[PATCH setup draft 4/4] If signature validation is turned off, check 'release:' tag
Ken Brown
kbrown@cornell.edu
Mon Dec 11 21:41:00 GMT 2017
If we aren't doing signature validation, look instead for "release:
cygwin" in the setup.ini files. If this fails for an official mirror,
reject the mirror. If it fails for a purported private mirror,
silently change the status of the site to "user site" and put a note
in the log file. This change will take effect on the next setup run
or if the user selects 'Back'.
---
ini.cc | 29 ++++++++++++++++++++++++-----
res.rc | 1 +
resource.h | 1 +
3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/ini.cc b/ini.cc
index 62b7e83..3cffa82 100644
--- a/ini.cc
+++ b/ini.cc
@@ -271,11 +271,15 @@ do_local_ini (HWND owner)
}
static void
-mirror_warn (site_list_type site)
+mirror_warn (site_list_type site, bool sig)
{
- Log (LOG_BABBLE) << "Signature validation failed for " << site.url
- << " using the cygwin key but succeeded using other keys. "
- << endLog;
+ if (sig)
+ Log (LOG_BABBLE) << "Signature validation failed for " << site.url
+ << " using the cygwin key but succeeded using other keys. "
+ << endLog;
+ else
+ Log (LOG_BABBLE) << "setup.ini from " << site.url
+ << " is not from the cygwin release." << endLog;
Log (LOG_BABBLE) << "Changing status from 'mirror' to 'user site'." << endLog;
SiteList::iterator i = find (all_site_list.begin (), all_site_list.end (), site);
if (i != all_site_list.end ())
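Review bot: The new `bool sig` parameter of mirror_warn is opaque at its call sites (`mirror_warn (*n, true)` here and `mirror_warn (*n, false)` in the later do_remote_ini hunk), and nothing in the function says what it selects. A one-line comment above the definition would fix that, e.g. `/* sig: true = cygwin-key signature check failed; false = 'release:' tag mismatch with verification off */`. Both branches also record the demotion from 'mirror' to 'user site' only at `LOG_BABBLE`. If that is the verbose-only level, the default log will not show that a site's trust status changed, so consider a more visible level for these lines. The body of mirror_warn continues past the end of this hunk.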
@@ -343,7 +347,7 @@ do_remote_ini (HWND owner)
if (ini_file)
{
if (n->is_mirror && !main_key_only)
- mirror_warn (*n);
+ mirror_warn (*n, true);
break;
}
}
@@ -369,6 +373,21 @@ do_remote_ini (HWND owner)
}
else
{
+ if (NoVerifyOption && n->is_mirror && aBuilder.release != "cygwin")
+ {
+ if (n->from_mirrors_lst)
+ {
+ // Reject setup.ini.
+ note (owner, IDS_SETUPINI_NOTCYGWIN,
+ SetupBaseName.c_str (), n->url.c_str ());
+ delete ini_file;
+ ini_file = NULL;
+ continue;
+ }
+ else
+ mirror_warn (*n, false);
+ }
+
/* save known-good setup.ini locally */
const std::string fp = "file://" + local_dir + "/" +
rfc1738_escape_part (n->url) +
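Review bot: The `aBuilder.release != "cygwin"` test reads the tag from the same setup.ini that was just fetched with verification disabled, so it is a consistency check rather than evidence of origin; any server can publish a file that declares `release: cygwin`. The block should say so, e.g. `/* Not an authenticity check: 'release:' comes from the unverified setup.ini itself. */`, so that it is not later read as a substitute for the signature check. In the branch where `n->from_mirrors_lst` is false, control falls through after `mirror_warn (*n, false)` to the `/* save known-good setup.ini locally */` code, so the file appears to be cached and used for the current run. The commit message describes this as intended, but "known-good" is misleading for that case and deserves a short comment. do_remote_ini begins and ends outside this hunk.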
diff --git a/res.rc b/res.rc
index 14f1109..cd202e0 100644
--- a/res.rc
+++ b/res.rc
@@ -562,6 +562,7 @@ BEGIN
IDS_MIRROR_LST "http://cygwin.com/mirrors.lst"
IDS_ERR_OPEN_WRITE "Can't open %s for writing: %s"
IDS_SETUPINI_MISSING "Unable to get %s from <%s>"
+ IDS_SETUPINI_NOTCYGWIN "%s from <%s> is not from cygwin release"
IDS_OLD_SETUPINI "This setup.ini is older than the one you used last time you installed cygwin. Proceed anyway?"
IDS_NOTHING_INSTALLED "Nothing needed to be installed"
IDS_INSTALL_COMPLETE "Installation Complete"
diff --git a/resource.h b/resource.h
index 79575fb..666e93b 100644
--- a/resource.h
+++ b/resource.h
@@ -39,6 +39,7 @@
#define IDS_ELEVATED 139
#define IDS_INSTALLEDB_VERSION 140
#define IDS_DOWNLOAD_INCOMPLETE_EXIT 141
+#define IDS_SETUPINI_NOTCYGWIN 142
// Dialogs
--
2.15.1