From c3bf1893e3ac66149e5c400dadae62478e57fb18 Mon Sep 17 00:00:00 2001
From: Jiri Moskovcak <jmoskovc@redhat.com>
Date: Thu, 28 Jan 2010 14:40:24 +0100
Subject: reenabled gpg check

- we still just check only the signature of the package,
  which doesn't tell us if the files on the disk weren't
  changed, but will at least filter not official packages
---
 src/Daemon/MiddleWare.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/Daemon/MiddleWare.cpp')

diff --git a/src/Daemon/MiddleWare.cpp b/src/Daemon/MiddleWare.cpp
index 01c3850b..ba7e0a05 100644
--- a/src/Daemon/MiddleWare.cpp
+++ b/src/Daemon/MiddleWare.cpp
@@ -655,6 +655,12 @@ static mw_result_t SavePackageDescriptionToDebugDump(
                 log("Package '%s' isn't signed with proper key", packageName.c_str());
                 return MW_GPG_ERROR;
             }
+            /*
+              Checking the MD5 sum requires to run prelink to "un-prelink" the
+              binaries - this is considered potential security risk so we don't
+              use it, until we find some non-intrusive way
+            */
+            /*
             if (!CheckHash(packageName.c_str(), pExecutable))
             {
                 error_msg("Executable '%s' seems to be modified, "
@@ -662,6 +668,7 @@ static mw_result_t SavePackageDescriptionToDebugDump(
                                 pExecutable, packageName.c_str());
                 return MW_GPG_ERROR;
             }
+            */
         }
     }
 
-- 
cgit