pull: Verify checksums from static deltas unless gpg signed summary

Otherwise untrusted repos can lie about the commit ids.

diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 915385737ac7dc9f0cf2da6c745d7c6b0418c168..4c3b14bf75b55d36925b519edc3b6fd524bb3738 100644 (file)
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -977,7 +977,8 @@ static_deltapart_fetch_on_complete (GObject           *object,
     _ostree_static_delta_part_execute_async (pull_data->repo,
                                              fetch_data->objects,
                                              delta_data,
-                                             TRUE,
+                                             /* Trust checksums if summary was gpg signed */
+                                             pull_data->gpg_verify_summary && pull_data->summary_data_sig,
                                              pull_data->cancellable,
                                              on_static_delta_written,
                                              fetch_data);
@@ -1629,7 +1630,8 @@ process_one_static_delta (OtPullData   *pull_data,
           _ostree_static_delta_part_execute_async (pull_data->repo,
                                                    fetch_data->objects,
                                                    delta_data,
-                                                   TRUE,
+                                                   /* Trust checksums if summary was gpg signed */
+                                                   pull_data->gpg_verify_summary && pull_data->summary_data_sig,
                                                    pull_data->cancellable,
                                                    on_static_delta_written,
                                                    fetch_data);