Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.4.1 2022-03-07T13:06:40Z 2022-03-07T13:06:40Z Julian Andres Klode jak@debian.org 2022-03-07T13:06:40Z urn:sha1:ba08336ba208556de89f945aefc7b83f0f713c93 2022-03-07T13:00:07Z Julian Andres Klode jak@debian.org 2022-03-07T13:00:07Z urn:sha1:3e57dc07fac417ff7007745510f0b35715045f70 gpgv: Fix legacy fallback on unavailable keys See merge request apt-team/apt!228 2022-03-07T12:04:23Z Julian Andres Klode jak@debian.org 2022-03-07T12:03:24Z urn:sha1:55452afa1e8eb3b252f76e455b49df5883e0b811 Change the logic to use "Valid" instead of "Good" to determine whether we need to fallback and if fallback was successful. That means that if you have an expired key in trusted.gpg.d, and a non-expired in trusted.gpg, verification will now fail directly with the expired key in trusted.gpg.d and not try to fallback. Likewise, if the key in trusted.gpg is expired, this will now also be reported correctly again, instead of producing an error message that the key could not be found. 2022-03-07T10:53:27Z Julian Andres Klode jak@debian.org 2022-03-07T10:53:27Z urn:sha1:ee427f308600a4a3a6f67a4a7835e1172605ba06 If a repository is signed with multiple keys, apt 2.4.0 would ignore the fallback result if some keys were still missing, causing signature verification to fail. Rework the logic such that when checking if fallback was "succesful", missing keys are ignored - it only matters if we managed to verify one key now, whether good or bad. Likewise, simplify the logic when to do the fallback: If there was a bad signature in trusted.gpg.d, do NOT fallback at all - this is a minor security issue, as a key in trusted.gpg.d could fail silently with a bad signature, and then a key in trusted.gpg might allow the signature to succeed (as trusted.gpg.d key is then missing). Only fallback if we are missing a good signature, and there are keys we have not yet checked. 2022-03-04T13:38:42Z Julian Andres Klode jak@debian.org 2022-03-04T13:38:42Z urn:sha1:d9ceab20a05e0d02ecd1038161965a7eaf8e4c06 Document the APT::Periodic interval suffixes and "always" value See merge request apt-team/apt!227 2022-03-02T10:27:17Z Paul Wise pabs@debian.org 2022-03-01T00:28:39Z urn:sha1:c6f016200291e7e719f15de4f9a6ad9596c5110b Without documentation these options will see much less use. Fixes: commit 1d9e29c9e2a5591b42a99a721b901fc003ed9149 Suggested-by: kibi on #debian-devel 2022-02-22T19:01:41Z Julian Andres Klode jak@debian.org 2022-02-22T19:01:41Z urn:sha1:409ee5821500f140896715a516ec8ffa008de789 2022-02-22T18:02:28Z Julian Andres Klode jak@debian.org 2022-02-22T18:02:28Z urn:sha1:9ee8797408f0973d71110f9f93c21ad17b6b3a6a Warn if the legacy trusted.gpg keyring is used for verification See merge request apt-team/apt!209 2022-02-22T17:25:06Z Julian Andres Klode jak@debian.org 2022-01-07T11:43:32Z urn:sha1:56adf743b02b80a9acc9a2e480bfd15acb94f755 With apt-key going away, people need to manage key files, rather than keys, so they need to know if any keys are in the legacy keyring. 2022-02-22T17:25:06Z Julian Andres Klode jak@debian.org 2022-02-22T16:45:08Z urn:sha1:9aee35d1acafde2e443741160d13d365345383ab