From 0adb2575fe42cc4e65b4dec20a9edfe270266164 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 5 Jun 2014 15:50:21 -0400 Subject: [PATCH 1/3] update: add stricter checking when updating repo index using rsync rsync uses the modification time and size of the file when deciding whether to update a file. These are relatively easy to control in malicious code, so instead make rsync use a full MD5 checksum when deciding whether the index needs to be updated. I suppose we could add an option to use checksum checking on all files, but since the signed repo already provides a checksum check, it seems not worth the added load on the process. Also, renamed 'index' to 'indexxml' to make it clear what is the XML and what is the JAR. --- fdroidserver/server.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/fdroidserver/server.py b/fdroidserver/server.py index 3bf5e581..833a88e0 100644 --- a/fdroidserver/server.py +++ b/fdroidserver/server.py 
@@ -116,23 +116,24 @@ def update_awsbucket(repo_section): def update_serverwebroot(repo_section): - rsyncargs = ['rsync', '-u', '-r', '--delete'] + rsyncargs = ['rsync', '--update', '--recursive', '--delete'] if options.verbose: rsyncargs += ['--verbose'] if options.quiet: rsyncargs += ['--quiet'] - index = os.path.join(repo_section, 'index.xml') + indexxml = os.path.join(repo_section, 'index.xml') indexjar = os.path.join(repo_section, 'index.jar') # serverwebroot is guaranteed to have a trailing slash in common.py if subprocess.call(rsyncargs + - ['--exclude', index, '--exclude', indexjar, + ['--exclude', indexxml, '--exclude', indexjar, repo_section, config['serverwebroot']]) != 0: sys.exit(1) - if subprocess.call(rsyncargs + - [index, config['serverwebroot'] + repo_section]) != 0: + # use stricter checking on the indexes since they provide the signature + rsyncargs += ['--checksum'] + sectionpath = config['serverwebroot'] + repo_section + if subprocess.call(rsyncargs + [indexxml, sectionpath]) != 0: sys.exit(1) - if subprocess.call(rsyncargs + - [indexjar, config['serverwebroot'] + repo_section]) != 0: + if subprocess.call(rsyncargs + [indexjar, sectionpath]) != 0: sys.exit(1) From e68413a752090628b77df9734fa343fa2b3cfd54 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 5 Jun 2014 16:21:12 -0400 Subject: [PATCH 2/3] server: specify an identity file for SSH when rsyncing This allows the SSH key used to sync with the server to be specified via the config.py or the command line. I need it for running automated tests and setups. --- completion/bash-completion | 4 ++-- examples/config.py | 3 +++ fdroidserver/server.py | 6 ++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/completion/bash-completion b/completion/bash-completion index 5916c669..42be8de3 100644 --- a/completion/bash-completion +++ b/completion/bash-completion 
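Review bot: The two index transfers at the end of update_serverwebroot still carry `--update`, which can defeat the new `--checksum`. Per the rsync manual, `--update` skips any destination file whose modification time is newer than the source, and that skip appears to be decided before checksums are compared. An index.xml or index.jar altered on the server and given a newer mtime would then be left in place, which is the case this commit sets out to close. Build the index arguments without it, e.g. `indexargs = [a for a in rsyncargs if a != '--update'] + ['--checksum']`, and pass `indexargs` to both index calls.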
@@ -247,8 +247,8 @@ __complete_stats() { } __complete_server() { - opts="-h -v -q" - lopts="--help --verbose --quiet update" + opts="-h -i -v -q" + lopts="--help --identity-file --verbose --quiet update" __complete_options } diff --git a/examples/config.py b/examples/config.py index 501a4f1e..df1ec79b 100644 --- a/examples/config.py +++ b/examples/config.py @@ -105,6 +105,9 @@ keyaliases['com.example.another.plugin'] = '@com.example.another' # sub-directories (i.e. /var/www/packagerepos/fdroid). # serverwebroot = 'user@example:/var/www/fdroid' +# optionally specific which identity file to use when using rsync over SSH +# identity_file = '~/.ssh/fdroid_id_rsa' + # To upload the repo to an Amazon S3 bucket using `fdroid server update`. # Warning, this deletes and recreates the whole fdroid/ directory each # time. This is based on apache-libcloud, which supports basically all cloud diff --git a/fdroidserver/server.py b/fdroidserver/server.py index 833a88e0..0d5874ec 100644 --- a/fdroidserver/server.py +++ b/fdroidserver/server.py @@ -121,6 +121,10 @@ def update_serverwebroot(repo_section): rsyncargs += ['--verbose'] if options.quiet: rsyncargs += ['--quiet'] + if options.identity_file is not None: + rsyncargs += ['-e', 'ssh -i ' + options.identity_file] + if 'identity_file' in config: + rsyncargs += ['-e', 'ssh -i ' + config['identity_file']] indexxml = os.path.join(repo_section, 'index.xml') indexjar = os.path.join(repo_section, 'index.jar') # serverwebroot is guaranteed to have a trailing slash in common.py @@ -142,6 +146,8 @@ def main(): # Parse command line... parser = OptionParser() + parser.add_option("-i", "--identity-file", default=None, + help="Specify an identity file to provide to SSH for rsyncing") parser.add_option("-v", "--verbose", action="store_true", default=False, help="Spew out even more information than normal") parser.add_option("-q", "--quiet", action="store_true", default=False, 
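Review bot: In the fdroidserver/server.py hunk for update_serverwebroot, the two independent `if` tests append a second `-e` when both `--identity-file` and a config `identity_file` are set, so the config value presumably wins over the command line (rsync keeps the last `-e`). Making the second test `elif 'identity_file' in config:` gives the command-line option precedence. The path is also concatenated unquoted into the `-e` string, which rsync splits on spaces, so a path containing a space either breaks the command or is read as further ssh arguments; quoting it, e.g. `'ssh -i "' + options.identity_file + '"'`, keeps it a single argument. The function body continues outside the hunk.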
From 97334286eaf77d6090adccb3e96374b6a21c901a Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 5 Jun 2014 16:55:52 -0400 Subject: [PATCH 3/3] tests: turn off unneeded debug logging during APK copying The whole process of finding and copying APKs can be very verbose, so turn of the bash verbose logging during that process. --- tests/run-tests | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/run-tests b/tests/run-tests index baa239ec..08f59585 100755 --- a/tests/run-tests +++ b/tests/run-tests @@ -1,7 +1,7 @@ #!/bin/bash -set -e -set -x +set -e # quit script on error +set -x # show each command as it is executed echo_header() { echo "==============================================================================" @@ -9,6 +9,7 @@ echo_header() { } copy_apks_into_repo() { + set +x for f in `find $APKDIR -name '*.apk' | grep -F -v -e unaligned -e unsigned`; do name=$(basename $(dirname `dirname $f`)) apk=`aapt dump badging "$f" | sed -n "s,^package: name='\(.*\)' versionCode='\([0-9][0-9]*\)' .*,\1_\2.apk,p"` @@ -19,6 +20,7 @@ copy_apks_into_repo() { rsync -axv $f $1/repo/$apk # rsync if hard link is not possible fi done + set -x } create_fake_android_home() {