<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/test/integration/test-apt-update-nofallback, branch main</title>
<subtitle>Debians commandline package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=main</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2025-03-04T10:07:51Z</updated>
<entry>
<title>Replace "GPG error" with "OpenPGP signature verification failed"</title>
<updated>2025-03-04T10:07:51Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-03-04T10:07:14Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=991eb5025a35155e57005b2e2be38f66ec5dd1a4'/>
<id>urn:sha1:991eb5025a35155e57005b2e2be38f66ec5dd1a4</id>
<content type='text'>
Reported-by: cacin on irc
</content>
</entry>
<entry>
<title>Grep for more evil in test as a signature can contain evil</title>
<updated>2025-01-17T01:09:05Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2025-01-17T01:09:05Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=9bd81ac3c85d8c9fee01d0ecfc681841aa89e6eb'/>
<id>urn:sha1:9bd81ac3c85d8c9fee01d0ecfc681841aa89e6eb</id>
<content type='text'>
The test was failing for me as the PGP signature contained "GeviljGB"
which is clearly not the evil we are looking for. Sadly, reproducing
this is hard, but random failures of the test suite are annoying, so
lets grep for a bit longer strings that can't happen in the signature
block to avoid this particular problem.
</content>
</entry>
<entry>
<title>test: Check "${METHODSDIR}/sqv" not "/usr/bin/sqv"</title>
<updated>2025-01-01T21:27:31Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-01-01T21:20:25Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=12a3dfe6b86ca01ac2d643086b8f30e5b9189290'/>
<id>urn:sha1:12a3dfe6b86ca01ac2d643086b8f30e5b9189290</id>
<content type='text'>
This is the correct check to find out whether we have built
with sqv support.
</content>
</entry>
<entry>
<title>methods: Add new sqv method</title>
<updated>2024-12-22T22:51:22Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2024-12-07T15:44:18Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf'/>
<id>urn:sha1:da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf</id>
<content type='text'>
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.

sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.

The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.

On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D

A couple of concessions have been made for test suite purposes:

- Failure to split a clearsigned file only shows the summary,
  as the gpgv method also only showed it, and no details why
  it failed.
- We write "Got GOODSIG &lt;fingerprint&gt;" in debug mode to mimic
  the gpgv code to keep the test suite happy.

- In various places in the test suite we assert minimal output
  from sqv, but sqv's human output is not intended to be stable.
  This will incur additional work when it breaks. However we do
  not _parse_ the output, so actual operation of apt is unaffected.

A couple of things are suboptimal here:

- We are still doing clearsigned splitting ourselves. sqv only
  has support for detached signatures right now, whereas sqopv
  has support for clearsigned files as well (but sqopv does not
  provide any reasons for why signature verification fails or
  means to set a policy).

- Deprecation of algorithms happens on a timebomb basis in
  sequoia. We have no means to give users warnings ahead of
  time if their configuration is outdated.

We have implemented various bits that probably should be going away:

- Fallback to trusted.gpg
  This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
  The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
  With Signed-By everywhere, we should just error out rather than
  skip broken keyrings.

Moo
</content>
</entry>
<entry>
<title>Avoid dealing with a fake dpkg stanza in the tests</title>
<updated>2022-09-02T14:55:45Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2022-08-31T19:49:33Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=3498fbedafbf30e5c91deeaefa6a60d1e387593a'/>
<id>urn:sha1:3498fbedafbf30e5c91deeaefa6a60d1e387593a</id>
<content type='text'>
We needed a fake dpkg in our status file for dpkg --assert-multi-arch to
work in the past, but recent dpkg versions do not require this anymore,
so we can remove this somewhat surprising hackery in favour of better
hidden hackery we only use if we work with an older dpkg (e.g. on
current Debian stable).
</content>
</entry>
<entry>
<title>Read and work with canonical file-URIs from sources.lists</title>
<updated>2021-09-13T14:08:52Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2021-09-12T14:08:52Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=2b0369a5d1673d9e40f2af4db7677b040a26ee58'/>
<id>urn:sha1:2b0369a5d1673d9e40f2af4db7677b040a26ee58</id>
<content type='text'>
We allow file (and other file-based methods) URIs to either be given
as file:///path or as file:/path, but in various places of the acquire
system we perform string comparisons on URIs which do not handle this
expecting the canonical representation produced by our URI code.

That used to be hidden by us quoting and dequoting the URIs in the
system, but as we don't do this anymore we have to be a bit more careful
on input.

Ideally we would do less of these comparisons, but for now lets be
content with inserting a canonicalisation early on to prevent hangs in
the acquire system.
</content>
</entry>
<entry>
<title>if insecure repo is allowed continue on all http errors</title>
<updated>2017-12-13T22:51:57Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2017-11-22T12:42:31Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=197c53951430bcb267ddd6e398439a8a5d9a83ad'/>
<id>urn:sha1:197c53951430bcb267ddd6e398439a8a5d9a83ad</id>
<content type='text'>
If a InRelease file fails to download with a non-404 error
we assumed there is some general problem with repository like
a webportal or your are blocked from access (wrong auth, Tor, …).

Turns out some server like S3 return 403 if a file doesn't exist.
Allowing this in general seems like a step backwards as 403 is a
reasonable response if auth failed, so failing here seems better
than letting those users run into problems.

What we can do is show our insecure warnings through and allow the
failures for insecure repos: If the repo is signed it is easy to add
an InRelease file and if not you are setup for trouble anyhow.

References: cbbf185c3c55effe47f218a07e7b1f324973a8a6
</content>
</entry>
<entry>
<title>test: Always install dpkg into our tests, regardless of MA</title>
<updated>2016-09-07T12:00:38Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2016-09-07T11:35:40Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=561a3557e7fa6c4ed693c3bb486d189a468a8080'/>
<id>urn:sha1:561a3557e7fa6c4ed693c3bb486d189a468a8080</id>
<content type='text'>
Even if we only configure a single architecture, install dpkg, so
dpkg can assert multi arch correctly. This also has the nice side
effect of making single architecture and multiple architecture
test cases more uniform.

This fixes a regression from f878d3a862128bc1385616751ae1d78246b1bd01
("test: Assert multi-arch in the chroot").
</content>
</entry>
<entry>
<title>add insecure (and weak) allow-options for sources.list</title>
<updated>2016-06-22T12:05:01Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2016-06-20T18:50:43Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=d03b947b0ce4f87d7d5cc48d4d274ab3bd0b289a'/>
<id>urn:sha1:d03b947b0ce4f87d7d5cc48d4d274ab3bd0b289a</id>
<content type='text'>
Weak had no dedicated option before and Insecure and Downgrade were both
global options, which given the effect they all have on security is
rather bad. Setting them for individual repositories only isn't great
but at least slightly better and also more consistent with other
settings for repositories.
</content>
</entry>
<entry>
<title>generalize secure-&gt;insecure downgrade protection</title>
<updated>2016-06-22T12:05:01Z</updated>
<author>
<name>David Kalnischkies</name>
<email>david@kalnischkies.de</email>
</author>
<published>2016-03-18T11:50:02Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=b1bdfe682054ea6fc202416968c5342d59b403b1'/>
<id>urn:sha1:b1bdfe682054ea6fc202416968c5342d59b403b1</id>
<content type='text'>
Handling the extra check (and force requirement) for downgrades in
security in our AllowInsecureRepositories checker helps in having this
check everywhere instead of just in the most common place and requiring
a little extra force in such cases is always good.
</content>
</entry>
</feed>
