kamp/fdroidserver
1
0
Fork 0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-10-01 00:30:13 +02:00
Code Activity

Merge branch 'fix-virustotal-from-mirror' into 'master'

Browse Source 
Fix virustotal from mirror

See merge request fdroid/fdroidserver!604
This commit is contained in:
Hans-Christoph Steiner 2019-01-03 19:26:01 +00:00
commit 9c900ed63c
2 changed files with 34 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
fdroidserver/index.py
View File

@ -687,15 +687,18 @@ def get_mirror_service_urls(url):
def download_repo_index(url_str, etag=None, verify_fingerprint=True):
"""
Downloads the repository index from the given :param url_str
and verifies the repository's fingerprint if :param verify_fingerprint is not False.
"""Downloads and verifies index file, then returns its data.
Downloads the repository index from the given :param url_str and
verifies the repository's fingerprint if :param verify_fingerprint
is not False.
:raises: VerificationException() if the repository could not be verified
:return: A tuple consisting of:
- The index in JSON format or None if the index did not change
- The new eTag as returned by the HTTP request
"""
url = urllib.parse.urlsplit(url_str)
@ -713,32 +716,31 @@ def download_repo_index(url_str, etag=None, verify_fingerprint=True):
return None, new_etag
with tempfile.NamedTemporaryFile() as fp:
# write and open JAR file
fp.write(download)
jar = zipfile.ZipFile(fp)
# verify that the JAR signature is valid
logging.debug(_('Verifying index signature:'))
common.verify_jar_signature(fp.name)
# get public key and its fingerprint from JAR
public_key, public_key_fingerprint = get_public_key_from_jar(jar)
# compare the fingerprint if verify_fingerprint is True
if verify_fingerprint and fingerprint.upper() != public_key_fingerprint:
raise VerificationException(_("The repository's fingerprint does not match."))
# load repository index from JSON
index = json.loads(jar.read('index-v1.json').decode("utf-8"))
index["repo"]["pubkey"] = hexlify(public_key).decode("utf-8")
index, public_key, public_key_fingerprint = get_index_from_jar(fp.name, fingerprint)
index["repo"]["pubkey"] = hexlify(public_key).decode()
index["repo"]["fingerprint"] = public_key_fingerprint
# turn the apps into App objects
index["apps"] = [metadata.App(app) for app in index["apps"]]
return index, new_etag
def get_index_from_jar(jarfile, fingerprint=None):
"""Returns the data, public key, and fingerprint from index-v1.jar
:raises: VerificationException() if the repository could not be verified
"""
logging.debug(_('Verifying index signature:'))
common.verify_jar_signature(jarfile)
with zipfile.ZipFile(jarfile) as jar:
public_key, public_key_fingerprint = get_public_key_from_jar(jar)
if fingerprint is not None:
if fingerprint.upper() != public_key_fingerprint:
raise VerificationException(_("The repository's fingerprint does not match."))
data = json.loads(jar.read('index-v1.json').decode())
return data, public_key, public_key_fingerprint
def get_public_key_from_jar(jar):
"""
Get the public key and its fingerprint from a JAR file.

10
fdroidserver/server.py
View File

@ -31,6 +31,7 @@ import shutil
from . import _
from . import common
from . import index
from .exception import FDroidException
config = None
@ -478,9 +479,14 @@ def upload_to_virustotal(repo_section, vt_apikey):
if repo_section == 'repo':
if not os.path.exists('virustotal'):
os.mkdir('virustotal')
if os.path.exists(os.path.join(repo_section, 'index-v1.json')):
with open(os.path.join(repo_section, 'index-v1.json')) as fp:
index = json.load(fp)
for packageName, packages in index['packages'].items():
data = json.load(fp)
else:
data, _ignored, _ignored = index.get_index_from_jar(os.path.join(repo_section, 'index-v1.jar'))
for packageName, packages in data['packages'].items():
for package in packages:
outputfilename = os.path.join('virustotal',
packageName + '_' + str(package.get('versionCode'))