- if (!i->sha256sums_job)
- return 0;
-
- assert(i->raw_job->state == IMPORT_JOB_DONE);
- assert(i->raw_job->sha256);
-
- assert(i->sha256sums_job->state == IMPORT_JOB_DONE);
- assert(i->sha256sums_job->payload);
- assert(i->sha256sums_job->payload_size > 0);
-
- r = import_url_last_component(i->raw_job->url, &fn);
- if (r < 0)
- return log_oom();
-
- if (!filename_is_valid(fn)) {
- log_error("Cannot verify checksum, could not determine valid server-side file name.");
- return -EBADMSG;
- }
-
- line = strappenda(i->raw_job->sha256, " *", fn, "\n");
-
- p = memmem(i->sha256sums_job->payload,
- i->sha256sums_job->payload_size,
- line,
- strlen(line));
-
- if (!p || (p != (char*) i->sha256sums_job->payload && p[-1] != '\n')) {
- log_error("Checksum did not check out, payload has been tempered with.");
- return -EBADMSG;
- }
-
- log_info("SHA256 checksum of %s is valid.", i->raw_job->url);
-
- if (!i->signature_job)
- return 0;
-
- assert(i->signature_job->state == IMPORT_JOB_DONE);
- assert(i->signature_job->payload);
- assert(i->signature_job->payload_size > 0);
-
- r = pipe2(gpg_pipe, O_CLOEXEC);
- if (r < 0)
- return log_error_errno(errno, "Failed to create pipe: %m");
-
- sig_file = mkostemp(sig_file_path, O_RDWR);
- if (sig_file < 0)
- return log_error_errno(errno, "Failed to create temporary file: %m");
-
- r = loop_write(sig_file, i->signature_job->payload, i->signature_job->payload_size, false);
- if (r < 0) {
- log_error_errno(r, "Failed to write to temporary file: %m");
- goto finish;
- }
-
- pid = fork();
- if (pid < 0)
- return log_error_errno(errno, "Failed to fork off gpg: %m");
- if (pid == 0) {
- const char *cmd[] = {
- "gpg",
- "--no-options",
- "--no-default-keyring",
- "--no-auto-key-locate",
- "--no-auto-check-trustdb",
- "--batch",
- "--trust-model=always",
- "--keyring=" VENDOR_KEYRING_PATH,
- NULL, /* maybe user keyring */
- NULL, /* --verify */
- NULL, /* signature file */
- NULL, /* dash */
- NULL /* trailing NULL */
- };
- unsigned k = ELEMENTSOF(cmd) - 5;
- int null_fd;
-
- /* Child */
-
- reset_all_signal_handlers();
- reset_signal_mask();
- assert_se(prctl(PR_SET_PDEATHSIG, SIGTERM) == 0);
-
- gpg_pipe[1] = safe_close(gpg_pipe[1]);
-
- if (dup2(gpg_pipe[0], STDIN_FILENO) != STDIN_FILENO) {
- log_error_errno(errno, "Failed to dup2() fd: %m");
- _exit(EXIT_FAILURE);
- }
-
- if (gpg_pipe[0] != STDIN_FILENO)
- gpg_pipe[0] = safe_close(gpg_pipe[0]);
-
- null_fd = open("/dev/null", O_WRONLY|O_NOCTTY);
- if (null_fd < 0) {
- log_error_errno(errno, "Failed to open /dev/null: %m");
- _exit(EXIT_FAILURE);
- }
-
- if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) {
- log_error_errno(errno, "Failed to dup2() fd: %m");
- _exit(EXIT_FAILURE);
- }
-
- if (null_fd != STDOUT_FILENO)
- null_fd = safe_close(null_fd);
-
- /* We add the user keyring only to the command line
- * arguments, if it's around since gpg fails
- * otherwise. */
- if (access(USER_KEYRING_PATH, F_OK) >= 0)
- cmd[k++] = "--keyring=" USER_KEYRING_PATH;