diff options
| author | Julian Andres Klode <julian.klode@canonical.com> | 2025-01-22 09:34:37 +0100 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2025-01-22 09:55:11 +0100 |
| commit | 09c76cb29b61e1d523a30287f8a9bf0cb0b608e7 (patch) | |
| tree | 9414ac9ba3395e04a55c1ebb99405f36e48ed500 | |
| parent | 61f8f40f921cde13c5b97abbdf900646745e8e30 (diff) | |
sqv, gpgv: Do not fail if Dir::Etc::Trusted is set and trusted.gpg.d is missing
This should remain a warning case for now. So push the errors
to a stack and see if we can find any file.
Explictly warn again if Dir::Etc::trusted is set, as it is like
_super_ deprecated.
Reported-By: Cyril Brulebois <kibi@debian.org> in Bug#1032131
| -rw-r--r-- | apt-pkg/contrib/gpgv.cc | 12 | ||||
| -rw-r--r-- | methods/sqv.cc | 11 | ||||
| -rwxr-xr-x | test/integration/test-method-gpgv-legacy-keyring | 48 |
3 files changed, 69 insertions, 2 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc index 173bfdf22..c6eabc690 100644 --- a/apt-pkg/contrib/gpgv.cc +++ b/apt-pkg/contrib/gpgv.cc @@ -395,12 +395,20 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG, } } - std::vector<std::string> Parts; if (not FoundKeyring) { - Parts = GetListOfFilesInDir(_config->FindDir("Dir::Etc::TrustedParts"), std::vector<std::string>{"gpg", "asc"}, true); + // Either trusted or trustedparts must exist + _error->PushToStack(); + auto Parts = GetListOfFilesInDir(_config->FindDir("Dir::Etc::TrustedParts"), std::vector<std::string>{"gpg", "asc"}, true); if (auto trusted = _config->FindFile("Dir::Etc::Trusted"); not trusted.empty()) + { + apt_warning(std::cerr, statusfd, fd, "Loading %s from deprecated option Dir::Etc::Trusted\n", trusted.c_str()); Parts.push_back(trusted); + } + if (Parts.empty()) + _error->MergeWithStack(); + else + _error->RevertToStack(); for (auto &Part : Parts) { if (Debug) diff --git a/methods/sqv.cc b/methods/sqv.cc index 9dbe75994..3191752cc 100644 --- a/methods/sqv.cc +++ b/methods/sqv.cc @@ -132,9 +132,20 @@ bool SQVMethod::VerifyGetSigners(const char *file, const char *outfile, }; if (keyFiles.empty()) { + // Either trusted or trustedparts must exist + _error->PushToStack(); auto Parts = GetListOfFilesInDir(_config->FindDir("Dir::Etc::TrustedParts"), std::vector<std::string>{"gpg", "asc"}, true); if (auto trusted = _config->FindFile("Dir::Etc::Trusted"); not trusted.empty()) + { + std::string s; + strprintf(s, "Loading %s from deprecated option Dir::Etc::Trusted\n", trusted.c_str()); + Warning(std::move(s)); Parts.push_back(trusted); + } + if (Parts.empty()) + _error->MergeWithStack(); + else + _error->RevertToStack(); for (auto &Part : Parts) { if (Debug) diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring new file mode 100755 index 000000000..55ad2463d --- /dev/null +++ b/test/integration/test-method-gpgv-legacy-keyring @@ -0,0 +1,48 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" + +setupenvironment +configarchitecture "amd64" + +insertpackage 'testing' 'foo' 'all' '1' + +buildaptarchive +setupaptarchive --no-update +changetowebserver + +alias inrelease_size="stat -c %s aptarchive/dists/testing/InRelease" + +testsuccessequal "Get:1 http://localhost:${APTHTTPPORT} testing InRelease [$(inrelease_size) B] +Get:2 http://localhost:${APTHTTPPORT} testing/main all Packages [248 B] +Get:3 http://localhost:${APTHTTPPORT} testing/main Translation-en [225 B] +Reading package lists..." aptget update -q + +mv rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg rootdir/etc/apt/trusted.gpg + +if test -e "${METHODSDIR}/sqv"; then + missing_key="The signatures couldn't be verified because no keyring is specified" +else + missing_key="The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5A90D141DBAC8DAE" +fi + +testwarningequal "Hit:1 http://localhost:${APTHTTPPORT} testing InRelease +Reading package lists... +W: http://localhost:${APTHTTPPORT}/dists/testing/InRelease: Loading ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg from deprecated option Dir::Etc::Trusted" aptget update -q -o Dir::Etc::trusted=trusted.gpg + +testwarningequal "Hit:1 http://localhost:${APTHTTPPORT} testing InRelease +Err:1 http://localhost:${APTHTTPPORT} testing InRelease + $missing_key +Reading package lists... +W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://localhost:${APTHTTPPORT} testing InRelease: $missing_key +W: Failed to fetch http://localhost:${APTHTTPPORT}/dists/testing/InRelease $missing_key +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -q + +rmdir rootdir/etc/apt/trusted.gpg.d + +testwarningequal "Hit:1 http://localhost:${APTHTTPPORT} testing InRelease +Reading package lists... +W: http://localhost:${APTHTTPPORT}/dists/testing/InRelease: Loading ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg from deprecated option Dir::Etc::Trusted" aptget update -q -o Dir::Etc::trusted=trusted.gpg + |
