summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2025-04-25 21:08:05 +0000
committerJulian Andres Klode <jak@debian.org>2025-04-25 21:08:05 +0000
commitfd4ebe70225d6e2f9993514553bac7aa9eb1df7e (patch)
tree95190a341e6861d216bf45c2e45eb301f6c531da
parentccd3b00975f96a62835e02cd243f624d47812b56 (diff)
parent85c435f23718e168345ea60270b24a57061b54f4 (diff)
Merge branch 'policy-as-of' into 'main'
Update Sequoia crypto policy, implement year-ahead warning See merge request apt-team/apt!475
-rw-r--r--debian/control2
-rw-r--r--debian/default-sequoia.config18
-rwxr-xr-xdebian/rules2
-rw-r--r--methods/sqv.cc52
-rwxr-xr-xtest/integration/test-releasefile-verification10
5 files changed, 80 insertions, 4 deletions
diff --git a/debian/control b/debian/control
index 157ca079e..a3e4c45df 100644
--- a/debian/control
+++ b/debian/control
@@ -28,7 +28,7 @@ Build-Depends: dpkg-dev (>= 1.22.5) <!pkg.apt.ci>,
ninja-build,
pkg-config,
po4a (>= 0.34-2) <!nodoc>,
- sqv [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] <!pkg.apt.nosqv> | gpgv,
+ sqv (>= 1.3.0) [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] <!pkg.apt.nosqv> | gpgv,
triehash,
xsltproc <!nodoc>,
zlib1g-dev
diff --git a/debian/default-sequoia.config b/debian/default-sequoia.config
index b0abc90ee..0bb0b9c41 100644
--- a/debian/default-sequoia.config
+++ b/debian/default-sequoia.config
@@ -1,4 +1,18 @@
+# Default APT Sequoia configuration. To overwrite, consider copying this
+# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the
+# desired values.
+[asymmetric_algorithms]
+dsa2048 = 2024-02-01
+dsa3072 = 2024-02-01
+dsa4096 = 2024-02-01
+brainpoolp256 = 2028-02-01
+brainpoolp384 = 2028-02-01
+brainpoolp512 = 2028-02-01
+rsa2048 = 2030-02-01
+
[hash_algorithms]
-sha1.second_preimage_resistance = 2026-01-01
+sha1.second_preimage_resistance = 2026-02-01 # Extend the expiry for legacy repositories
+sha224 = 2026-02-01
+
[packets]
-signature.v3 = 2026-01-01
+signature.v3 = 2026-02-01 # Extend the expiry
diff --git a/debian/rules b/debian/rules
index cd2370931..55d5e5eac 100755
--- a/debian/rules
+++ b/debian/rules
@@ -31,7 +31,7 @@ override_dh_install-arch:
install -m 644 debian/apt.conf.autoremove debian/apt/etc/apt/apt.conf.d/01autoremove
override_dh_gencontrol:
- dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends=$(shell test -e /usr/bin/sqv && echo sqv || echo gpgv)
+ dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends="$(shell test -e /usr/bin/sqv && echo "sqv (>= 1.3.0)" || echo gpgv)"
override_dh_installcron:
dh_installcron --name=apt-compat
diff --git a/methods/sqv.cc b/methods/sqv.cc
index 3191752cc..6c154401d 100644
--- a/methods/sqv.cc
+++ b/methods/sqv.cc
@@ -19,6 +19,7 @@ class SQVMethod : public aptMethod
bool VerifyGetSigners(const char *file, const char *outfile,
vector<string> keyFiles,
vector<string> &signers);
+ bool ExecuteSqv(const std::vector<std::string> &args, std::vector<std::string> &signers);
protected:
bool URIAcquire(std::string const &Message, FetchItem *Itm) override;
@@ -205,6 +206,57 @@ bool SQVMethod::VerifyGetSigners(const char *file, const char *outfile,
args.push_back(outfile);
}
+ bool res = false;
+ std::vector<std::string> aheadErrors;
+ // Check the signature with a one-year-ahead policy first
+ {
+ _error->PushToStack();
+ auto time = std::time(nullptr);
+ auto tm = std::localtime(&time);
+ std::string yearAheadDate;
+ strprintf(yearAheadDate, "%d-%d-%d", tm->tm_year + 1900 + 1, tm->tm_mon + 1, tm->tm_mday);
+
+ args.push_back("--policy-as-of");
+ args.push_back(std::move(yearAheadDate));
+ res = ExecuteSqv(args, signers);
+ args.pop_back();
+ args.pop_back();
+
+ // Preserve any warnings or whatnot on success
+ if (res)
+ _error->MergeWithStack();
+ else
+ {
+ while (not _error->empty())
+ {
+ std::string msg;
+ _error->PopMessage(msg);
+ aheadErrors.push_back(msg);
+ }
+ _error->RevertToStack();
+ }
+ }
+
+ // The year-ahead-policy produced no valid signer, check if valid at current time.
+ if (not res)
+ {
+ // clear signers, args have already been cleaned post-execution
+ signers.clear();
+ res = ExecuteSqv(args, signers);
+ if (res)
+ {
+ Warning(_("Policy will reject signature within a year, see --audit for details"));
+ for (auto &&msg : aheadErrors)
+ Audit(std::move(msg));
+ }
+ }
+ return res;
+}
+
+bool SQVMethod::ExecuteSqv(const std::vector<std::string> &args, std::vector<std::string> &signers)
+{
+ bool const Debug = DebugEnabled();
+
// FIXME: Use a select() loop
FileFd sqvout;
FileFd sqverr;
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 1e54cf0d5..e15752482 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -374,6 +374,16 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release
" aptcache show apt
installaptnew
+ if test -e "${METHODSDIR}/sqv"; then
+ msgmsg 'Warm archive with ahead-policy-rejected subkey signing' 'Sebastian Subkey'
+ cat > sequoia.config << EOF
+[asymmetric_algorithms]
+rsa3072 = $(date +%Y-%m-%d --date="now + 6 months")
+EOF
+ APT_SEQUOIA_CRYPTO_POLICY=$PWD/sequoia.config updatewithwarnings "W: http://localhost:${APTHTTPPORT}/Release.gpg: Policy will reject signature within a year, see --audit for details"
+ exit
+ fi
+
msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey'
rm -rf rootdir/var/lib/apt/lists
cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists