
(void) gs_file_unlink (tmp_sig_file, NULL, NULL);
return ret;
}
/**
* gs_plugin_file_to_app:
*/
gboolean
gs_plugin_file_to_app (GsPlugin *plugin,
GList **list,
GFile *file,
GCancellable *cancellable,
GError **error)
{
g_autofree gchar *content_type = NULL;
g_autofree gchar *id_prefixed = NULL;
g_autoptr(GBytes) appstream_gz = NULL;
g_autoptr(GBytes) icon_data = NULL;
g_autoptr(GBytes) metadata = NULL;
g_autoptr(GsApp) app = NULL;
g_autoptr(XdgAppBundleRef) xref_bundle = NULL;
const gchar *mimetypes[] = {
"application/vnd.xdgapp",
NULL };
/* does this match any of the mimetypes we support */
content_type = gs_utils_get_content_type (file, cancellable, error);
if (content_type == NULL)
return FALSE;
if (!g_strv_contains (mimetypes, content_type))
return TRUE;
/* load bundle */
xref_bundle = xdg_app_bundle_ref_new (file, error);
if (xref_bundle == NULL) {
g_prefix_error (error, "error loading bundle: ");
return FALSE;
}
/* create a virtual ID */
id_prefixed = gs_plugin_xdg_app_build_id (XDG_APP_REF (xref_bundle));
/* load metadata */
app = gs_app_new (id_prefixed);
gs_app_set_kind (app, AS_APP_KIND_DESKTOP);
gs_app_set_state (app, AS_APP_STATE_AVAILABLE_LOCAL);
gs_app_set_size_installed (app, xdg_app_bundle_ref_get_installed_size (xref_bundle));
gs_plugin_xdg_app_set_metadata (app, XDG_APP_REF (xref_bundle));
metadata = xdg_app_bundle_ref_get_metadata (xref_bundle);
if (!gs_plugin_xdg_app_set_app_metadata (app,
g_bytes_get_data (metadata, NULL),
g_bytes_get_size (metadata),
error))
return FALSE;
/* load AppStream */
appstream_gz = xdg_app_bundle_ref_get_appstream (xref_bundle);
if (appstream_gz != NULL) {
g_autoptr(GZlibDecompressor) decompressor = NULL;
g_autoptr(GInputStream) stream_gz = NULL;
g_autoptr(GInputStream) stream_data = NULL;
g_autoptr(GBytes) appstream = NULL;
g_autoptr(AsStore) store = NULL;
g_autofree gchar *id = NULL;
AsApp *item;
/* decompress data */
decompressor = g_zlib_decompressor_new (G_ZLIB_COMPRESSOR_FORMAT_GZIP);
stream_gz = g_memory_input_stream_new_from_bytes (appstream_gz);
if (stream_gz == NULL)
return FALSE;
stream_data = g_converter_input_stream_new (stream_gz,
G_CONVERTER (decompressor));
appstream = g_input_stream_read_bytes (stream_data,
0x100000, /* 1Mb */
cancellable,
error);
if (appstream == NULL)
return FALSE;
store = as_store_new ();
if (!as_store_from_bytes (store, appstream, cancellable, error))
return FALSE;
/* find app */
id = g_strdup_printf ("%s.desktop", gs_app_get_xdgapp_name (app));
item = as_store_get_app_by_id (store, id);
if (item == NULL) {
g_set_error (error,
GS_PLUGIN_ERROR,
GS_PLUGIN_ERROR_FAILED,
"application %s not found",
id);
return FALSE;
}
/* copy details from AppStream to app */
if (!gs_appstream_refine_app (plugin, app, item, error))
return FALSE;
}
/* load icon */
icon_data = xdg_app_bundle_ref_get_icon (xref_bundle,
64 * gs_plugin_get_scale (plugin));
if (icon_data == NULL)
icon_data = xdg_app_bundle_ref_get_icon (xref_bundle, 64);
if (icon_data != NULL) {
g_autoptr(GInputStream) stream_icon = NULL;
g_autoptr(GdkPixbuf) pixbuf = NULL;
stream_icon = g_memory_input_stream_new_from_bytes (icon_data);
pixbuf = gdk_pixbuf_new_from_stream (stream_icon, cancellable, error);
if (pixbuf == NULL)
return FALSE;
gs_app_set_pixbuf (app, pixbuf);
} else {
g_autoptr(AsIcon) icon = NULL;
icon = as_icon_new ();
as_icon_set_kind (icon, AS_ICON_KIND_STOCK);
as_icon_set_name (icon, "application-x-executable");
