From f318d062dd381d53e37dd6003ec9d7f3d9b91e07 Mon Sep 17 00:00:00 2001 From: Ansgar Burchardt Date: Fri, 12 Sep 2014 01:24:24 +0200 Subject: [PATCH] daklib/checks.py: check timestamp of .changes signature This allows to eventually drop old entries from the signature_history table. --- daklib/archive.py | 1 + daklib/checks.py | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/daklib/archive.py b/daklib/archive.py index 34350fec..b78a1cb4 100644 --- a/daklib/archive.py +++ b/daklib/archive.py @@ -902,6 +902,7 @@ class ArchiveUpload(object): # Validate signatures and hashes before we do any real work: for chk in ( checks.SignatureAndHashesCheck, + checks.SignatureTimestampCheck, checks.ChangesCheck, checks.ExternalHashesCheck, checks.SourceCheck, diff --git a/daklib/checks.py b/daklib/checks.py index c7c4a16f..f4127808 100644 --- a/daklib/checks.py +++ b/daklib/checks.py @@ -36,6 +36,7 @@ import daklib.upload import apt_inst import apt_pkg from apt_pkg import version_compare +import datetime import errno import os import subprocess @@ -167,6 +168,25 @@ class SignatureAndHashesCheck(Check): except daklib.upload.UploadException as e: raise Reject('{0}: {1}'.format(filename, unicode(e))) +class SignatureTimestampCheck(Check): + """Check timestamp of .changes signature""" + def check(self, upload): + changes = upload.changes + + now = datetime.datetime.utcnow() + timestamp = changes.signature_timestamp + age = now - timestamp + + age_max = datetime.timedelta(days=365) + age_min = datetime.timedelta(days=-7) + + if age > age_max: + raise Reject('{0}: Signature from {1} is too old (maximum age is {2} days)'.format(changes.filename, timestamp, age_max.days)) + if age < age_min: + raise Reject('{0}: Signature from {1} is too far in the future (tolerance is {2} days)'.format(changes.filename, timestamp, abs(age_min.days))) + + return True + class ChangesCheck(Check): """Check changes file for syntax errors.""" def check(self, upload): -- 2.39.5