Merge branch 'gpgv-improvements' into 'main'

Assert >=2048-bit RSA keys, Ed25519, Ed448, and some improvements to diagnostic reporting See merge request apt-team/apt!322
author: Julian Andres Klode <jak@debian.org> 2024-02-28 18:39:57 +0000
committer: Julian Andres Klode <jak@debian.org> 2024-02-28 18:39:57 +0000
commit: 368a60cd267cb92be43c57a8cc92c77d5f7aeb50 (patch)
tree: b40fdb259e118c8c4e35231a8b8ca8ccb6283872
parent: 010841260f7dce50ba407e23c5894e9017561ce2 (diff)
parent: 66998ed3d299bede651ad40368bdb270f5f5b0f9 (diff)
7 files changed, 111 insertions, 18 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index f1742c019..75935404f 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -131,6 +131,7 @@ bool pkgInitConfig(Configuration &Cnf)
       Cnf.Set("APT::Build-Essential::", "build-essential");
    Cnf.CndSet("APT::Install-Recommends", true);
    Cnf.CndSet("APT::Install-Suggests", false);
+   Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448");
    Cnf.CndSet("Dir","/");
    
    // State
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 4f3e9c8e1..07522723b 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -800,7 +800,8 @@ case "$command" in
 	;;
     verify)
 	GPGV=''
-	eval $(apt-config shell GPGV Apt::Key::gpgvcommand)
+	ASSERT_PUBKEY_ALGO=''
+	eval $(apt-config shell GPGV Apt::Key::gpgvcommand ASSERT_PUBKEY_ALGO Apt::Key::assert-pubkey-algo)
 	if [ -n "$GPGV" ] && command_available "$GPGV"; then true;
 	elif command_available 'gpgv'; then GPGV='gpgv';
 	elif command_available 'gpgv2'; then GPGV='gpgv2';
@@ -809,6 +810,20 @@ case "$command" in
 	   apt_error 'gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed'
 	   exit 29
 	fi
+	GPGV_ARGS=""
+	if [ "$ASSERT_PUBKEY_ALGO" ]; then
+		test="$(LC_ALL=C.UTF-8 "$GPGV" --assert-pubkey-algo 2>&1 || :)"
+		case "$test" in
+			*"missing argument"*)
+				GPGV_ARGS="--assert-pubkey-algo=$ASSERT_PUBKEY_ALGO"
+				;;
+			*[Ii]"nvalid option"*"assert-pubkey-algo"*)
+				;;
+			*)
+				apt_warn "Unknown response from gpgv to --assert-pubkey-algo check: $test"
+				;;
+		esac
+	fi
 	# for a forced keyid we need gpg --export, so full wrapping required
 	if [ -n "$FORCED_KEYID" ]; then
 	    prepare_gpg_home
@@ -817,9 +832,9 @@ case "$command" in
 	fi
 	setup_merged_keyring
 	if [ -n "$FORCED_KEYRING" ]; then
-	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
+	    "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
 	else
-	    "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
+	    "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
 	fi
 	;;
     help)
diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index f37b7696c..da4998b4d 100644
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -762,6 +762,7 @@ apt::key::gpgcommand "<STRING>";
 apt::key::masterkeyring "<STRING>";
 apt::key::archivekeyringuri "<STRING>";
 apt::key::net-update-enabled "<STRING>";
+apt::key::assert-pubkey-algo "<STRING>";
 
 apt::ftparchive::release::patterns "<LIST>";
 apt::ftparchive::release::validtime "<INT>";
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index f89aa8d2e..e465c3595 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -40,6 +40,9 @@ using std::vector;
 #define GNUPGEXPSIG "[GNUPG:] EXPSIG"
 #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
 #define GNUPGNODATA "[GNUPG:] NODATA"
+#define GNUPGWARNING "[GNUPG:] WARNING"
+#define GNUPGERROR "[GNUPG:] ERROR"
+#define GNUPGASSERT_PUBKEY_ALGO "[GNUPG:] ASSERT_PUBKEY_ALGO"
 #define APTKEYWARNING "[APTKEY:] WARNING"
 #define APTKEYERROR "[APTKEY:] ERROR"
 