gs_app_set_icon (app, icon);
}
/* not quite true: this just means we can update this specific app */
if (xdg_app_bundle_ref_get_origin (xref_bundle))
gs_app_add_quirk (app, AS_APP_QUIRK_HAS_SOURCE);
g_debug ("created local app: %s", gs_app_to_string (app));
gs_app_list_add (list, app);
return TRUE;
}
gboolean
install_bundle (XdgAppDir *dir,
GOptionContext *context,
int argc, char **argv,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
g_autoptr(GFile) deploy_base = NULL;
g_autoptr(GFile) file = NULL;
g_autoptr(GFile) gpg_tmp_file = NULL;
const char *filename;
g_autofree char *ref = NULL;
g_autofree char *origin = NULL;
gboolean created_deploy_base = FALSE;
gboolean added_remote = FALSE;
g_autofree char *to_checksum = NULL;
g_auto(GStrv) parts = NULL;
g_autoptr(GBytes) gpg_data = NULL;
g_autofree char *remote = NULL;
OstreeRepo *repo;
g_autoptr(OstreeGpgVerifyResult) gpg_result = NULL;
g_autoptr(GError) my_error = NULL;
g_auto(GLnxLockFile) lock = GLNX_LOCK_FILE_INIT;
if (argc < 2)
return usage_error (context, "bundle filename must be specified", error);
filename = argv[1];
repo = xdg_app_dir_get_repo (dir);
if (!xdg_app_supports_bundles (repo))
return xdg_app_fail (error, "Your version of ostree is too old to support single-file bundles");
if (!xdg_app_dir_lock (dir, &lock,
cancellable, error))
goto out;
file = g_file_new_for_commandline_arg (filename);
{
g_autoptr(GVariant) delta = NULL;
g_autoptr(GVariant) metadata = NULL;
g_autoptr(GBytes) bytes = NULL;
g_autoptr(GVariant) to_csum_v = NULL;
g_autoptr(GVariant) gpg_value = NULL;
GMappedFile *mfile = g_mapped_file_new (gs_file_get_path_cached (file), FALSE, error);
if (mfile == NULL)
return FALSE;
bytes = g_mapped_file_get_bytes (mfile);
g_mapped_file_unref (mfile);
delta = g_variant_new_from_bytes (G_VARIANT_TYPE (OSTREE_STATIC_DELTA_SUPERBLOCK_FORMAT), bytes, FALSE);
g_variant_ref_sink (delta);
to_csum_v = g_variant_get_child_value (delta, 3);
if (!ostree_validate_structureof_csum_v (to_csum_v, error))
return FALSE;
to_checksum = ostree_checksum_from_bytes_v (to_csum_v);
metadata = g_variant_get_child_value (delta, 0);
if (!g_variant_lookup (metadata, "ref", "s", &ref))
return xdg_app_fail (error, "Invalid bundle, no ref in metadata");
if (!g_variant_lookup (metadata, "origin", "s", &origin))
origin = NULL;
gpg_value = g_variant_lookup_value (metadata, "gpg-keys", G_VARIANT_TYPE("ay"));
if (gpg_value)
{
gsize n_elements;
const char *data = g_variant_get_fixed_array (gpg_value, &n_elements, 1);
gpg_data = g_bytes_new (data, n_elements);
}
}
parts = xdg_app_decompose_ref (ref, error);
if (parts == NULL)
return FALSE;
deploy_base = xdg_app_dir_get_deploy_dir (dir, ref);
if (g_file_query_exists (deploy_base, cancellable))
return xdg_app_fail (error, "%s branch %s already installed", parts[1], parts[3]);
if (opt_gpg_file != NULL)
{
/* Override gpg_data from file */
gpg_data = read_gpg_data (cancellable, error);
if (gpg_data == NULL)
return FALSE;
}
/* Add a remote for later updates */
if (origin != NULL)
{
g_auto(GStrv) remotes = ostree_repo_remote_list (repo, NULL);
int version = 0;
do
{
g_autofree char *name = NULL;
if (version == 0)
name = g_strdup_printf ("%s-origin", parts[1]);
else
name = g_strdup_printf ("%s-%d-origin", parts[1], version);
version++;
if (remotes == NULL ||
!g_strv_contains ((const char * const *) remotes, name))
remote = g_steal_pointer (&name);
}
while (remote == NULL);
}
