--gpg-verify-summary
--require-static-deltas
--untrusted
+ --disable-verify-bindings
"
local options_with_args="
--untrusted
--bareuseronly-files
--dry-run
+ --disable-verify-bindings
"
local options_with_args="
Do not trust source, verify checksums and don't hardlink into source.
</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--disable-verify-bindings</option></term>
+
+ <listitem><para>
+ Disable verification of commit metadata bindings.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
Specifies how many times each download should be retried upon error (default: 5)
</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--disable-verify-bindings</option></term>
+
+ <listitem><para>
+ Disable verification of commit metadata bindings.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
gboolean require_static_deltas;
gboolean disable_static_deltas;
gboolean has_tombstone_commits;
+ gboolean disable_verify_bindings;
GBytes *summary_data;
char *summary_etag;
if (!ostree_repo_load_commit (pull_data->repo, checksum, &commit, &commitstate, error))
return FALSE;
- /* If ref is non-NULL then the commit we fetched was requested through the
- * branch, otherwise we requested a commit checksum without specifying a branch.
- */
- g_autofree char *remote_collection_id = NULL;
- remote_collection_id = get_remote_repo_collection_id (pull_data);
- if (!_ostree_repo_verify_bindings (remote_collection_id,
- (ref != NULL) ? ref->ref_name : NULL,
- commit, error))
- return glnx_prefix_error (error, "Commit %s", checksum);
+ if (!pull_data->disable_verify_bindings) {
+ /* If ref is non-NULL then the commit we fetched was requested through the
+ * branch, otherwise we requested a commit checksum without specifying a branch.
+ */
+ g_autofree char *remote_collection_id = NULL;
+ remote_collection_id = get_remote_repo_collection_id (pull_data);
+ if (!_ostree_repo_verify_bindings (remote_collection_id,
+ (ref != NULL) ? ref->ref_name : NULL,
+ commit, error))
+ return glnx_prefix_error (error, "Commit %s", checksum);
+ }
guint64 new_ts = ostree_commit_get_timestamp (commit);
if (pull_data->timestamp_check)
* specified, the `summary` will be downloaded from the remote. Since: 2020.5
* * `summary-sig-bytes` (`ay`): Contents of the `summary.sig` file. If this
* is specified, `summary-bytes` must also be specified. Since: 2020.5
+ * * `disable-verify-bindings` (`b`): Disable verification of commit bindings.
+ * Since: 2020.9
*/
gboolean
ostree_repo_pull_with_options (OstreeRepo *self,
g_variant_lookup (options, "ref-keyring-map", "a(sss)", &ref_keyring_map_iter);
(void) g_variant_lookup (options, "summary-bytes", "@ay", &summary_bytes_v);
(void) g_variant_lookup (options, "summary-sig-bytes", "@ay", &summary_sig_bytes_v);
+ (void) g_variant_lookup (options, "disable-verify-bindings", "b", &pull_data->disable_verify_bindings);
if (pull_data->remote_refspec_name != NULL)
pull_data->remote_name = g_strdup (pull_data->remote_refspec_name);
static gboolean opt_require_static_deltas;
static gboolean opt_gpg_verify;
static gboolean opt_gpg_verify_summary;
+static gboolean opt_disable_verify_bindings;
static int opt_depth = 0;
/* ATTENTION:
{ "require-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_require_static_deltas, "Require static deltas", NULL },
{ "gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify, "GPG verify commits (must specify --remote)", NULL },
{ "gpg-verify-summary", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify_summary, "GPG verify summary (must specify --remote)", NULL },
+ { "disable-verify-bindings", 0, 0, G_OPTION_ARG_NONE, &opt_disable_verify_bindings, "Do not verify commit bindings", NULL },
{ "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" },
{ NULL }
};
if (opt_gpg_verify_summary)
g_variant_builder_add (&builder, "{s@v}", "gpg-verify-summary",
