authorJulian Andres Klode <jak@debian.org>2022-01-07 12:43:32 +0100
committerJulian Andres Klode <jak@debian.org>2022-02-22 18:25:06 +0100
commit56adf743b02b80a9acc9a2e480bfd15acb94f755 (patch)
tree36c05dda8274832bc8d0af8d03cd38faf13ae63d
parent9aee35d1acafde2e443741160d13d365345383ab (diff)
Warn if the legacy trusted.gpg keyring is used for verification
With apt-key going away, people need to manage key files, rather than keys, so they need to know if any keys are in the legacy keyring.
-rw-r--r--cmdline/apt-key.in3
-rw-r--r--debian/NEWS8
-rw-r--r--methods/gpgv.cc44
-rwxr-xr-xtest/integration/test-method-gpgv-legacy-keyring27
4 files changed, 81 insertions, 1 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 3c83a8b3d..80b0c2ade 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -645,6 +645,9 @@ if [ -z "$TRUSTEDFILE" ]; then
TRUSTEDFILE="/etc/apt/trusted.gpg"
eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+ if [ "$APT_KEY_NO_LEGACY_KEYRING" ]; then
+ TRUSTEDFILE="/dev/null"
+ fi
fi
command="$1"
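Review bot: `APT_KEY_NO_LEGACY_KEYRING` is a new, undocumented contract between apt-key and methods/gpgv.cc, and `[ "$APT_KEY_NO_LEGACY_KEYRING" ]` treats any non-empty value, including `0`, as enabled. A comment above the new test would help the next maintainer, e.g. `# Set by the gpgv method: do not fall back to the default trusted.gpg here; the method retries with the legacy keyring passed explicitly as a key file.` The variable should also be mentioned in the apt-key(8) DEPRECATION section the new warning points users to. The enclosing `if [ -z "$TRUSTEDFILE" ]` block starts outside the hunk.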
diff --git a/debian/NEWS b/debian/NEWS
index b5547fd12..50ee37653 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,11 @@
+apt (2.3.15) UNRELEASED; urgency=medium
+
+ GPG verification now first tries only the trusted.gpg.d keys, before
+ then falling back to the legacy trusted.gpg keyring and issuing a
+ warning to migrate keys if verification succeeded in the fallback.
+
+ -- Julian Andres Klode <jak@debian.org> Fri, 07 Jan 2022 13:04:28 +0100
+
apt (2.3.12) unstable; urgency=medium
The solver will no longer try to remove Essential or Protected packages,
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 594e8781a..fdd8586b4 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -120,6 +120,11 @@ class GPGVMethod : public aptMethod
vector<string> const &keyFpts,
vector<string> const &keyFiles,
SignersStorage &Signers);
+ string VerifyGetSignersWithLegacy(const char *file, const char *outfile,
+ vector<string> const &keyFpts,
+ vector<string> const &keyFiles,
+ SignersStorage &Signers);
+
protected:
virtual bool URIAcquire(std::string const &Message, FetchItem *Itm) APT_OVERRIDE;
public:
@@ -183,6 +188,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
{
std::ostringstream keys;
implodeVector(keyFiles, keys, ",");
+ setenv("APT_KEY_NO_LEGACY_KEYRING", "1", true);
ExecGPGV(outfile, file, 3, fd, keys.str());
}
close(fd[1]);
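Review bot: The `setenv("APT_KEY_NO_LEGACY_KEYRING", "1", true)` call carries no explanation of why the default keyring is being switched off, and the hunk does not show whether this block is the forked child before `ExecGPGV` or the method process itself; in the latter case the variable persists across later verifications, which is harmless only because apt-key merely reads it. Suggest `// Tell apt-key not to consult trusted.gpg by default; the legacy keyring is retried explicitly in VerifyGetSignersWithLegacy.` above the call. The enclosing VerifyGetSigners body starts and ends outside the hunk.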
@@ -415,7 +421,43 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
else
return _("Unknown error executing apt-key");
}
+string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outfile,
+ vector<string> const &keyFpts,
+ vector<string> const &keyFiles,
+ SignersStorage &Signers)
+{
+ string const msg = VerifyGetSigners(file, outfile, keyFpts, keyFiles, Signers);
+ if (_error->PendingError())
+ return msg;
+ if (keyFiles.empty() && (Signers.Good.empty() || !Signers.Bad.empty() || !Signers.NoPubKey.empty()))
+ {
+ std::vector<std::string> legacyKeyFiles{_config->FindFile("Dir::Etc::trusted")};
+ if (legacyKeyFiles[0].empty())
+ return msg;
+ if (DebugEnabled())
+ std::clog << "Retrying against " << legacyKeyFiles[0] << "\n";
+
+ // Retry against trusted.gpg
+ SignersStorage legacySigners;
+
+ string const legacyMsg = VerifyGetSigners(file, outfile, keyFpts, legacyKeyFiles, legacySigners);
+ if (_error->PendingError())
+ return legacyMsg;
+ // Hooray, we found the key now
+ if (not(legacySigners.Good.empty() || !legacySigners.Bad.empty() || !legacySigners.NoPubKey.empty()))
+ {
+ std::string warning;
+ strprintf(warning,
+ _("Key is stored in legacy trusted.gpg keyring (%s), see the DEPRECATION section in apt-key(8) for details."),
+ legacyKeyFiles[0].c_str());
+ Warning(std::move(warning));
+ Signers = std::move(legacySigners);
+ return legacyMsg;
+ }
+ }
+ return msg;
+}
static std::string GenerateKeyFile(std::string const key)
{
FileFd fd;
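Review bot: A Release file signed by one key in trusted.gpg.d and another only in trusted.gpg is now never fully verified: the first pass reports the second key as NoPubKey, the retry reports the first as NoPubKey, so the check at `if (not(legacySigners.Good.empty() || ...))` rejects the retry and the first result, NoPubKey entry included, is returned; whether that ends as a warning or a hard failure depends on URIAcquire's handling outside this hunk, so it deserves a sentence in the method's documentation and an integration test. The same trust predicate appears twice, negated on the retry decision and plain on the retry result; a helper `static bool IsFullyTrusted(SignersStorage const &S) { return not S.Good.empty() && S.Bad.empty() && S.NoPubKey.empty(); }` used as `not IsFullyTrusted(Signers)` and `IsFullyTrusted(legacySigners)` would make both readable. The new method also lacks a doc comment; describe it as verifying against the caller's key files (or, when none are given, the trusted.gpg.d keyrings only), retrying once with the `Dir::Etc::trusted` legacy keyring, and replacing Signers and emitting the deprecation warning only when that retry alone verifies the file.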
@@ -454,7 +496,7 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
}
// Run apt-key on file, extract contents and get the key ID of the signer
- string const msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(), keyFpts, keyFiles, Signers);
+ string const msg = VerifyGetSignersWithLegacy(Path.c_str(), Itm->DestFile.c_str(), keyFpts, keyFiles, Signers);
if (_error->PendingError())
return false;
diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring
new file mode 100755
index 000000000..37a86529a
--- /dev/null
+++ b/test/integration/test-method-gpgv-legacy-keyring
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "amd64"
+
+insertpackage 'unstable' 'foo' 'all' '1'
+
+buildaptarchive
+setupaptarchive --no-update
+
+testsuccessequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main all Packages [247 B]
+Get:3 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main Translation-en [224 B]
+Reading package lists..." aptget update -q
+
+cat rootdir/etc/apt/trusted.gpg.d/*.gpg > rootdir/etc/apt/trusted.gpg
+rm rootdir/etc/apt/trusted.gpg.d/*.gpg
+
+testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Reading package lists...
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details." aptget update -q
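Review bot: The test exercises only the success path of the fallback; there is no case where the key is in neither keyring, which is what guards against the retry widening trust. After the `testwarningequal` block, `rm rootdir/etc/apt/trusted.gpg` followed by `testfailure aptget update -q` would pin that verification still fails closed when the legacy keyring is missing or empty. A third case with the key split across trusted.gpg.d and trusted.gpg would document the behaviour of the two-pass scheme for multi-signer archives.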