if (!ostree_repo_prepare_transaction (repo, NULL, cancellable, error))
return FALSE;
ostree_repo_transaction_set_ref (repo, remote, ref, to_checksum);
if (!ostree_repo_static_delta_execute_offline (repo,
file,
FALSE,
cancellable,
error))
return FALSE;
if (gpg_data)
{
g_autoptr(GFileIOStream) stream;
GOutputStream *o;
gpg_tmp_file = g_file_new_tmp (".xdg-app-XXXXXX", &stream, error);
if (gpg_tmp_file == NULL)
return FALSE;
o = g_io_stream_get_output_stream (G_IO_STREAM (stream));
if (!g_output_stream_write_all (o, g_bytes_get_data (gpg_data, NULL), g_bytes_get_size (gpg_data), NULL, cancellable, error))
return FALSE;
}
gpg_result = ostree_repo_verify_commit_ext (repo,
to_checksum,
NULL, gpg_tmp_file, cancellable, &my_error);
if (gpg_tmp_file)
g_file_delete (gpg_tmp_file, cancellable, NULL);
if (gpg_result == NULL)
{
/* NOT_FOUND means no gpg signature, we ignore this *if* there
* is no gpg key specified in the bundle or by the user */
if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND) &&
gpg_data == NULL)
g_clear_error (&my_error);
else
{
g_propagate_error (error, g_steal_pointer (&my_error));
return FALSE;
}
}
else
{
/* If there is no valid gpg signature we fail, unless there is no gpg
key specified (on the command line or in the file) because then we
trust the source bundle. */
if (ostree_gpg_verify_result_count_valid (gpg_result) == 0 &&
gpg_data != NULL)
return xdg_app_fail (error, "GPG signatures found, but none are in trusted keyring");
}
if (!ostree_repo_commit_transaction (repo, NULL, cancellable, error))
return FALSE;
if (!g_file_make_directory_with_parents (deploy_base, cancellable, error))
return FALSE;
/* From here we need to goto out on error, to clean up */
created_deploy_base = TRUE;
if (remote)
{
g_autoptr(GVariantBuilder) optbuilder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
g_autofree char *basename = g_file_get_basename (file);
g_variant_builder_add (optbuilder, "{s@v}",
"xa.title",
g_variant_new_variant (g_variant_new_string (basename)));
g_variant_builder_add (optbuilder, "{s@v}",
"xa.noenumerate",
g_variant_new_variant (g_variant_new_boolean (TRUE)));
g_variant_builder_add (optbuilder, "{s@v}",
"xa.prio",
g_variant_new_variant (g_variant_new_string ("0")));
if (!ostree_repo_remote_add (repo,
remote, origin, g_variant_builder_end (optbuilder), cancellable, error))
goto out;
added_remote = TRUE;
if (gpg_data)
{
g_autoptr(GInputStream) gpg_data_as_stream = g_memory_input_stream_new_from_bytes (gpg_data);
if (!ostree_repo_remote_gpg_import (repo, remote, gpg_data_as_stream,
NULL, NULL, cancellable, error))
goto out;
}
if (!xdg_app_dir_set_origin (dir, ref, remote, cancellable, error))
goto out;
}
if (!xdg_app_dir_deploy (dir, ref, to_checksum, cancellable, error))
goto out;
if (!xdg_app_dir_make_current_ref (dir, ref, cancellable, error))
goto out;
if (strcmp (parts[0], "app") == 0)
{
if (!xdg_app_dir_update_exports (dir, parts[1], cancellable, error))
goto out;
}
glnx_release_lock_file (&lock);
xdg_app_dir_cleanup_removed (dir, cancellable, NULL);
if (!xdg_app_dir_mark_changed (dir, error))
goto out;
ret = TRUE;
out:
if (created_deploy_base && !ret)
gs_shutil_rm_rf (deploy_base, cancellable, NULL);
if (added_remote && !ret)
ostree_repo_remote_delete (repo, remote, NULL, NULL);
return ret;
}
/**
* ot_file_replace_contents_at:
*
* Like g_file_replace_contents(), except using a fd-relative
* directory, and optionally enforces use of fdatasync().