@@ -106,7 +109,7 @@ static bool IsTheSameKey(std::string const &validsig, std::string const &goodsig
 struct APT_HIDDEN SignersStorage {
    std::vector<std::string> Good;
    std::vector<std::string> Bad;
-   std::vector<std::string> Worthless;
+   std::vector<Signer> Worthless;
    // a worthless signature is a expired or revoked one
    std::vector<Signer> SoonWorthless;
    std::vector<std::string> NoPubKey;
@@ -158,6 +161,16 @@ static void PushEntryWithUID(std::vector<std::string> &Signers, char * const buf
       std::clog << "Got " << msg << " !" << std::endl;
    Signers.push_back(msg);
 }
+static void PushEntryWithUID(std::vector<Signer> &Signers, char * const buffer, bool const Debug)
+{
+   std::string msg = buffer + sizeof(GNUPGPREFIX);
+   auto const nuke = msg.find_last_not_of("\n\t\r");
+   if (nuke != std::string::npos)
+      msg.erase(nuke + 1);
+   if (Debug == true)
+      std::clog << "Got " << msg << " !" << std::endl;
+   Signers.push_back({msg, ""});
+}
 static void implodeVector(std::vector<std::string> const &vec, std::ostream &out, char const * const sep)
 {
    if (vec.empty())
@@ -230,6 +243,18 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 	 PushEntryWithUID(Signers.Worthless, buffer, Debug);
       else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
 	 PushEntryWithUID(Signers.Worthless, buffer, Debug);
+      else if (strncmp(buffer, GNUPGASSERT_PUBKEY_ALGO, sizeof(GNUPGASSERT_PUBKEY_ALGO) - 1) == 0)
+      {
+	 std::istringstream iss(buffer + sizeof(GNUPGASSERT_PUBKEY_ALGO));
+	 vector<string> tokens{std::istream_iterator<string>{iss},
+			       std::istream_iterator<string>{}};
+
+	 auto const fpr = tokens[0];
+	 auto const asserted = atoi(tokens[1].c_str());
+	 auto const pkstr = tokens[2];
+	 if (not asserted)
+	    Signers.SoonWorthless.push_back({fpr, pkstr});
+      }
       else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0)
 	 PushEntryWithKeyID(Signers.Good, buffer, Debug);
       else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0)
@@ -251,7 +276,11 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
          case Digest::State::Untrusted:
             // Treat them like an expired key: For that a message about expiry
             // is emitted, a VALIDSIG, but no GOODSIG.
-            Signers.Worthless.push_back(sig);
+	    {
+	       std::string note;
+	       strprintf(note, "untrusted digest algorithm: %s", digest.name);
+	       Signers.Worthless.push_back({sig, note});
+	    }
             Signers.Good.erase(std::remove_if(Signers.Good.begin(), Signers.Good.end(), [&](std::string const &goodsig) {
 		     return IsTheSameKey(sig, goodsig); }), Signers.Good.end());
 	    if (Debug == true)
@@ -269,6 +298,13 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 	 if (tokens.size() > 9 && sig != tokens[9])
 	    SubKeyMapping[tokens[9]].emplace_back(sig);
       }
+      else if (strncmp(buffer, GNUPGWARNING, sizeof(GNUPGWARNING)-1) == 0) {
+	 std::string warning;
+	 strprintf(warning, "GPG: %s", buffer + sizeof(GNUPGWARNING));
+	 Warning(std::move(warning));
+      }
+      else if (strncmp(buffer, GNUPGERROR, sizeof(GNUPGERROR)-1) == 0)
+	 _error->Error("GPG: %s", buffer + sizeof(GNUPGERROR));
       else if (strncmp(buffer, APTKEYWARNING, sizeof(APTKEYWARNING)-1) == 0)
          Warning(buffer + sizeof(APTKEYWARNING));
       else if (strncmp(buffer, APTKEYERROR, sizeof(APTKEYERROR)-1) == 0)
@@ -276,7 +312,9 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
    }
    fclose(pipein);
    free(buffer);
-   std::move(ErrSigners.begin(), ErrSigners.end(), std::back_inserter(Signers.Worthless));
+
+   for (auto errSigner : ErrSigners)
+      Signers.Worthless.push_back({errSigner, ""});
 
    // apt-key has a --keyid parameter, but this requires gpg, so we call it without it
    // and instead check after the fact which keyids where used for verification
@@ -372,7 +410,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
       std::cerr << "\n  Bad: ";
       implodeVector(Signers.Bad, std::cerr, ", ");
       std::cerr << "\n  Worthless: ";
-      implodeVector(Signers.Worthless, std::cerr, ", ");
+      std::for_each(Signers.Worthless.begin(), Signers.Worthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; });
       std::cerr << "\n  SoonWorthless: ";
       std::for_each(Signers.SoonWorthless.begin(), Signers.SoonWorthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; });
       std::cerr << "\n  NoPubKey: ";
@@ -517,7 +555,7 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
       {
 	 std::string msg;
          // TRANSLATORS: The second %s is the reason and is untranslated for repository owners.
-	 strprintf(msg, _("Signature by key %s uses weak digest algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str());
+	 strprintf(msg, _("Signature by key %s uses weak algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str());
          Warning(std::move(msg));
       }
    }
@@ -540,8 +578,12 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm)
          if (!Signers.Worthless.empty())
          {
             errmsg += _("The following signatures were invalid:\n");
-            for (auto const &I : Signers.Worthless)
-               errmsg.append(I).append("\n");
+            for (auto const &[key, reason] : Signers.Worthless) {
+               errmsg.append(key);
+	       if (not reason.empty())
+		  errmsg.append(" (").append(reason).append(")");
+	       errmsg.append("\n");
+	    }
          }
          if (!Signers.NoPubKey.empty())
          {
diff --git a/test/integration/test-apt-cdrom b/test/integration/test-apt-cdrom
index 01680c461..e8ccb10a4 100755
--- a/test/integration/test-apt-cdrom
+++ b/test/integration/test-apt-cdrom
@@ -40,6 +40,24 @@ aptcdromlog() {
 }
 aptautotest_aptcdromlog_add() { aptautotest_aptget_update "$@"; }
 
