author | Julian Andres Klode <julian.klode@canonical.com> | 2024-02-28 17:04:05 +0100 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-02-28 18:22:01 +0100 |
commit | 66998ed3d299bede651ad40368bdb270f5f5b0f9 (patch) | |
tree | 5da8b148e4c0091e7db4a24aba4d390d612f9b8c | |
parent | 8a14c18c5b487139948dcb22abd37bffdd9cf5f4 (diff) |
Temporarily downgrade key assertions to "soon worthless"
This will only issue warnings instead of errors while we continue
cleaning up our repositories.
-rw-r--r-- | methods/gpgv.cc | 9 | ||||
-rwxr-xr-x | test/integration/test-method-gpgv | 8 |
2 files changed, 5 insertions, 12 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 20ef2861d..e465c3595 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -253,14 +253,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 auto const asserted = atoi(tokens[1].c_str());
 auto const pkstr = tokens[2];
 if (not asserted)
- {
- std::string reason;
- strprintf(reason, _("untrusted public key algorithm: %s"), pkstr.c_str());
- Signers.Worthless.push_back({fpr, reason});
- Signers.Good.erase(std::remove_if(Signers.Good.begin(), Signers.Good.end(), [&](std::string const &goodsig)
- { return IsTheSameKey(fpr, goodsig); }),
- Signers.Good.end());
- }
+ Signers.SoonWorthless.push_back({fpr, pkstr});
 }
 else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0)
 PushEntryWithKeyID(Signers.Good, buffer, Debug);
diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv
index 0f014e3d1..4793b012e 100755
--- a/test/integration/test-method-gpgv
+++ b/test/integration/test-method-gpgv
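Review bot: Nothing on the new branch `if (not asserted) Signers.SoonWorthless.push_back({fpr, pkstr});` records that this is a temporary relaxation; only the commit message says so. With the `Signers.Good.erase(...)` gone, a signature whose key failed the algorithm assertion (rsa1024 in the accompanying test) stays in `Signers.Good` and is only warned about. A comment on that line such as `// TEMPORARY: a failed key-algorithm assertion must become Worthless and be removed from Good again once the archives are cleaned up` would keep the re-tightening visible to whoever touches this code next. Separately, `asserted` comes from `atoi(tokens[1].c_str())`, which yields 0 for a non-numeric token, so a malformed ASSERT_PUBKEY_ALGO line would presumably now also end as a warning rather than a rejection; the comment should say whether that is intended. VerifyGetSigners starts and ends outside the hunk, so how `SoonWorthless` is reported later is not visible here.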
@@ -60,14 +60,14 @@ testrun() { [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^\s\+Good:\s\+$' method.output - testgpgv 'Unasserted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + testgpgv 'Unasserted signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' - testsuccess grep '^\s\+Good:\s\+$' method.output - testgpgv 'Unaserted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output + testgpgv 'Unaserted signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' 
'[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' - testsuccess grep '^\s\+Good:\s\+$' method.output + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output testgpgv 'Weak signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' |