*/
gboolean
ot_file_replace_contents_at (int dfd,
const char *path,
GBytes *contents,
gboolean datasync,
GCancellable *cancellable,
GError **error)
{
gboolean ret = FALSE;
int fd;
g_autofree char *tmpname = NULL;
g_autoptr(GOutputStream) stream = NULL;
g_autoptr(GInputStream) instream = NULL;
if (!gs_file_open_in_tmpdir_at (dfd, 0644,
&tmpname, &stream,
cancellable, error))
goto out;
g_assert (G_IS_FILE_DESCRIPTOR_BASED (stream));
fd = g_file_descriptor_based_get_fd (G_FILE_DESCRIPTOR_BASED (stream));
instream = g_memory_input_stream_new_from_bytes (contents);
if (g_bytes_get_size (contents) > 0)
{
int r = posix_fallocate (fd, 0, g_bytes_get_size (contents));
if (r != 0)
{
/* posix_fallocate is a weird deviation from errno standards */
errno = r;
glnx_set_error_from_errno (error);
goto out;
}
}
if (g_output_stream_splice (stream, instream, 0,
cancellable, error) < 0)
goto out;
if (datasync && fdatasync (fd) != 0)
{
glnx_set_error_from_errno (error);
goto out;
}
if (!g_output_stream_close (stream, cancellable, error))
goto out;
if (renameat (dfd, tmpname, dfd, path) == -1)
{
glnx_set_error_from_errno (error);
goto out;
}
g_clear_pointer (&tmpname, g_free);
ret = TRUE;
out:
if (tmpname)
(void) unlinkat (dfd, tmpname, 0);
return ret;
}
static gboolean
as_store_cab_from_bytes_with_origin (AsStore *store,
GBytes *bytes,
const gchar *basename,
GCancellable *cancellable,
GError **error)
{
g_autoptr(GCabCabinet) gcab = NULL;
g_autoptr(GError) error_local = NULL;
g_autofree gchar *tmp_path = NULL;
g_autoptr(GFile) tmp_file = NULL;
g_autoptr(GInputStream) input_stream = NULL;
g_autoptr(GPtrArray) filelist = NULL;
guint i;
/* open the file */
gcab = gcab_cabinet_new ();
input_stream = g_memory_input_stream_new_from_bytes (bytes);
if (!gcab_cabinet_load (gcab, input_stream, NULL, &error_local)) {
g_set_error (error,
AS_STORE_ERROR,
AS_STORE_ERROR_FAILED,
"cannot load .cab file: %s",
error_local->message);
return FALSE;
}
/* decompress to /tmp */
tmp_path = g_dir_make_tmp ("appstream-glib-XXXXXX", &error_local);
if (tmp_path == NULL) {
g_set_error (error,
AS_STORE_ERROR,
AS_STORE_ERROR_FAILED,
"failed to create temp dir: %s",
error_local->message);
return FALSE;
}
/* extract the entire cab file */
filelist = g_ptr_array_new_with_free_func (g_free);
tmp_file = g_file_new_for_path (tmp_path);
if (!gcab_cabinet_extract_simple (gcab, tmp_file,
as_store_cab_cb,
filelist, NULL, &error_local)) {
g_set_error (error,
AS_STORE_ERROR,
AS_STORE_ERROR_FAILED,
"failed to extract .cab file: %s",
error_local->message);
return FALSE;
}
/* loop through each file looking for components */
for (i = 0; i < filelist->len; i++) {
AsRelease *rel;
AsChecksum *csum_tmp;
const gchar *fn;
g_autofree gchar *tmp_fn = NULL;