+
+msgtest "Checking --assert-pubkey-algo support"
+gpgv_msg=""
+test="$(LC_ALL=C.UTF-8 gpgv --assert-pubkey-algo 2>&1 || :)"
+case "$test" in
+	*"missing argument"*)
+		gpgv_msg="
+gpgv: asserted signer '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' with algo rsa2048"
+		msgpass
+		;;
+	*[Ii]"nvalid option"*"assert-pubkey-algo"*)
+		msgskip
+		;;
+	*)
+		msgfail "Unknown response from gpgv to --assert-pubkey-algo check: $test"
+		;;
+esac
+
 CDROM_PRE="Using CD-ROM mount point $(readlink -f ./rootdir/media)/cdrom/
 Unmounting CD-ROM...
 Waiting for disc...
@@ -47,7 +65,7 @@ Please insert a Disc in the drive and press [Enter]
 Mounting CD-ROM...
 Scanning disc for index files..."
 CDROM_POST="This disc is called: 
-'Debian APT Testdisk 0.8.15'
+'Debian APT Testdisk 0.8.15'$gpgv_msg
 Writing new source list
 Source list entries for this disc are:
 deb cdrom:[Debian APT Testdisk 0.8.15]/ stable main
diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv
index bfa5af4c2..4793b012e 100755
--- a/test/integration/test-method-gpgv
+++ b/test/integration/test-method-gpgv
@@ -41,33 +41,49 @@ testrun() {
 	testgpgv 'Good signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
 
+	testgpgv 'Good signed with long keyid and asserted' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024'
+	testgpgv 'Good signed with fingerprint and asserted' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024'
+
 	testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org>
 [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
 	testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org>
 [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
 
-	testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+	testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
 	testsuccess grep '^\s\+Good:\s\+$' method.output
-	testgpgv 'Untrusted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+	testgpgv 'Untrusted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
 	testsuccess grep '^\s\+Good:\s\+$' method.output
 
+	testgpgv 'Unasserted signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024'
+	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output
+	testgpgv 'Unaserted signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
+[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
+[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024'
+	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output
+
 	testgpgv 'Weak signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
-	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak digest algorithm (SHA1)$' method.output
+	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output
 	testgpgv 'Weak signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org>
 [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE'
-	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak digest algorithm (SHA1)$' method.output
+	testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output
 
 	testgpgv 'No Pubkey with long keyid' 'NoPubKey: NO_PUBKEY E8525D47528144E2' '' '[GNUPG:] ERRSIG E8525D47528144E2 1 11 00 1472744666 9
 [GNUPG:] NO_PUBKEY E8525D47528144E2'
 	testgpgv 'No Pubkey with fingerprint' 'NoPubKey: NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2' '' '[GNUPG:] ERRSIG DE66AECA9151AFA1877EC31DE8525D47528144E2 1 11 00 1472744666 9
 [GNUPG:] NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2'
 
-	testgpgv 'Expired key with long keyid' 'Worthless: EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>' '' '[GNUPG:] EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>
+	testgpgv 'Expired key with long keyid' 'Worthless: EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>, ' '' '[GNUPG:] EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>
 [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9'
-	testgpgv 'Expired key with fingerprint' 'Worthless: EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>' '' '[GNUPG:] EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>
+	testgpgv 'Expired key with fingerprint' 'Worthless: EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>, ' '' '[GNUPG:] EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>
 [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9'
 }
 
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 5f873b82c..810427620 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -465,7 +465,7 @@ successfulaptgetupdate() {
 	if [ -n "$1" ]; then
 		testsuccess grep "$1" rootdir/tmp/testwarning.output
 	fi
-	testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output
+	testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output
 }
 runtest3 'Weak'
author	Julian Andres Klode <jak@debian.org>	2024-02-28 18:39:57 +0000
committer	Julian Andres Klode <jak@debian.org>	2024-02-28 18:39:57 +0000
commit	368a60cd267cb92be43c57a8cc92c77d5f7aeb50 (patch)
tree	b40fdb259e118c8c4e35231a8b8ca8ccb6283872
parent	010841260f7dce50ba407e23c5894e9017561ce2 (diff)
parent	66998ed3d299bede651ad40368bdb270f5f5b0f9 (diff)