verify_deprecated_jar_signature(): use temp dir instead of $PWD/.java.security

2025-11-05 06:50:29 +03:00 · 2022-11-10 19:16:02 +01:00 · 2022-11-10 19:16:02 +01:00 · e58637374c
commit e58637374c
parent 88995f71d3
1 changed files with 18 additions and 23 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -3445,17 +3445,16 @@ def verify_deprecated_jar_signature(jar):
    """
    error = _('JAR signature failed to verify: {path}').format(path=jar)
-    _java_security = os.path.join(os.getcwd(), '.java.security')
+    with tempfile.TemporaryDirectory() as tmpdir:
-    if os.path.exists(_java_security):
+        java_security = os.path.join(tmpdir, 'java.security')
-        os.remove(_java_security)
+        with open(java_security, 'w') as fp:
    with open(_java_security, 'w') as fp:
            fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
-    os.chmod(_java_security, 0o400)
+        os.chmod(java_security, 0o400)
        try:
            cmd = [
                config['jarsigner'],
-            '-J-Djava.security.properties=' + _java_security,
+                '-J-Djava.security.properties=' + java_security,
                '-strict', '-verify', jar
            ]
            output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
@ -3465,10 +3464,6 @@ def verify_deprecated_jar_signature(jar):
                logging.debug(_('JAR signature verified: {path}').format(path=jar))
            else:
                raise VerificationException(error + '\n' + e.output.decode('utf-8')) from e
    finally:
        if os.path.exists(_java_security):
            os.chmod(_java_security, 0o600)
            os.remove(_java_security)
 def verify_apk_signature(apk, min_sdk_version=None):