downloader.rb: verify gems

* tool/downloader.rb (RubyGems.download): verify downloaded gem packages. LowSecurity to allow untrusted certificates now. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49251 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2025-08-23 13:04:13 +02:00 · 2015-01-14 07:45:28 +00:00 · 2015-01-14 07:45:28 +00:00 · a9e033b104
commit a9e033b104
parent 095886b572
2 changed files with 29 additions and 2 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Wed Jan 14 16:45:24 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* tool/downloader.rb (RubyGems.download): verify downloaded gem
+	  packages.  LowSecurity to allow untrusted certificates now.
+
 Wed Jan 14 15:43:48 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* ext/readline/readline.c (readline_s_refresh_line): initialize
--- a/tool/downloader.rb
+++ b/tool/downloader.rb
@ -38,11 +38,29 @@ class Downloader

  class RubyGems < self
    def self.download(name, dir = nil, ims = true, options = {})
+      require 'rubygems'
+      require 'rubygems/package'
      options[:ssl_ca_cert] = Dir.glob(File.expand_path("../lib/rubygems/ssl_certs/*.pem", File.dirname(__FILE__)))
      if $rubygems_schema != 'https'
        warn "*** using http instead of https ***"
      end
-      super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", name, dir, ims, options)
+      file = under(dir, name)
+      super("#{$rubygems_schema}://rubygems.org/downloads/#{name}", file, nil, ims, options) or
+        return false
+      pkg = Gem::Package.new(file)
+      pkg.security_policy = Gem::Security::LowSecurity
+      begin
+        pkg.verify
+      rescue Gem::Security::Exception => e
+        $stderr.puts e.message
+        File.unlink(file)
+        false
+      else
+        true
+      end
+    end
+
+    def self.verify(pkg)
    end
  end

@ -86,7 +104,7 @@ class Downloader
  #   download 'http://www.unicode.org/Public/UCD/latest/ucd/UnicodeData.txt',
  #            'UnicodeData.txt', 'enc/unicode/data'
  def self.download(url, name, dir = nil, ims = true, options = {})
-    file = dir ? File.join(dir, File.basename(name)) : name
+    file = under(dir, name)
    if ims.nil? and File.exist?(file)
      if $VERBOSE
        $stdout.puts "#{name} already exists"
@ -141,6 +159,10 @@ class Downloader
  rescue => e
    raise "failed to download #{name}\n#{e.message}: #{url}"
  end
+
+  def self.under(dir, name)
+    dir ? File.join(dir, File.basename(name)) : name
+  end
 end

 if $0 == __FILE__