lib/gpg: Provide the public key to the duplicate check
authorRobert McQueen <rob@endlessm.com>
Thu, 3 Aug 2017 09:54:33 +0000 (10:54 +0100)
committerAtomic Bot <atomic-devel@projectatomic.io>
Thu, 7 Sep 2017 19:56:31 +0000 (19:56 +0000)
Add keys from the signing homedir to the GpgVerifier used to look
for duplicate signatures. This will allow signatures from subkeys
to be canonicalised and recognised as already signed despite the
differing key ID, avoiding duplicate signatures.

Closes: https://github.com/ostreedev/ostree/issues/608
Closes: #1092
Approved by: cgwalters

src/libostree/ostree-repo.c

index e7807d119d67719bcb2d384e63ffe915fa0be76a..7ad2019eba91114bf5e57a36a315f684bea10824 100644 (file)
@@ -4261,11 +4261,14 @@ ostree_repo_sign_commit (OstreeRepo     *self,
 
   /* The verify operation is merely to parse any existing signatures to
    * check if the commit has already been signed with the given key ID.
-   * We want to avoid storing duplicate signatures in the metadata. */
+   * We want to avoid storing duplicate signatures in the metadata. We
+   * pass the homedir so that the signing key can be imported, allowing
+   * subkey signatures to be recognised. */
   g_autoptr(GError) local_error = NULL;
+  g_autoptr(GFile) verify_keydir = g_file_new_for_path (homedir);
   g_autoptr(OstreeGpgVerifyResult) result
     =_ostree_repo_gpg_verify_with_metadata (self, commit_data, old_metadata,
-                                            NULL, NULL, NULL,
+                                            NULL, verify_keydir, NULL,
                                             cancellable, &local_error);
   if (!result)
     {
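Review bot: `g_file_new_for_path (homedir)` on the added `verify_keydir` line runs unconditionally, so a NULL `homedir` would trip GLib's precondition check (a critical warning and a NULL return) before the duplicate check starts. The parameter declaration is outside the hunk, but if callers may pass NULL to select the default GnuPG home, guard the call: `g_autoptr(GFile) verify_keydir = homedir ? g_file_new_for_path (homedir) : NULL;`. The block comment could also state that keys imported from the signing homedir serve only this duplicate-signature lookup, so `result` is not reused later as a trust decision about the commit. The body of ostree_repo_sign_commit starts and ends outside the hunk.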