diff options
| author | Julian Andres Klode <jak@debian.org> | 2025-04-25 21:08:05 +0000 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2025-04-25 21:08:05 +0000 |
| commit | fd4ebe70225d6e2f9993514553bac7aa9eb1df7e (patch) | |
| tree | 95190a341e6861d216bf45c2e45eb301f6c531da | |
| parent | ccd3b00975f96a62835e02cd243f624d47812b56 (diff) | |
| parent | 85c435f23718e168345ea60270b24a57061b54f4 (diff) | |
Merge branch 'policy-as-of' into 'main'
Update Sequoia crypto policy, implement year-ahead warning
See merge request apt-team/apt!475
| -rw-r--r-- | debian/control | 2 | ||||
| -rw-r--r-- | debian/default-sequoia.config | 18 | ||||
| -rwxr-xr-x | debian/rules | 2 | ||||
| -rw-r--r-- | methods/sqv.cc | 52 | ||||
| -rwxr-xr-x | test/integration/test-releasefile-verification | 10 |
5 files changed, 80 insertions, 4 deletions
diff --git a/debian/control b/debian/control index 157ca079e..a3e4c45df 100644 --- a/debian/control +++ b/debian/control @@ -28,7 +28,7 @@ Build-Depends: dpkg-dev (>= 1.22.5) <!pkg.apt.ci>, ninja-build, pkg-config, po4a (>= 0.34-2) <!nodoc>, - sqv [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] <!pkg.apt.nosqv> | gpgv, + sqv (>= 1.3.0) [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] <!pkg.apt.nosqv> | gpgv, triehash, xsltproc <!nodoc>, zlib1g-dev diff --git a/debian/default-sequoia.config b/debian/default-sequoia.config index b0abc90ee..0bb0b9c41 100644 --- a/debian/default-sequoia.config +++ b/debian/default-sequoia.config @@ -1,4 +1,18 @@ +# Default APT Sequoia configuration. To overwrite, consider copying this +# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the +# desired values. +[asymmetric_algorithms] +dsa2048 = 2024-02-01 +dsa3072 = 2024-02-01 +dsa4096 = 2024-02-01 +brainpoolp256 = 2028-02-01 +brainpoolp384 = 2028-02-01 +brainpoolp512 = 2028-02-01 +rsa2048 = 2030-02-01 + [hash_algorithms] -sha1.second_preimage_resistance = 2026-01-01 +sha1.second_preimage_resistance = 2026-02-01 # Extend the expiry for legacy repositories +sha224 = 2026-02-01 + [packets] -signature.v3 = 2026-01-01 +signature.v3 = 2026-02-01 # Extend the expiry diff --git a/debian/rules b/debian/rules index cd2370931..55d5e5eac 100755 --- a/debian/rules +++ b/debian/rules @@ -31,7 +31,7 @@ override_dh_install-arch: install -m 644 debian/apt.conf.autoremove debian/apt/etc/apt/apt.conf.d/01autoremove override_dh_gencontrol: - dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends=$(shell test -e /usr/bin/sqv && echo sqv || echo gpgv) + dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends="$(shell test -e /usr/bin/sqv && echo "sqv (>= 1.3.0)" || echo gpgv)" override_dh_installcron: dh_installcron --name=apt-compat diff --git a/methods/sqv.cc b/methods/sqv.cc index 3191752cc..6c154401d 100644 --- a/methods/sqv.cc +++ b/methods/sqv.cc @@ -19,6 +19,7 @@ class SQVMethod : public aptMethod bool VerifyGetSigners(const char *file, const char *outfile, vector<string> keyFiles, vector<string> &signers); + bool ExecuteSqv(const std::vector<std::string> &args, std::vector<std::string> &signers); protected: bool URIAcquire(std::string const &Message, FetchItem *Itm) override; @@ -205,6 +206,57 @@ bool SQVMethod::VerifyGetSigners(const char *file, const char *outfile, args.push_back(outfile); } + bool res = false; + std::vector<std::string> aheadErrors; + // Check the signature with a one-year-ahead policy first + { + _error->PushToStack(); + auto time = std::time(nullptr); + auto tm = std::localtime(&time); + std::string yearAheadDate; + strprintf(yearAheadDate, "%d-%d-%d", tm->tm_year + 1900 + 1, tm->tm_mon + 1, tm->tm_mday); + + args.push_back("--policy-as-of"); + args.push_back(std::move(yearAheadDate)); + res = ExecuteSqv(args, signers); + args.pop_back(); + args.pop_back(); + + // Preserve any warnings or whatnot on success + if (res) + _error->MergeWithStack(); + else + { + while (not _error->empty()) + { + std::string msg; + _error->PopMessage(msg); + aheadErrors.push_back(msg); + } + _error->RevertToStack(); + } + } + + // The year-ahead-policy produced no valid signer, check if valid at current time. + if (not res) + { + // clear signers, args have already been cleaned post-execution + signers.clear(); + res = ExecuteSqv(args, signers); + if (res) + { + Warning(_("Policy will reject signature within a year, see --audit for details")); + for (auto &&msg : aheadErrors) + Audit(std::move(msg)); + } + } + return res; +} + +bool SQVMethod::ExecuteSqv(const std::vector<std::string> &args, std::vector<std::string> &signers) +{ + bool const Debug = DebugEnabled(); + // FIXME: Use a select() loop FileFd sqvout; FileFd sqverr; diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 1e54cf0d5..e15752482 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -374,6 +374,16 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release " aptcache show apt installaptnew + if test -e "${METHODSDIR}/sqv"; then + msgmsg 'Warm archive with ahead-policy-rejected subkey signing' 'Sebastian Subkey' + cat > sequoia.config << EOF +[asymmetric_algorithms] +rsa3072 = $(date +%Y-%m-%d --date="now + 6 months") +EOF + APT_SEQUOIA_CRYPTO_POLICY=$PWD/sequoia.config updatewithwarnings "W: http://localhost:${APTHTTPPORT}/Release.gpg: Policy will reject signature within a year, see --audit for details" + exit + fi + msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists |
