<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/test/integration/test-releasefile-verification, branch main</title>
<subtitle>Debians commandline package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=main</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2025-05-06T10:12:31Z</updated>
<entry>
<title>test: Do not use host's sequoia config</title>
<updated>2025-05-06T10:12:31Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-04-25T22:26:05Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=7994d1b3bdaaef1351872f13054d1ed9d645f65a'/>
<id>urn:sha1:7994d1b3bdaaef1351872f13054d1ed9d645f65a</id>
<content type='text'>
Make the test suite independent of the host sequoia config.
</content>
</entry>
<entry>
<title>test: Fix test-skipped regression in 3.0.1</title>
<updated>2025-05-06T10:12:31Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-04-25T22:23:22Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=3e261cb940955cadaff58e90a27af8dc882cb3b1'/>
<id>urn:sha1:3e261cb940955cadaff58e90a27af8dc882cb3b1</id>
<content type='text'>
There was an accidental exit in the if causing the test to exit
early, but the test suite still to pass.
</content>
</entry>
<entry>
<title>sqv: Warn about signatures that will be rejected by policy within a year</title>
<updated>2025-04-25T21:07:07Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-04-25T18:53:45Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=85c435f23718e168345ea60270b24a57061b54f4'/>
<id>urn:sha1:85c435f23718e168345ea60270b24a57061b54f4</id>
<content type='text'>
This implements a simple check where we first run `sqv` with
`--policy-as-of` 1 year in the future. If the file is validly
signed one year in the future, it is validly signed now.

If the file is not validly signed 1 year in the future, we check
if it is validly signed now, and otherwise print an error message.

The --policy-as-of feature was added in sqv 1.3.0, hence we add a
version requirement to the dependency.
</content>
</entry>
<entry>
<title>Replace "GPG error" with "OpenPGP signature verification failed"</title>
<updated>2025-03-04T10:07:51Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2025-03-04T10:07:14Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=991eb5025a35155e57005b2e2be38f66ec5dd1a4'/>
<id>urn:sha1:991eb5025a35155e57005b2e2be38f66ec5dd1a4</id>
<content type='text'>
Reported-by: cacin on irc
</content>
</entry>
<entry>
<title>methods: Add new sqv method</title>
<updated>2024-12-22T22:51:22Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>jak@debian.org</email>
</author>
<published>2024-12-07T15:44:18Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf'/>
<id>urn:sha1:da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf</id>
<content type='text'>
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.

sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.

The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.

On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D

A couple of concessions have been made for test suite purposes:

- Failure to split a clearsigned file only shows the summary,
  as the gpgv method also only showed it, and no details why
  it failed.
- We write "Got GOODSIG &lt;fingerprint&gt;" in debug mode to mimic
  the gpgv code to keep the test suite happy.

- In various places in the test suite we assert minimal output
  from sqv, but sqv's human output is not intended to be stable.
  This will incur additional work when it breaks. However we do
  not _parse_ the output, so actual operation of apt is unaffected.

A couple of things are suboptimal here:

- We are still doing clearsigned splitting ourselves. sqv only
  has support for detached signatures right now, whereas sqopv
  has support for clearsigned files as well (but sqopv does not
  provide any reasons for why signature verification fails or
  means to set a policy).

- Deprecation of algorithms happens on a timebomb basis in
  sequoia. We have no means to give users warnings ahead of
  time if their configuration is outdated.

We have implemented various bits that probably should be going away:

- Fallback to trusted.gpg
  This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
  The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
  With Signed-By everywhere, we should just error out rather than
  skip broken keyrings.

Moo
</content>
</entry>
<entry>
<title>Use sq in the test suite, remove apt-key</title>
<updated>2024-12-19T22:41:01Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-12-19T21:11:04Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=a00fbbdb28cc31e78882301c2efe7218583ab4cb'/>
<id>urn:sha1:a00fbbdb28cc31e78882301c2efe7218583ab4cb</id>
<content type='text'>
Remove the test case for MD5 and expired signatures, as we can't
create them (can't set signing digest, and can't set signature
expiry).

Tests for them have been added to test-method-gpgv instead.

We override sq in a function with cert-store and key-store
set to none.

This supports both sq 0.40 and sq 1.0.
</content>
</entry>
<entry>
<title>gpgv: Merge all keyrings into a single one again</title>
<updated>2024-12-04T09:14:44Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-12-04T08:56:58Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=48e5af8b5df391e62657b604b2b54885f7ce1c02'/>
<id>urn:sha1:48e5af8b5df391e62657b604b2b54885f7ce1c02</id>
<content type='text'>
gpgv is quite picky, it takes at most 40 keyrings but it also doesn't
even take keyrings with : in the name, generating an ERROR message
instead.

So instead let's always merge the configured keyrings for the source
into a single one.

While we are at it, since we are merging now, let's also add some
rudimentary error checking to what we write into the merged keyring:
If copying into it fails, we should abort.

Reported-by: SuShY on IRC
</content>
</entry>
<entry>
<title>test: Ensure we test both gpgv-g10code and gpgv-sq</title>
<updated>2024-11-22T15:44:02Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-11-22T15:20:05Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=e983d98c4fcd952ffcbc010b185455913c8af650'/>
<id>urn:sha1:e983d98c4fcd952ffcbc010b185455913c8af650</id>
<content type='text'>
</content>
</entry>
<entry>
<title>test-releasefile-verification: Test empty/invalid signatures</title>
<updated>2024-11-22T15:44:02Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-11-21T19:01:57Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=d2e34a441bad904798bf62fb850d4fb5b1b90656'/>
<id>urn:sha1:d2e34a441bad904798bf62fb850d4fb5b1b90656</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Accept BADSIG instead of EXPSIG for expired signatures</title>
<updated>2024-11-22T15:20:36Z</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2024-11-21T17:51:10Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=222301d7a36a09db80a8832cd16db41f7946a9ea'/>
<id>urn:sha1:222301d7a36a09db80a8832cd16db41f7946a9ea</id>
<content type='text'>
Sequioa emits KEYEXPIRED + BADSIG instead of EXPSIG + VALIDSIG
</content>
</entry>
</feed>
