From cc1e10a37ae16b849f3e64ad126dcd7264ce8188 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Thu, 3 May 2018 13:46:36 +0200
Subject: [PATCH 1/1] delete .java.security after checking MD5 signatures

This file is written freshly each time before use, so it does not need to be ekpt around. It was the only file making the fdroiddata.git repo dirty on the f-droid.org infrastructure. This also adds stricter file permissions to avoid an attacker changing those settings during operation.
---
 fdroidserver/common.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index ca50ceea..68b7e79e 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2665,12 +2665,20 @@ def verify_old_apk_signature(apk): jarsigner passes unsigned APKs as "verified"! So this has to turn on -strict then check for result 4.
+ Just to be safe, this never reuses the file, and locks down the
+ file permissions while in use. That should prevent a bad actor
+ from changing the settings during operation.
+
 :returns: boolean whether the APK was verified
+
 """
 _java_security = os.path.join(os.getcwd(), '.java.security')
+ if os.path.exists(_java_security):
+ os.remove(_java_security)
 with open(_java_security, 'w') as fp:
 fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
+ os.chmod(_java_security, 0o400)
 try:
 cmd = [
@@ -2685,6 +2693,10 @@ def verify_old_apk_signature(apk):
 else:
 logging.debug(_('JAR signature verified: {path}').format(path=apk))
 return True
+ finally:
+ if os.path.exists(_java_security):
+ os.chmod(_java_security, 0o600)
+ os.remove(_java_security)
 logging.error(_('Old APK signature failed to verify: {path}').format(path=apk) + '\n' + output.decode('utf-8'))
-- 
2.30.2
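Review bot: The new exists/remove, `open(_java_security, 'w')`, `os.chmod(_java_security, 0o400)` sequence in the first hunk still creates `.java.security` at a fixed, predictable name in the working directory under the process umask and only tightens the mode afterwards, so anyone else who can write to that directory can race the removal or the write (for example by planting a symlink at that name, which `open(..., 'w')` would follow), and `0o400` does not stop the same user, who can simply `chmod` it back; the docstring's claim that this "should prevent a bad actor from changing the settings" is therefore stronger than what the code provides. Creating the file with `tempfile.mkstemp` gives an exclusively created `0o600` file with no pre-existence check and no fixed name to race, and the system temp dir also keeps the fdroiddata checkout clean; the `finally` block in the second hunk stays as it is and removes that path. This assumes the `cmd` list, which continues outside the first hunk, passes `_java_security` by its path rather than relying on the literal name, and it needs `import tempfile` if common.py does not already have it. Both hunks are inside `verify_old_apk_signature`, whose body continues outside them.
```python
    # mkstemp creates the file exclusively with mode 0o600, so no
    # exists/remove/chmod sequence is needed and a pre-planted file or
    # symlink at a fixed name cannot be raced.
    fd, _java_security = tempfile.mkstemp(prefix='.java.security.')
    with os.fdopen(fd, 'w') as fp:
        fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')

    try:
        # … unchanged: jarsigner invocation and result handling …
    finally:
        if os.path.exists(_java_security):
            os.chmod(_java_security, 0o600)
            os.remove(_java_security)
```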