author | Timo Teras <timo.teras@iki.fi> | 2009-07-22 21:04:54 +0300 |
---|---|---|
committer | Timo Teras <timo.teras@iki.fi> | 2009-07-22 21:04:54 +0300 |
commit | 79f43861e60e83d916c8499f247523dd73586248 (patch) | |
tree | f59a7de1067b0132bb8b3dc78cc58985ccee9161 /src | |
parent | 718ef3079ea18fcb588264d26e3316628ad18ba0 (diff) | |
download | apk-tools-79f43861e60e83d916c8499f247523dd73586248.tar.gz apk-tools-79f43861e60e83d916c8499f247523dd73586248.tar.bz2 apk-tools-79f43861e60e83d916c8499f247523dd73586248.tar.xz apk-tools-79f43861e60e83d916c8499f247523dd73586248.zip |
signing: verify and generate identity
fixes verification of non-repository packages while installing
them. this is the final thing needed for full signing support
(fixes #46).
Diffstat (limited to 'src')
-rw-r--r-- | src/add.c | 4 | ||||
-rw-r--r-- | src/apk_package.h | 1 | ||||
-rw-r--r-- | src/package.c | 6 |
3 files changed, 9 insertions, 2 deletions
@@ -128,8 +128,8 @@ static int add_main(void *ctx, int argc, char **argv)
 goto err;
 }

- /* FIXME: should verify the package too */
- apk_sign_ctx_init(&sctx, APK_SIGN_GENERATE, NULL);
+ apk_sign_ctx_init(&sctx, APK_SIGN_VERIFY_AND_GENERATE,
+ NULL);
 r = apk_pkg_read(&db, argv[i], &sctx, &pkg);
 apk_sign_ctx_free(&sctx);
 if (r != 0) {
diff --git a/src/apk_package.h b/src/apk_package.h
index be7395f..96d7840 100644
--- a/src/apk_package.h
+++ b/src/apk_package.h
@@ -35,6 +35,7 @@ struct apk_name;
 #define APK_SIGN_VERIFY_IDENTITY 2
 #define APK_SIGN_GENERATE_V1 3
 #define APK_SIGN_GENERATE 4
+#define APK_SIGN_VERIFY_AND_GENERATE 5

 struct apk_sign_ctx {
 int action;
diff --git a/src/package.c b/src/package.c
index 0ef1d59..1c9ff3d 100644
--- a/src/package.c
+++ b/src/package.c
@@ -311,6 +311,7 @@ void apk_sign_ctx_init(struct apk_sign_ctx *ctx, int action,
 ctx->data_started = 1;
 break;
 case APK_SIGN_GENERATE:
+ case APK_SIGN_VERIFY_AND_GENERATE:
 default:
 action = APK_SIGN_GENERATE;
 ctx->md = EVP_sha1();
@@ -466,6 +467,7 @@ int apk_sign_ctx_mpart_cb(void *ctx, int part, apk_blob_t data)

 switch (sctx->action) {
 case APK_SIGN_VERIFY:
+ case APK_SIGN_VERIFY_AND_GENERATE:
 if (sctx->signature.pkey == NULL) {
 if (apk_flags & APK_ALLOW_UNTRUSTED)
 break;
@@ -502,6 +504,10 @@ int apk_sign_ctx_mpart_cb(void *ctx, int part, apk_blob_t data)
 return -ECANCELED;
 break;
 }
+ if (sctx->action == APK_SIGN_VERIFY_AND_GENERATE) {
+ sctx->identity.type = EVP_MD_CTX_size(&sctx->mdctx);
+ EVP_DigestFinal_ex(&sctx->mdctx, sctx->identity.data, NULL);
+ }
 reset_digest:
 EVP_DigestInit_ex(&sctx->mdctx, sctx->md, NULL); |
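Review bot: In apk_sign_ctx_init (src/package.c, hunk at -311) the new `case APK_SIGN_VERIFY_AND_GENERATE:` label falls through into the `default:` arm, whose first statement is `action = APK_SIGN_GENERATE;`. The function starts and ends outside the hunk, so it is not visible whether `ctx->action` is stored before or after this switch. If it is stored after, the context is silently downgraded to generate-only, the new verify case in apk_sign_ctx_mpart_cb is never reached, and a locally supplied package is installed without signature verification. Giving the new action its own arm removes that dependency on statement order: `case APK_SIGN_VERIFY_AND_GENERATE: ctx->md = EVP_sha1(); break;`.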
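Review bot: The block added to apk_sign_ctx_mpart_cb (src/package.c, hunk at -502) ignores the result of `EVP_DigestFinal_ex`, and it sets `identity.type` from `EVP_MD_CTX_size` before knowing that the digest was produced. On failure `sctx->identity.data` keeps its previous contents while `identity.type` claims a valid digest length, and that identity is presumably what the just-verified package is recorded under. I would finalise first and fail closed, e.g. `if (EVP_DigestFinal_ex(&sctx->mdctx, sctx->identity.data, NULL) != 1) return -ECANCELED;`, with the error code chosen to match the function's convention, most of which lies outside the hunk. A short comment that `identity.data` must hold at least `EVP_MD_CTX_size()` bytes would also help, since nothing in the visible lines checks the destination size.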