g_autoptr(AsApp) app = NULL;
/* debug */
fn = g_ptr_array_index (filelist, i);
g_debug ("found file %u\t%s", i, fn);
/* if inf or metainfo, add */
if (as_format_guess_kind (fn) != AS_FORMAT_KIND_METAINFO)
continue;
tmp_fn = g_build_filename (tmp_path, fn, NULL);
app = as_app_new ();
if (!as_app_parse_file (app, tmp_fn,
AS_APP_PARSE_FLAG_NONE, &error_local)) {
g_set_error (error,
AS_STORE_ERROR,
AS_STORE_ERROR_FAILED,
"%s could not be loaded: %s",
tmp_fn,
error_local->message);
return FALSE;
}
/* only process the latest release */
rel = as_app_get_release_default (app);
if (rel == NULL) {
g_set_error_literal (error,
AS_STORE_ERROR,
AS_STORE_ERROR_FAILED,
"no releases in metainfo file");
return FALSE;
}
/* ensure we always have a container checksum */
csum_tmp = as_release_get_checksum_by_target (rel, AS_CHECKSUM_TARGET_CONTAINER);
if (csum_tmp == NULL) {
g_autoptr(AsChecksum) csum = NULL;
csum = as_checksum_new ();
as_checksum_set_target (csum, AS_CHECKSUM_TARGET_CONTAINER);
if (basename != NULL)
as_checksum_set_filename (csum, basename);
as_release_add_checksum (rel, csum);
}
/* set the container checksum */
if (!as_store_cab_verify_checksum_cab (rel, bytes, error))
return FALSE;
/* this is the size of the cab file itself */
if (as_release_get_size (rel, AS_SIZE_KIND_DOWNLOAD) == 0)
as_release_set_size (rel, AS_SIZE_KIND_DOWNLOAD,
g_bytes_get_size (bytes));
/* ensure we always have a content checksum */
csum_tmp = as_release_get_checksum_by_target (rel, AS_CHECKSUM_TARGET_CONTENT);
if (csum_tmp == NULL) {
g_autoptr(AsChecksum) csum = NULL;
csum = as_checksum_new ();
as_checksum_set_target (csum, AS_CHECKSUM_TARGET_CONTENT);
/* if this isn't true, a firmware needs to set in
* the metainfo.xml file something like:
* <checksum target="content" filename="FLASH.ROM"/> */
as_checksum_set_filename (csum, "firmware.bin");
as_release_add_checksum (rel, csum);
csum_tmp = csum;
}
if (!as_store_cab_verify_checksum_fw (csum_tmp, tmp_path, error))
return FALSE;
/* set blobs */
if (!as_store_cab_set_release_blobs (rel, tmp_path, error))
return FALSE;
/* add any component to the store */
as_store_add_app (store, app);
}
/* delete temp files */
for (i = 0; i < filelist->len; i++) {
const gchar *fn;
g_autofree gchar *tmp_fn = NULL;
fn = g_ptr_array_index (filelist, i);
tmp_fn = g_build_filename (tmp_path, fn, NULL);
g_unlink (tmp_fn);
}
g_rmdir (tmp_path);
/* success */
return TRUE;
}
int
rpmostree_compose_builtin_sign (int argc,
char **argv,
GCancellable *cancellable,
GError **error)
{
int exit_status = EXIT_FAILURE;
GOptionContext *context = g_option_context_new ("- Use rpm-sign to sign an OSTree commit");
g_autoptr(GFile) repopath = NULL;
glnx_unref_object OstreeRepo *repo = NULL;