g_variant_new_variant (g_variant_new_boolean (TRUE)));
+ g_variant_builder_add (&builder, "{s@v}", "disable-verify-bindings",
+ g_variant_new_variant (g_variant_new_boolean (opt_disable_verify_bindings)));
g_variant_builder_add (&builder, "{s@v}", "depth",
g_variant_new_variant (g_variant_new_int32 (opt_depth)));
/* local pulls always disable signapi verification. If you don't want this, use
static gboolean opt_untrusted;
static gboolean opt_http_trusted;
static gboolean opt_timestamp_check;
+static gboolean opt_disable_verify_bindings;
static char* opt_timestamp_check_from_rev;
static gboolean opt_bareuseronly_files;
static char** opt_subpaths;
{ "localcache-repo", 'L', 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_localcache_repos, "Add REPO as local cache source for objects during this pull", "REPO" },
{ "timestamp-check", 'T', 0, G_OPTION_ARG_NONE, &opt_timestamp_check, "Require fetched commits to have newer timestamps", NULL },
{ "timestamp-check-from-rev", 0, 0, G_OPTION_ARG_STRING, &opt_timestamp_check_from_rev, "Require fetched commits to have newer timestamps than given rev", NULL },
+ { "disable-verify-bindings", 0, 0, G_OPTION_ARG_NONE, &opt_disable_verify_bindings, "Do not verify commit bindings", NULL },
/* let's leave this hidden for now; we just need it for tests */
{ "append-user-agent", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_STRING, &opt_append_user_agent, "Append string to user agent", NULL },
{ NULL }
if (opt_per_object_fsync)
g_variant_builder_add (&builder, "{s@v}", "per-object-fsync",
g_variant_new_variant (g_variant_new_boolean (TRUE)));
+ g_variant_builder_add (&builder, "{s@v}", "disable-verify-bindings",
+ g_variant_new_variant (g_variant_new_boolean (opt_disable_verify_bindings)));
if (opt_http_headers)
{
GVariantBuilder hdr_builder;
local branch=$3
shift 3
- if ${CMD_PREFIX} ostree "--repo=${repo}" pull "${remote_repo}-remote" "${branch}"
+ if ${CMD_PREFIX} ostree "--repo=${repo}" pull "$@" "${remote_repo}-remote" "${branch}"
then return 0
else return 1
fi
local branch=$3
shift 3
- if ${CMD_PREFIX} ostree "--repo=${repo}" pull-local "${remote_repo}" "${branch}"
+ if ${CMD_PREFIX} ostree "--repo=${repo}" pull-local "$@" "${remote_repo}" "${branch}"
then return 0
else return 1
fi
then
assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail"
fi
+do_pull local collection-repo badcref1 --disable-verify-bindings
if do_pull local collection-repo badcref2
then
assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail"
fi
+do_pull local collection-repo badcref2 --disable-verify-bindings
if do_pull local collection-repo badcref3
then
assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail"
fi
+do_pull local collection-repo badcref3 --disable-verify-bindings
do_pull local collection-repo goodcref1
if do_pull local collection-repo badcref4
then
assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail"
fi
+do_pull local collection-repo badcref4 --disable-verify-bindings
echo "ok 5 pull refs from remote repos"
then
assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail"
fi
+do_local_pull local collection-local-repo badclref1 --disable-verify-bindings
if do_local_pull local collection-local-repo badclref2
then
assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail"
fi
+do_local_pull local collection-local-repo badclref2 --disable-verify-bindings
if do_local_pull local collection-local-repo badclref3
then
assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail"
fi
+do_local_pull local collection-local-repo badclref3 --disable-verify-bindings
do_local_pull local collection-local-repo goodclref1
if do_local_pull local collection-local-repo badclref4
then
assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail"
fi
+do_local_pull local collection-local-repo badclref4 --disable-verify-bindings
echo "ok 6 pull refs from local repos"
projects / ostree.git / commitdiff