mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-10-01 00:30:13 +02:00
Merge branch 'fix-virustotal-from-mirror' into 'master'
Fix virustotal from mirror See merge request fdroid/fdroidserver!604
This commit is contained in:
commit
9c900ed63c
@ -687,15 +687,18 @@ def get_mirror_service_urls(url):
|
||||
|
||||
|
||||
def download_repo_index(url_str, etag=None, verify_fingerprint=True):
|
||||
"""
|
||||
Downloads the repository index from the given :param url_str
|
||||
and verifies the repository's fingerprint if :param verify_fingerprint is not False.
|
||||
"""Downloads and verifies index file, then returns its data.
|
||||
|
||||
Downloads the repository index from the given :param url_str and
|
||||
verifies the repository's fingerprint if :param verify_fingerprint
|
||||
is not False.
|
||||
|
||||
:raises: VerificationException() if the repository could not be verified
|
||||
|
||||
:return: A tuple consisting of:
|
||||
- The index in JSON format or None if the index did not change
|
||||
- The new eTag as returned by the HTTP request
|
||||
|
||||
"""
|
||||
url = urllib.parse.urlsplit(url_str)
|
||||
|
||||
@ -713,32 +716,31 @@ def download_repo_index(url_str, etag=None, verify_fingerprint=True):
|
||||
return None, new_etag
|
||||
|
||||
with tempfile.NamedTemporaryFile() as fp:
|
||||
# write and open JAR file
|
||||
fp.write(download)
|
||||
jar = zipfile.ZipFile(fp)
|
||||
|
||||
# verify that the JAR signature is valid
|
||||
logging.debug(_('Verifying index signature:'))
|
||||
common.verify_jar_signature(fp.name)
|
||||
|
||||
# get public key and its fingerprint from JAR
|
||||
public_key, public_key_fingerprint = get_public_key_from_jar(jar)
|
||||
|
||||
# compare the fingerprint if verify_fingerprint is True
|
||||
if verify_fingerprint and fingerprint.upper() != public_key_fingerprint:
|
||||
raise VerificationException(_("The repository's fingerprint does not match."))
|
||||
|
||||
# load repository index from JSON
|
||||
index = json.loads(jar.read('index-v1.json').decode("utf-8"))
|
||||
index["repo"]["pubkey"] = hexlify(public_key).decode("utf-8")
|
||||
index, public_key, public_key_fingerprint = get_index_from_jar(fp.name, fingerprint)
|
||||
index["repo"]["pubkey"] = hexlify(public_key).decode()
|
||||
index["repo"]["fingerprint"] = public_key_fingerprint
|
||||
|
||||
# turn the apps into App objects
|
||||
index["apps"] = [metadata.App(app) for app in index["apps"]]
|
||||
|
||||
return index, new_etag
|
||||
|
||||
|
||||
def get_index_from_jar(jarfile, fingerprint=None):
|
||||
"""Returns the data, public key, and fingerprint from index-v1.jar
|
||||
|
||||
:raises: VerificationException() if the repository could not be verified
|
||||
"""
|
||||
|
||||
logging.debug(_('Verifying index signature:'))
|
||||
common.verify_jar_signature(jarfile)
|
||||
with zipfile.ZipFile(jarfile) as jar:
|
||||
public_key, public_key_fingerprint = get_public_key_from_jar(jar)
|
||||
if fingerprint is not None:
|
||||
if fingerprint.upper() != public_key_fingerprint:
|
||||
raise VerificationException(_("The repository's fingerprint does not match."))
|
||||
data = json.loads(jar.read('index-v1.json').decode())
|
||||
return data, public_key, public_key_fingerprint
|
||||
|
||||
|
||||
def get_public_key_from_jar(jar):
|
||||
"""
|
||||
Get the public key and its fingerprint from a JAR file.
|
||||
|
@ -31,6 +31,7 @@ import shutil
|
||||
|
||||
from . import _
|
||||
from . import common
|
||||
from . import index
|
||||
from .exception import FDroidException
|
||||
|
||||
config = None
|
||||
@ -478,9 +479,14 @@ def upload_to_virustotal(repo_section, vt_apikey):
|
||||
if repo_section == 'repo':
|
||||
if not os.path.exists('virustotal'):
|
||||
os.mkdir('virustotal')
|
||||
|
||||
if os.path.exists(os.path.join(repo_section, 'index-v1.json')):
|
||||
with open(os.path.join(repo_section, 'index-v1.json')) as fp:
|
||||
index = json.load(fp)
|
||||
for packageName, packages in index['packages'].items():
|
||||
data = json.load(fp)
|
||||
else:
|
||||
data, _ignored, _ignored = index.get_index_from_jar(os.path.join(repo_section, 'index-v1.jar'))
|
||||
|
||||
for packageName, packages in data['packages'].items():
|
||||
for package in packages:
|
||||
outputfilename = os.path.join('virustotal',
|
||||
packageName + '_' + str(package.get('versionCode'))
|
||||
|
Loading…
Reference in New Issue
Block a user