delete .java.security after checking MD5 signatures
This file is written freshly each time before use, so it does not need to be kept around. It was the only file making the fdroiddata.git repo dirty on the f-droid.org infrastructure. This also adds stricter file permissions to avoid an attacker changing those settings during operation.
parent
03ad2578d4
commit
cc1e10a37a
@ -2665,12 +2665,20 @@ def verify_old_apk_signature(apk):
|
|||||||
jarsigner passes unsigned APKs as "verified"! So this has to turn
|
jarsigner passes unsigned APKs as "verified"! So this has to turn
|
||||||
on -strict then check for result 4.
|
on -strict then check for result 4.
|
||||||
|
|
||||||
|
Just to be safe, this never reuses the file, and locks down the
|
||||||
|
file permissions while in use. That should prevent a bad actor
|
||||||
|
from changing the settings during operation.
|
||||||
|
|
||||||
:returns: boolean whether the APK was verified
|
:returns: boolean whether the APK was verified
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
_java_security = os.path.join(os.getcwd(), '.java.security')
|
_java_security = os.path.join(os.getcwd(), '.java.security')
|
||||||
|
if os.path.exists(_java_security):
|
||||||
|
os.remove(_java_security)
|
||||||
with open(_java_security, 'w') as fp:
|
with open(_java_security, 'w') as fp:
|
||||||
fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
|
fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
|
||||||
|
os.chmod(_java_security, 0o400)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
cmd = [
|
cmd = [
|
||||||
@ -2685,6 +2693,10 @@ def verify_old_apk_signature(apk):
|
|||||||
else:
|
else:
|
||||||
logging.debug(_('JAR signature verified: {path}').format(path=apk))
|
logging.debug(_('JAR signature verified: {path}').format(path=apk))
|
||||||
return True
|
return True
|
||||||
|
finally:
|
||||||
|
if os.path.exists(_java_security):
|
||||||
|
os.chmod(_java_security, 0o600)
|
||||||
|
os.remove(_java_security)
|
||||||
|
|
||||||
logging.error(_('Old APK signature failed to verify: {path}').format(path=apk)
|
logging.error(_('Old APK signature failed to verify: {path}').format(path=apk)
|
||||||
+ '\n' + output.decode('utf-8'))
|
+ '\n' + output.decode('utf-8'))
|
||||||
|
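Review bot: In the first hunk the file is still created by `open(_java_security, 'w')` with default permissions and only narrowed by `os.chmod(_java_security, 0o400)` after the write, so it is briefly writable, and the `os.path.exists`/`os.remove`/`open` sequence will follow a symlink that appears at that path in between. Creating it exclusively with its final mode closes both gaps: `fd = os.open(_java_security, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)` followed by `with os.fdopen(fd, 'w') as fp:`. Mode 0400 does not stop anyone who can write to the working directory from unlinking and replacing the file, so the docstring's claim holds only if that directory is not writable by others; a comment such as `# relies on cwd not being writable by other users` would make that explicit. The creation code also sits before `try:`, so a failure in the write or the chmod is not covered by the new `finally` cleanup. The body of verify_old_apk_signature starts and ends outside both hunks, so how the command consumes the file is not visible here.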