summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <julian.klode@canonical.com>2024-07-15 19:13:58 +0200
committerJulian Andres Klode <julian.klode@canonical.com>2024-07-15 19:17:55 +0200
commit47deb766c0a11c54d122197531279677545459af (patch)
tree8c4209613689b1faa69c0f61f4eb6e5801522935
parent29dd6c45bc2579d012ac78ba3100a2485c78ff1d (diff)
Only revoke weak RSA keys for now, add 'next' and 'future' levels
Algorithms not in the next level give a warning, algorithms in not in the future level introduce an audit message for the --audit flag. next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512 future: >=rsa3072,ed25519,ed448 LP: #2073126
-rw-r--r--apt-pkg/init.cc4
-rw-r--r--doc/examples/configure-index2
-rw-r--r--methods/gpgv.cc11
-rwxr-xr-xtest/integration/test-method-gpgv43
4 files changed, 59 insertions, 1 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index 487f94f20..d71d9541f 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -131,7 +131,9 @@ bool pkgInitConfig(Configuration &Cnf)
Cnf.Set("APT::Build-Essential::", "build-essential");
Cnf.CndSet("APT::Install-Recommends", true);
Cnf.CndSet("APT::Install-Suggests", false);
- Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future", ">=rsa3072,ed25519,ed448");
Cnf.CndSet("Dir","/");
// State
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 6bcf8e354..72ce1fe3a 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -776,6 +776,8 @@ apt::key::masterkeyring "<STRING>";
apt::key::archivekeyringuri "<STRING>";
apt::key::net-update-enabled "<STRING>";
apt::key::assert-pubkey-algo "<STRING>";
+apt::key::assert-pubkey-algo::next "<STRING>";
+apt::key::assert-pubkey-algo::future "<STRING>";
apt::ftparchive::release::patterns "<LIST>";
apt::ftparchive::release::validtime "<INT>";
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index fc37b83dc..4a0866555 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -262,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
{ return IsTheSameKey(fpr, goodsig); }),
Signers.Good.end());
}
+ else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next"))
+ {
+ std::string reason;
+ Signers.SoonWorthless.push_back({fpr, pkstr});
+ }
+ else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future"))
+ {
+ std::string reason;
+ strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str());
+ Signers.LaterWorthless.push_back({fpr, reason});
+ }
}
else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0)
PushEntryWithKeyID(Signers.Good, buffer, Debug);
diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv
index 0f014e3d1..ffaa72c8f 100755
--- a/test/integration/test-method-gpgv
+++ b/test/integration/test-method-gpgv
@@ -48,6 +48,14 @@ testrun() {
[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024'
+ testgpgv 'Not asserted in the next level' 'SoonWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1'
+
+ testgpgv 'Not asserted in the future level' 'LaterWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 nistp256'
+
testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org>
[GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org>
@@ -108,6 +116,9 @@ gpgvmethod() {
Config-Item: Debug::Acquire::gpgv=1
Config-Item: Dir::Bin::apt-key=./faked-apt-key
Config-Item: APT::Hashes::SHA1::Weak=true
+Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1
+Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256
+Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048
600 URI Acquire
URI: file://${TMPWORKINGDIRECTORY}/message.sig
@@ -121,6 +132,9 @@ gpgvmethod() {
Config-Item: Debug::Acquire::gpgv=1
Config-Item: Dir::Bin::apt-key=./faked-apt-key
Config-Item: APT::Hashes::SHA1::Weak=true
+Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1
+Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256
+Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048
600 URI Acquire
URI: file://${TMPWORKINGDIRECTORY}/message.sig
@@ -135,6 +149,9 @@ gpgvmethod() {
Config-Item: Debug::Acquire::gpgv=1
Config-Item: Dir::Bin::apt-key=./faked-apt-key
Config-Item: APT::Hashes::SHA1::Weak=true
+Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1
+Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256
+Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048
600 URI Acquire
URI: file://${TMPWORKINGDIRECTORY}/message.sig
@@ -158,6 +175,9 @@ gpgvmethod() {
Config-Item: Debug::Acquire::gpgv=1
Config-Item: Dir::Bin::apt-key=./faked-apt-key
Config-Item: APT::Hashes::SHA1::Weak=true
+Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1
+Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256
+Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048
600 URI Acquire
URI: file://${TMPWORKINGDIRECTORY}/message.sig
@@ -199,3 +219,26 @@ echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey <subkey@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' > gpgv.output
testfailure apt update -o Dir::Bin::apt-key="./faked-apt-key" -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1
rm -rf rootdir/var/lib/apt/lists
+
+gpgvmethod() {
+ echo "601 Configuration
+Config-Item: Debug::Acquire::gpgv=1
+Config-Item: Dir::Bin::apt-key=./faked-apt-key
+Config-Item: APT::Hashes::SHA1::Weak=true
+Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=invalid
+
+600 URI Acquire
+URI: file://${TMPWORKINGDIRECTORY}/message.sig
+Filename: ${TMPWORKINGDIRECTORY}/message.data
+Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!
+" | runapt "${METHODSDIR}/gpgv"
+}
+
+
+echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' > gpgv.output
+
+msgtest "Warns about invalid specification" ">=invalid"
+gpgvmethod >method.output 2>&1 || true
+testsuccess --nomsg grep "Message: Unrecognized public key specification '>=invalid' in option APT::Key::Assert-Pubkey-Algo::Next" method.output