diff options
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox')
-rw-r--r-- | bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java | 41 |
1 files changed, 31 insertions, 10 deletions
diff --git a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java index 92aee7199..83aef67a9 100644 --- a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java +++ b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java @@ -96,6 +96,7 @@ public class CertificateChecker { private IStatus checkCertificates(SignedContentFactory verifierFactory) { UIServices serviceUI = agent.getService(UIServices.class); ArrayList<Certificate> untrustedCertificates = new ArrayList<>(); + Map<IArtifactDescriptor, Collection<Long>> untrustedPGPKeyIDArtifacts = new HashMap<>(); Map<IArtifactDescriptor, Collection<PGPPublicKey>> untrustedPGPArtifacts = new HashMap<>(); Map<IArtifactDescriptor, File> unsigned = new HashMap<>(); ArrayList<Certificate[]> untrustedChain = new ArrayList<>(); @@ -132,14 +133,26 @@ public class CertificateChecker { if (!signatures.isEmpty()) { if (trustedKeysIds.isEmpty() && !trustedKeys.get().isEmpty()) { trustedKeysIds.addAll(trustedKeys.get().all().stream() - .map(PGPPublicKey::getKeyID).map(Long::valueOf).collect(Collectors.toSet())); + .map(PGPPublicKey::getKeyID).collect(Collectors.toSet())); } - if (signatures.stream().map(PGPSignature::getKeyID).noneMatch(trustedKeysIds::contains)) { - untrustedPGPArtifacts.put(artifact.getKey(), - signatures.stream().map(PGPSignature::getKeyID) - .map(id -> findKey(id, artifact.getKey())) - .filter(Objects::nonNull) - .collect(Collectors.toList())); + Set<Long> untrustedKeyIds = signatures.stream().map(PGPSignature::getKeyID) + .collect(Collectors.toCollection(LinkedHashSet::new)); + // If any key is already trusted, then we don't need to prompt for any of the + // other keys. + if (!untrustedKeyIds.removeAll(trustedKeysIds)) { + untrustedPGPKeyIDArtifacts.put(artifact.getKey(), untrustedKeyIds); + List<PGPPublicKey> untrustedKeys = untrustedKeyIds.stream() + .map(id -> findKey(id, artifact.getKey())) + .filter(Objects::nonNull) + .collect(Collectors.toList()); + if (untrustedKeys.isEmpty()) { + // If no keys can be found for any of the signatures, treat the artifact like + // unsigned content because none of the signatures can actually be verified. + unsigned.put(artifact.getKey(), artifactFile); + } else { + // Otherwise, one of these keys needs to be trusted. + untrustedPGPArtifacts.put(artifact.getKey(), untrustedKeys); + } } } else { unsigned.put(artifact.getKey(), artifactFile); @@ -196,7 +209,15 @@ public class CertificateChecker { } String[] details = EngineActivator.UNSIGNED_ALLOW.equals(policy) || unsigned.isEmpty() ? null - : unsigned.values().stream().map(Object::toString).toArray(String[]::new); + : unsigned.entrySet().stream().map(entry -> { + String detail = entry.getValue().toString(); + Collection<Long> unknownIds = untrustedPGPKeyIDArtifacts.get(entry.getKey()); + if (unknownIds != null) { + return detail + unknownIds.stream().map(Objects::toString) + .collect(Collectors.joining(", ", " [", "]")); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ + } + return detail; + }).toArray(String[]::new); Certificate[][] unTrustedCertificateChains = untrustedCertificates.isEmpty() ? null : untrustedChain.toArray(Certificate[][]::new); // If there was no unsigned content, and nothing untrusted, no need to prompt. @@ -326,8 +347,8 @@ public class CertificateChecker { } // load from bundles providing capability for (IConfigurationElement extension : RegistryFactory.getRegistry() - .getConfigurationElementsFor(EngineActivator.ID + ".pgp")) { - if ("trustedKeys".equals(extension.getName())) { + .getConfigurationElementsFor(EngineActivator.ID + ".pgp")) { //$NON-NLS-1$ + if ("trustedKeys".equals(extension.getName())) { //$NON-NLS-1$ String pathInBundle = extension.getAttribute("path"); //$NON-NLS-1$ if (pathInBundle != null) { Stream.of(EngineActivator.getContext().getBundles()) |