diff options
| author | Julian Andres Klode <julian.klode@canonical.com> | 2024-07-15 19:13:58 +0200 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-07-15 19:17:55 +0200 |
| commit | 47deb766c0a11c54d122197531279677545459af (patch) | |
| tree | 8c4209613689b1faa69c0f61f4eb6e5801522935 | |
| parent | 29dd6c45bc2579d012ac78ba3100a2485c78ff1d (diff) | |
Only revoke weak RSA keys for now, add 'next' and 'future' levels
Algorithms not in the next level give a warning, algorithms
in not in the future level introduce an audit message for
the --audit flag.
next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512
future: >=rsa3072,ed25519,ed448
LP: #2073126
| -rw-r--r-- | apt-pkg/init.cc | 4 | ||||
| -rw-r--r-- | doc/examples/configure-index | 2 | ||||
| -rw-r--r-- | methods/gpgv.cc | 11 | ||||
| -rwxr-xr-x | test/integration/test-method-gpgv | 43 |
4 files changed, 59 insertions, 1 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index 487f94f20..d71d9541f 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -131,7 +131,9 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.Set("APT::Build-Essential::", "build-essential"); Cnf.CndSet("APT::Install-Recommends", true); Cnf.CndSet("APT::Install-Suggests", false); - Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future", ">=rsa3072,ed25519,ed448"); Cnf.CndSet("Dir","/"); // State diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 6bcf8e354..72ce1fe3a 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -776,6 +776,8 @@ apt::key::masterkeyring "<STRING>"; apt::key::archivekeyringuri "<STRING>"; apt::key::net-update-enabled "<STRING>"; apt::key::assert-pubkey-algo "<STRING>"; +apt::key::assert-pubkey-algo::next "<STRING>"; +apt::key::assert-pubkey-algo::future "<STRING>"; apt::ftparchive::release::patterns "<LIST>"; apt::ftparchive::release::validtime "<INT>"; diff --git a/methods/gpgv.cc b/methods/gpgv.cc index fc37b83dc..4a0866555 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -262,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, { return IsTheSameKey(fpr, goodsig); }), Signers.Good.end()); } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next")) + { + std::string reason; + Signers.SoonWorthless.push_back({fpr, pkstr}); + } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future")) + { + std::string reason; + strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str()); + Signers.LaterWorthless.push_back({fpr, reason}); + } } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv index 0f014e3d1..ffaa72c8f 100755 --- a/test/integration/test-method-gpgv +++ b/test/integration/test-method-gpgv @@ -48,6 +48,14 @@ testrun() { [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testgpgv 'Not asserted in the next level' 'SoonWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' + + testgpgv 'Not asserted in the future level' 'LaterWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 nistp256' + testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org> [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org> @@ -108,6 +116,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -121,6 +132,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -135,6 +149,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -158,6 +175,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -199,3 +219,26 @@ echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey <subkey@example.org> [GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' > gpgv.output testfailure apt update -o Dir::Bin::apt-key="./faked-apt-key" -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 rm -rf rootdir/var/lib/apt/lists + +gpgvmethod() { + echo "601 Configuration +Config-Item: Debug::Acquire::gpgv=1 +Config-Item: Dir::Bin::apt-key=./faked-apt-key +Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=invalid + +600 URI Acquire +URI: file://${TMPWORKINGDIRECTORY}/message.sig +Filename: ${TMPWORKINGDIRECTORY}/message.data +Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE! +" | runapt "${METHODSDIR}/gpgv" +} + + +echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' > gpgv.output + +msgtest "Warns about invalid specification" ">=invalid" +gpgvmethod >method.output 2>&1 || true +testsuccess --nomsg grep "Message: Unrecognized public key specification '>=invalid' in option APT::Key::Assert-Pubkey-Algo::Next" method.output |
