From: Robert McQueen
Date: Thu, 3 Aug 2017 09:54:33 +0000 (+0100)
Subject: lib/gpg: Provide the public key to the duplicate check
X-Git-Tag: archive/raspbian/2022.1-3+rpi1~1^2~4^2~32^2~27
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=59dff7175eb3f8befec1c5d7532a36d8d5633873;p=ostree.git
lib/gpg: Provide the public key to the duplicate check
Add keys from the signing homedir to the GpgVerifier used to look for duplicate signatures. This will allow signatures from subkeys to be canonicalised and recognised as already signed despite the differing key ID, avoiding duplicate signatures.
Closes: https://github.com/ostreedev/ostree/issues/608
Closes: #1092
Approved by: cgwalters
---
diff --git a/src/libostree/ostree-repo.c b/src/libostree/ostree-repo.c
index e7807d11..7ad2019e 100644
--- a/src/libostree/ostree-repo.c
+++ b/src/libostree/ostree-repo.c
@@ -4261,11 +4261,14 @@ ostree_repo_sign_commit (OstreeRepo *self,
 /* The verify operation is merely to parse any existing signatures to
 * check if the commit has already been signed with the given key ID.
- * We want to avoid storing duplicate signatures in the metadata. */
+ * We want to avoid storing duplicate signatures in the metadata. We
+ * pass the homedir so that the signing key can be imported, allowing
+ * subkey signatures to be recognised. */
 g_autoptr(GError) local_error = NULL;
+ g_autoptr(GFile) verify_keydir = g_file_new_for_path (homedir);
 g_autoptr(OstreeGpgVerifyResult) result =_ostree_repo_gpg_verify_with_metadata (self, commit_data, old_metadata,
- NULL, NULL, NULL,
+ NULL, verify_keydir, NULL,
 cancellable, &local_error);
 if (!result) {
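Review bot: The added `verify_keydir` line calls `g_file_new_for_path (homedir)` unconditionally, and nothing visible in the hunk establishes that `homedir` is non-NULL. The signature and the rest of ostree_repo_sign_commit lie outside the hunk, so this is inferred, but if callers can pass NULL to select the default GPG home, GLib's precondition check will log a critical and return NULL on every such signing call. A guard keeps the earlier behaviour for that case: `g_autoptr(GFile) verify_keydir = NULL;` followed by `if (homedir != NULL) verify_keydir = g_file_new_for_path (homedir);`. The comment could also state that the keys imported from the signing homedir serve only to canonicalise key IDs for the duplicate check, so a later reader does not take this verifier result as a trust decision about the commit.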