index: fix output file permissions, verify signed index (ref #46)

src/index.c

@@ -169,14 +169,14 @@ static int index_main(void *ctx, int argc, char **argv)
 	if (ictx->method == APK_SIGN_GENERATE) {
 		memset(&fi, 0, sizeof(fi));
 		fi.name = "APKINDEX";
-		fi.mode = 0755 | S_IFREG;
+		fi.mode = 0644 | S_IFREG;
 		os = apk_ostream_counter(&fi.size);
 		apk_db_index_write(&db, os);
 		os->close(os);
 	}
 
 	if (ictx->output != NULL)
-		os = apk_ostream_to_file(ictx->output, 0755);
+		os = apk_ostream_to_file(ictx->output, 0644);
 	else
 		os = apk_ostream_to_fd(STDOUT_FILENO);
 	if (ictx->method == APK_SIGN_GENERATE) {

src/package.c

@@ -391,13 +391,24 @@ int apk_sign_ctx_mpart_cb(void *ctx, EVP_MD_CTX *mdctx, int part)
 		break;
 	case APK_MPART_END:
 		if (sctx->action == APK_SIGN_VERIFY) {
-			/* Check that data checksum matches */
+			if (sctx->has_data_checksum) {
-			EVP_DigestFinal_ex(mdctx, calculated, NULL);
+				/* Check that data checksum matches */
-			if (sctx->has_data_checksum &&
+				EVP_DigestFinal_ex(mdctx, calculated, NULL);
-			    EVP_MD_CTX_size(mdctx) != 0 &&
+				if (EVP_MD_CTX_size(mdctx) != 0 &&
-			    memcmp(calculated, sctx->data_checksum,
+				    memcmp(calculated, sctx->data_checksum,
-				   EVP_MD_CTX_size(mdctx)) == 0)
+				           EVP_MD_CTX_size(mdctx)) == 0)
-				sctx->data_verified = 1;
+					sctx->data_verified = 1;
+			} else if (sctx->signature.pkey != NULL) {
+				/* Assume that the data is fully signed */
+				r = EVP_VerifyFinal(mdctx,
+					   (unsigned char *) sctx->signature.data.ptr,
+					   sctx->signature.data.len,
+					   sctx->signature.pkey);
+				if (r == 1) {
+					sctx->control_verified = 1;
+					sctx->data_verified = 1;
+				}
+			}
 		} else if (!sctx->has_data_checksum) {
 			/* Package identity is checksum of all data */
 			sctx->identity.type = EVP_MD_CTX_size(mdctx);