Warn if the legacy trusted.gpg keyring is used for verification

With apt-key going away, people need to manage key files, rather
than keys, so they need to know if any keys are in the legacy keyring.

4 files changed, 81 insertions, 1 deletions

diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 3c83a8b3d..80b0c2ade 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -645,6 +645,9 @@ if [ -z "$TRUSTEDFILE" ]; then
    TRUSTEDFILE="/etc/apt/trusted.gpg"
    eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
    eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+   if [ "$APT_KEY_NO_LEGACY_KEYRING" ]; then
+        TRUSTEDFILE="/dev/null"
+   fi
 fi
 
 command="$1"
diff --git a/debian/NEWS b/debian/NEWS
index b5547fd12..50ee37653 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,11 @@
+apt (2.3.15) UNRELEASED; urgency=medium
+
+  GPG verification now first tries only the trusted.gpg.d keys, before
+  then falling back to the legacy trusted.gpg keyring and issuing a
+  warning to migrate keys if verification succeeded in the fallback.
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 07 Jan 2022 13:04:28 +0100
+
 apt (2.3.12) unstable; urgency=medium
 
   The solver will no longer try to remove Essential or Protected packages,
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 594e8781a..fdd8586b4 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -120,6 +120,11 @@ class GPGVMethod : public aptMethod
 				vector<string> const &keyFpts,
 				vector<string> const &keyFiles,
 				SignersStorage &Signers);
+   string VerifyGetSignersWithLegacy(const char *file, const char *outfile,
+				     vector<string> const &keyFpts,
+				     vector<string> const &keyFiles,
+				     SignersStorage &Signers);
+
    protected:
    virtual bool URIAcquire(std::string const &Message, FetchItem *Itm) APT_OVERRIDE;
    public:
@@ -183,6 +188,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
    {
       std::ostringstream keys;
       implodeVector(keyFiles, keys, ",");
+      setenv("APT_KEY_NO_LEGACY_KEYRING", "1", true);
       ExecGPGV(outfile, file, 3, fd, keys.str());
    }
    close(fd[1]);
@@ -415,7 +421,43 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
    else
       return _("Unknown error executing apt-key");
 }
+string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outfile,
+					      vector<string> const &keyFpts,
+					      vector<string> const &keyFiles,
+					      SignersStorage &Signers)
+{
+   string const msg = VerifyGetSigners(file, outfile, keyFpts, keyFiles, Signers);
+   if (_error->PendingError())
+      return msg;
+   if (keyFiles.empty() && (Signers.Good.empty() || !Signers.Bad.empty() || !Signers.NoPubKey.empty()))
+   {
+      std::vector<std::string> legacyKeyFiles{_config->FindFile("Dir::Etc::trusted")};
+      if (legacyKeyFiles[0].empty())
+	 return msg;
+      if (DebugEnabled())
+	 std::clog << "Retrying against " << legacyKeyFiles[0] << "\n";
+
+      // Retry against trusted.gpg
+      SignersStorage legacySigners;
+
+      string const legacyMsg = VerifyGetSigners(file, outfile, keyFpts, legacyKeyFiles, legacySigners);
+      if (_error->PendingError())
+	 return legacyMsg;
+      // Hooray, we found the key now
+      if (not(legacySigners.Good.empty() || !legacySigners.Bad.empty() || !legacySigners.NoPubKey.empty()))
+      {
+	 std::string warning;
+	 strprintf(warning,
+		   _("Key is stored in legacy trusted.gpg keyring (%s), see the DEPRECATION section in apt-key(8) for details."),
+		   legacyKeyFiles[0].c_str());
+	 Warning(std::move(warning));
+	 Signers = std::move(legacySigners);
+	 return legacyMsg;
+      }
 
+   }
+   return msg;
+}
 static std::string GenerateKeyFile(std::string const key)
 {
    FileFd fd;
@@ -454,7 +496,7 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
    }
 
    // Run apt-key on file, extract contents and get the key ID of the signer
-   string const msg = VerifyGetSigners(Path.c_str(), Itm->DestFile.c_str(), keyFpts, keyFiles, Signers);
+   string const msg = VerifyGetSignersWithLegacy(Path.c_str(), Itm->DestFile.c_str(), keyFpts, keyFiles, Signers);
    if (_error->PendingError())
       return false;
 
diff --git a/test/integration/test-method-gpgv-legacy-keyring b/test/integration/test-method-gpgv-legacy-keyring
new file mode 100755
index 000000000..37a86529a
--- /dev/null
+++ b/test/integration/test-method-gpgv-legacy-keyring
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+configarchitecture "amd64"
+
+insertpackage 'unstable' 'foo' 'all' '1'
+
+buildaptarchive
+setupaptarchive --no-update
+
+testsuccessequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:2 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main all Packages [247 B]
+Get:3 file:${TMPWORKINGDIRECTORY}/aptarchive unstable/main Translation-en [224 B]
+Reading package lists..." aptget update -q
+
+cat rootdir/etc/apt/trusted.gpg.d/*.gpg > rootdir/etc/apt/trusted.gpg
+rm rootdir/etc/apt/trusted.gpg.d/*.gpg
+
+testwarningequal "Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Get:1 file:${TMPWORKINGDIRECTORY}/aptarchive unstable InRelease [1420 B]
+Reading package lists...
+W: file:${TMPWORKINGDIRECTORY}/aptarchive/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (${TMPWORKINGDIRECTORY}/rootdir/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details." aptget update -q