
gpg-sign all valid files in the repo, including source tarballs

This makes sure there is a GPG signature on any file that is included in
the repo, including APKs, OBB, source tarballs, media files, OTA update
ZIPs, etc.  Having a GPG signature is more important on non-APK files since
they mostly do not have any signature mechanism of their own.

This also adds basic tests of adding non-APK/OBB files to a repo with
`fdroid update`.

closes #232
merge-requests/181/head
Hans-Christoph Steiner 4 years ago
parent
commit
56d51fcd6b
11 changed files with 35 additions and 11 deletions
  1. +1
    -1
      examples/config.py
  2. +11
    -0
      fdroidserver/common.py
  3. +9
    -6
      fdroidserver/gpgsign.py
  4. +1
    -3
      fdroidserver/update.py
  5. BIN
      tests/gnupghome/pubring.gpg
  6. BIN
      tests/gnupghome/random_seed
  7. BIN
      tests/gnupghome/secring.gpg
  8. BIN
      tests/gnupghome/trustdb.gpg
  9. BIN
      tests/repo/fake.ota.update_1234.zip
  10. BIN
      tests/repo/obb.main.twoversions_1101617_src.tar.gz
  11. +13
    -1
      tests/run-tests

+ 1
- 1
examples/config.py View File

@ -86,7 +86,7 @@ The repository of older versions of applications from the main demo repository.
# current_version_name_source = 'id'
# Optionally, override home directory for gpg
# gpghome = /home/fdroid/somewhere/else/.gnupg
# gpghome = '/home/fdroid/somewhere/else/.gnupg'
# The ID of a GPG key for making detached signatures for apks. Optional.
# gpgkey = '1DBA2E89'

+ 11
- 0
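--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2084,3 +2084,14 @@ def get_per_app_repos():
 repos.append(d)
 break
 return repos
+def is_repo_file(filename):
+'''Whether the file in a repo is a build product to be delivered to users'''
+return os.path.isfile(filename) \
+and os.path.basename(filename) not in [
+'index.jar',
+'index.xml',
+'index.html',
+'categories.txt',
+]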
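Review bot: `is_repo_file` treats detached signature files as deliverables: after `fdroid gpgsign` the repo directory holds a `<file>.asc` next to each product, and nothing in this helper excludes them, so a caller that relies on it alone (the `scan_repo_files` hunk in update.py only skips apk/obb by extension in what is visible) would take `.asc` files as repo files unless it filters them further down. Adding `and not filename.endswith('.asc')` to the chain keeps that exclusion in one place rather than in gpgsign.py's own loop. The docstring should also state that the argument is checked with `os.path.isfile`, i.e. it must be a path resolvable from the current directory, not a bare directory entry.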

+ 9
- 6
fdroidserver/gpgsign.py View File

@ -50,10 +50,13 @@ def main():
sys.exit(1)
# Process any apks that are waiting to be signed...
for apkfile in sorted(glob.glob(os.path.join(output_dir, '*.apk'))):
apkfilename = os.path.basename(apkfile)
sigfilename = apkfilename + ".asc"
for f in sorted(glob.glob(os.path.join(output_dir, '*.*'))):
if common.get_file_extension(f) == 'asc':
continue
if not common.is_repo_file(f):
continue
filename = os.path.basename(f)
sigfilename = filename + ".asc"
sigpath = os.path.join(output_dir, sigfilename)
if not os.path.exists(sigpath):
@ -64,13 +67,13 @@ def main():
gpgargs.extend(['--homedir', config['gpghome']])
if 'gpgkey' in config:
gpgargs.extend(['--local-user', config['gpgkey']])
gpgargs.append(os.path.join(output_dir, apkfilename))
gpgargs.append(os.path.join(output_dir, filename))
p = FDroidPopen(gpgargs)
if p.returncode != 0:
logging.error("Signing failed.")
sys.exit(1)
logging.info('Signed ' + apkfilename)
logging.info('Signed ' + filename)
if __name__ == "__main__":
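Review bot: The `if not os.path.exists(sigpath)` guard at the end of the first hunk skips any file whose `.asc` already exists, so a product replaced in place while its old signature stays behind is never re-signed and ships with a signature that no longer verifies; the old apk-only loop had the same shortcut, but this hunk extends it to the source tarballs and OTA ZIPs the commit message says have no other signature mechanism. A cheap improvement is to re-sign when the file is newer than its signature, `if not os.path.exists(sigpath) or os.path.getmtime(sigpath) < os.path.getmtime(f):`, or to verify the existing `.asc` before trusting it. The `'*.*'` glob also leaves files without a dot in their name unsigned, which may be intended but deserves a comment. `main()` starts and ends outside the hunk.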

+ 1
- 3
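--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -517,13 +517,11 @@ def scan_repo_files(apkcache, repodir, knownapks, use_date_from_file=False):
 cachechanged = False
 repo_files = []
 for name in os.listdir(repodir):
-if name in ['index.jar', 'index.xml', 'index.html', 'categories.txt', ]:
-continue
 file_extension = common.get_file_extension(name)
 if file_extension == 'apk' or file_extension == 'obb':
 continue
 filename = os.path.join(repodir, name)
-if not os.path.isfile(filename):
+if not common.is_repo_file(name):
 continue
 stat = os.stat(filename)
 if stat.st_size == 0: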
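Review bot: `common.is_repo_file(name)` is handed the bare directory entry, but the helper (common.py hunk) calls `os.path.isfile` on its argument, so the existence check is made relative to the current working directory rather than `repodir`; a file present only under `repodir` fails the test and is silently skipped, and a same-named file in the cwd would pass it. The joined path is already computed on the line above, so the call should be `if not common.is_repo_file(filename):`. The run-tests additions appear to check only the `.asc` outputs of gpgsign, which passes full paths, so they would not catch this. `scan_repo_files` continues outside the hunk.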

BIN
tests/gnupghome/pubring.gpg View File


BIN
tests/gnupghome/random_seed View File


BIN
tests/gnupghome/secring.gpg View File


BIN
tests/gnupghome/trustdb.gpg View File


BIN
tests/repo/fake.ota.update_1234.zip View File


BIN
tests/repo/obb.main.twoversions_1101617_src.tar.gz View File


+ 13
- 1
tests/run-tests View File

@ -139,21 +139,33 @@ $fdroid update
#------------------------------------------------------------------------------#
echo_header "copy tests/repo, generate a keystore, and update"
echo_header "copy tests/repo, generate java/gpg keys, update, and gpgsign"
REPOROOT=`create_test_dir`
GNUPGHOME=$REPOROOT/gnupghome
cd $REPOROOT
$fdroid init
cp -a $WORKSPACE/tests/metadata $WORKSPACE/tests/repo $REPOROOT/
cp -a $WORKSPACE/tests/gnupghome $GNUPGHOME
chmod 0700 $GNUPGHOME
echo "accepted_formats = ['json', 'txt', 'xml', 'yml']" >> config.py
echo "install_list = 'org.adaway'" >> config.py
echo "uninstall_list = {'com.android.vending', 'com.facebook.orca',}" >> config.py
echo "gpghome = '$GNUPGHOME'" >> config.py
echo "gpgkey = 'CE71F7FB'" >> config.py
$fdroid update --verbose
test -e repo/index.xml
test -e repo/index.jar
grep -F '<application id=' repo/index.xml > /dev/null
grep -F '<install packageName=' repo/index.xml > /dev/null
grep -F '<uninstall packageName=' repo/index.xml > /dev/null
$fdroid gpgsign --verbose
$fdroid gpgsign --verbose
test -e repo/obb.mainpatch.current_1619.apk.asc
test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc
! test -e repo/obb.mainpatch.current_1619.apk.asc.asc
! test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc.asc
! test -e repo/index.xml.asc
#------------------------------------------------------------------------------#
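Review bot: The new assertions only check that the `.asc` files exist (`test -e repo/obb.main.twoversions_1101617_src.tar.gz.asc` and the apk line above it), not that they are valid detached signatures over those files made by the configured key, so a signing step that wrote an empty or mismatched `.asc` would still pass. Adding `gpg --homedir $GNUPGHOME --verify repo/obb.main.twoversions_1101617_src.tar.gz.asc repo/obb.main.twoversions_1101617_src.tar.gz` (and the same for the apk) pins the property the commit is about. The repeated `$fdroid gpgsign --verbose` together with the `! test -e ...asc.asc` checks appears to be an idempotence test and is worth a one-line comment saying so.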
