From: Hans-Christoph Steiner
Date: Thu, 3 May 2018 11:46:36 +0000 (+0200)
Subject: delete .java.security after checking MD5 signatures
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=cc1e10a37ae16b849f3e64ad126dcd7264ce8188;hp=03ad2578d4a826a9ef767f9d1ff4a32fe901e090;p=fdroidserver.git

delete .java.security after checking MD5 signatures

This file is written freshly each time before use, so it does not need to be ekpt around. It was the only file making the fdroiddata.git repo dirty on the f-droid.org infrastructure.

This also adds stricter file permissions to avoid an attacker changing those settings during operation.
---
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index ca50ceea..68b7e79e 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2665,12 +2665,20 @@ def verify_old_apk_signature(apk):
jarsigner passes unsigned APKs as "verified"! So this has to turn on -strict then check for result 4.
+ Just to be safe, this never reuses the file, and locks down the
+ file permissions while in use. That should prevent a bad actor
+ from changing the settings during operation.
+ :returns: boolean whether the APK was verified
+ """
_java_security = os.path.join(os.getcwd(), '.java.security')
+ if os.path.exists(_java_security):
+ os.remove(_java_security)
with open(_java_security, 'w') as fp:
fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
+ os.chmod(_java_security, 0o400)
try:
cmd = [
@@ -2685,6 +2693,10 @@ def verify_old_apk_signature(apk):
else:
logging.debug(_('JAR signature verified: {path}').format(path=apk))
return True
+ finally:
+ if os.path.exists(_java_security):
+ os.chmod(_java_security, 0o600)
+ os.remove(_java_security)
logging.error(_('Old APK signature failed to verify: {path}').format(path=apk) + '\n' + output.decode('utf-8'))
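Review bot: The new remove-then-`open(_java_security, 'w')` sequence on a fixed name in `os.getcwd()` is still a symlink race: anyone who can write to the working directory can plant a link called `.java.security` between the `os.remove` and the `open` (and `os.path.exists` is False for a dangling link, so such a link is not even removed), after which the write follows the link and the `0o400` chmod lands on the attacker's target file. The `0o400` mode only narrows other users; a process running as the same uid can chmod or replace the file at will, so the added docstring sentence "That should prevent a bad actor from changing the settings during operation" overstates what the mode buys and should be softened to say it only keeps the file read-only for other users. Creating the file exclusively closes the window and makes the exists/remove pair unnecessary: `fd, _java_security = tempfile.mkstemp(prefix='java.security.')` followed by `with os.fdopen(fd, 'w') as fp:` yields a fresh 0600 file under a private name (the default tmpdir also keeps the checkout clean, which the commit message cites as the motivation); `tempfile` would need importing if common.py does not already. The enclosing function starts outside the hunk.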
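Review bot: The cleanup in the new `finally` block guards the removal with `os.path.exists`, which returns False for a dangling symlink, so a link planted at `.java.security` survives this call and is followed by the `open(..., 'w')` earlier in the function on the next run (that part lies outside this hunk). The check-then-remove pair is also a small TOCTOU window; the EAFP form handles both cases: `try:` / `os.chmod(_java_security, 0o600); os.remove(_java_security)` / `except FileNotFoundError: pass` (Python 3; on a 2/3 file catch `OSError` and test `errno.ENOENT`). On POSIX the file's own mode does not govern unlink, so the `os.chmod(_java_security, 0o600)` appears to be a concession to platforms that refuse to delete read-only files; a one-line comment such as `# read-only files cannot be unlinked on Windows` would stop the next reader from removing it as dead code. The enclosing function starts before the hunk and presumably continues past it.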