]> git.decadent.org.uk Git - dak.git/commitdiff
projects / dak.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e3a60b6)
daklib/checks.py: check timestamp of .changes signature
authorAnsgar Burchardt <ansgar@debian.org>
Thu, 11 Sep 2014 23:24:24 +0000 (01:24 +0200)
committerAnsgar Burchardt <ansgar@debian.org>
Thu, 11 Sep 2014 23:24:24 +0000 (01:24 +0200)
This allows to eventually drop old entries from the signature_history
table.

daklib/archive.py patch | blob | history
daklib/checks.py patch | blob | history

diff --git a/daklib/archive.py b/daklib/archive.py
index 34350feccaf4d398f022651f98fc61f22905f968..b78a1cb4351fb7899b4f7bdf546fddaf03d394cd 100644 (file)
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -902,6 +902,7 @@ class ArchiveUpload(object):
             # Validate signatures and hashes before we do any real work:
             for chk in (
                     checks.SignatureAndHashesCheck,
+                    checks.SignatureTimestampCheck,
                     checks.ChangesCheck,
                     checks.ExternalHashesCheck,
                     checks.SourceCheck,
diff --git a/daklib/checks.py b/daklib/checks.py
index c7c4a16f23f03c8b482df3f1ee07792f74008764..f4127808b5ac2a96baf903953d755c00ab4c1d8a 100644 (file)
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -36,6 +36,7 @@ import daklib.upload
 import apt_inst
 import apt_pkg
 from apt_pkg import version_compare
+import datetime
 import errno
 import os
 import subprocess
@@ -167,6 +168,25 @@ class SignatureAndHashesCheck(Check):
         except daklib.upload.UploadException as e:
             raise Reject('{0}: {1}'.format(filename, unicode(e)))
 
+class SignatureTimestampCheck(Check):
+    """Check timestamp of .changes signature"""
+    def check(self, upload):
+        changes = upload.changes
+
+        now = datetime.datetime.utcnow()
+        timestamp = changes.signature_timestamp
+        age = now - timestamp
+
+        age_max = datetime.timedelta(days=365)
+        age_min = datetime.timedelta(days=-7)
+
+        if age > age_max:
+            raise Reject('{0}: Signature from {1} is too old (maximum age is {2} days)'.format(changes.filename, timestamp, age_max.days))
+        if age < age_min:
+            raise Reject('{0}: Signature from {1} is too far in the future (tolerance is {2} days)'.format(changes.filename, timestamp, abs(age_min.days)))
+
+        return True
+
 class ChangesCheck(Check):
     """Check changes file for syntax errors."""
     def check(self, upload):
dak changes to support and test code signing