summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2025-01-01 13:54:42 +0000
committerJulian Andres Klode <jak@debian.org>2025-01-01 13:54:42 +0000
commitfe62a927df48d5cdff591edf80cd7a25beeb9573 (patch)
tree02c161e80ece5ed9682c290e3f228a19fd3d3e7d
parent813a76d640272fe259ad13ddefa66ca5846ccfec (diff)
parent02c8e57304f5bded10f7b16207469f9bc9bf3e96 (diff)
Merge branch 'sqv-error-propagation' into 'main'
sqv: Avoid propagating errors between files See merge request apt-team/apt!422
-rw-r--r--methods/sqv.cc13
-rwxr-xr-xtest/integration/test-method-gpgv-legacy-keyring23
2 files changed, 31 insertions, 5 deletions
diff --git a/methods/sqv.cc b/methods/sqv.cc
index 63ccdc08f..716081f8e 100644
--- a/methods/sqv.cc
+++ b/methods/sqv.cc
@@ -262,6 +262,10 @@ static std::string GenerateKeyFile(std::string const key)
bool SQVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
{
+ // Quick safety check: do we have left-over errors from a previous URL?
+ if (unlikely(_error->PendingError()))
+ return _error->Error("Internal error: Error set at start of verification");
+
URI const Get(Itm->Uri);
std::string const Path = DecodeSendURI(Get.Host + Get.Path); // To account for relative paths
@@ -288,6 +292,10 @@ bool SQVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
keyFpts.emplace_back(std::move(key));
}
+ // Nothing should have failed here in the setup, if it did, don't bother verifying
+ if (_error->PendingError())
+ return false;
+
// Run apt-key on file, extract contents and get the key ID of the signer
VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(), keyFiles, Signers);
if (_error->PendingError())
@@ -300,6 +308,8 @@ bool SQVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
_error->RevertToStack();
if (error)
return false;
+
+ _error->Discard();
std::string warning;
strprintf(warning,
_("Key is stored in legacy trusted.gpg keyring (%s). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details."),
@@ -337,7 +347,8 @@ bool SQVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
if (DebugEnabled())
std::clog << "sqv succeeded\n";
- return true;
+ // If we have a pending error somehow, we should still fail here...
+ return not _error->PendingError();
}
int main()
diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring
index cc7ddf097..55ab6ef7c 100755
--- a/test/integration/test-method-gpgv-legacy-keyring
+++ b/test/integration/test-method-gpgv-legacy-keyring
@@ -14,24 +14,39 @@ setupaptarchive --no-update
alias inrelease_size="stat -c %s aptarchive/dists/unstable/InRelease"
+cp -a ${TMPWORKINGDIRECTORY}/aptarchive ${TMPWORKINGDIRECTORY}/aptarchive2
+
+sed s#aptarchive#aptarchive2# rootdir/etc/apt/sources.list.d/apt-test-unstable-deb.list >> rootdir/etc/apt/sources.list.d/apt-test-unstable-deb.list
+
testsuccessequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [$(inrelease_size) B]
Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
-Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main all Packages [246 B]
-Get:3 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main Translation-en [224 B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [$(inrelease_size) B]
+Get:3 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main all Packages [246 B]
+Get:4 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main Translation-en [224 B]
+Get:5 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable/main all Packages [246 B]
+Get:6 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable/main Translation-en [224 B]
Reading package lists..." aptget update -q
cat rootdir/etc/apt/trusted.gpg.d/*.gpg > rootdir/etc/apt/trusted.gpg
rm rootdir/etc/apt/trusted.gpg.d/*.gpg
testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [$(inrelease_size) B]
Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [$(inrelease_size) B]
Reading package lists...
-W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details.
+W: file:${TMPWORKINGDIRECTORY}/aptarchive2/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q
# 2.4.0 regression: If the InRelease file was signed with two keys, fallback to trusted.gpg did not
# work: It ran the fallback, but then ignored the result, as keys were still missing.
+original_inrelease_size=$(inrelease_size)
signreleasefiles 'Joe Sixpack,Marvin Paranoid'
testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [${original_inrelease_size} B]
Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [$(inrelease_size) B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive2 unstable InRelease [${original_inrelease_size} B]
Reading package lists...
-W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q -omsg=with-two-signatures
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details.
+W: file:${TMPWORKINGDIRECTORY}/aptarchive2/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details." aptget update -q -omsg=with-two-signatures