g_autoptr(GFile) tmp_commitdata_file = NULL;
g_autoptr(GFileIOStream) tmp_sig_stream = NULL;
g_autoptr(GFile) tmp_sig_file = NULL;
g_autoptr(GFileIOStream) tmp_commitdata_stream = NULL;
GOutputStream *tmp_commitdata_output = NULL;
g_autoptr(GInputStream) commit_data = NULL;
g_autofree char *checksum = NULL;
g_autoptr(GVariant) commit_variant = NULL;
g_autoptr(GBytes) commit_bytes = NULL;
if (!rpmostree_option_context_parse (context,
option_entries,
&argc, &argv,
RPM_OSTREE_BUILTIN_FLAG_LOCAL_CMD,
cancellable,
NULL,
error))
goto out;
if (!(opt_repo_path && opt_key_id && opt_rev))
{
rpmostree_usage_error (context, "Missing required argument", error);
goto out;
}
repopath = g_file_new_for_path (opt_repo_path);
repo = ostree_repo_new (repopath);
if (!ostree_repo_open (repo, cancellable, error))
goto out;
if (!ostree_repo_resolve_rev (repo, opt_rev, FALSE, &checksum, error))
goto out;
if (!ostree_repo_load_variant (repo, OSTREE_OBJECT_TYPE_COMMIT,
checksum, &commit_variant, error))
goto out;
commit_bytes = g_variant_get_data_as_bytes (commit_variant);
commit_data = (GInputStream*)g_memory_input_stream_new_from_bytes (commit_bytes);
tmp_commitdata_file = g_file_new_tmp ("tmpsigXXXXXX", &tmp_commitdata_stream,
error);
if (!tmp_commitdata_file)
goto out;
tmp_commitdata_output = (GOutputStream*)g_io_stream_get_output_stream ((GIOStream*)tmp_commitdata_stream);
if (g_output_stream_splice ((GOutputStream*)tmp_commitdata_output,
commit_data,
G_OUTPUT_STREAM_SPLICE_CLOSE_SOURCE |
G_OUTPUT_STREAM_SPLICE_CLOSE_TARGET,
cancellable, error) < 0)
goto out;
tmp_sig_file = g_file_new_tmp ("tmpsigoutXXXXXX", &tmp_sig_stream, error);
if (!tmp_sig_file)
goto out;
(void) g_io_stream_close ((GIOStream*)tmp_sig_stream, NULL, NULL);
{ const char *child_argv[] = { "rpm-sign",
"--key", opt_key_id,
"--detachsign", gs_file_get_path_cached (tmp_commitdata_file),
"--output", gs_file_get_path_cached (tmp_sig_file),
NULL };
int estatus;
if (!g_spawn_sync (NULL, (char**)child_argv, NULL, G_SPAWN_SEARCH_PATH, NULL, NULL,
NULL, NULL, &estatus, error))
goto out;
if (!g_spawn_check_exit_status (estatus, error))
goto out;
}
{
char *sigcontent = NULL;
gsize len;
g_autoptr(GBytes) sigbytes = NULL;
if (!g_file_load_contents (tmp_sig_file, cancellable, &sigcontent, &len, NULL,
error))
goto out;
sigbytes = g_bytes_new_take (sigcontent, len);
if (!ostree_repo_append_gpg_signature (repo, checksum, sigbytes,
cancellable, error))
goto out;
}
g_print ("Successfully signed OSTree commit=%s with key=%s\n",
checksum, opt_key_id);
exit_status = EXIT_SUCCESS;
out:
if (tmp_commitdata_file)
(void) unlink (gs_file_get_path_cached (tmp_commitdata_file));
if (tmp_sig_file)
(void) unlink (gs_file_get_path_cached (tmp_sig_file));
return exit_status;
}
