diff options
author | Julian Andres Klode <jak@debian.org> | 2024-02-28 18:39:57 +0000 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2024-02-28 18:39:57 +0000 |
commit | 368a60cd267cb92be43c57a8cc92c77d5f7aeb50 (patch) | |
tree | b40fdb259e118c8c4e35231a8b8ca8ccb6283872 | |
parent | 010841260f7dce50ba407e23c5894e9017561ce2 (diff) | |
parent | 66998ed3d299bede651ad40368bdb270f5f5b0f9 (diff) |
Merge branch 'gpgv-improvements' into 'main'
Assert >=2048-bit RSA keys, Ed25519, Ed448, and some improvements to diagnostic reporting
See merge request apt-team/apt!322
-rw-r--r-- | apt-pkg/init.cc | 1 | ||||
-rw-r--r-- | cmdline/apt-key.in | 21 | ||||
-rw-r--r-- | doc/examples/configure-index | 1 | ||||
-rw-r--r-- | methods/gpgv.cc | 56 | ||||
-rwxr-xr-x | test/integration/test-apt-cdrom | 20 | ||||
-rwxr-xr-x | test/integration/test-method-gpgv | 28 | ||||
-rwxr-xr-x | test/integration/test-releasefile-verification | 2 |
7 files changed, 111 insertions, 18 deletions
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index f1742c019..75935404f 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -131,6 +131,7 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.Set("APT::Build-Essential::", "build-essential"); Cnf.CndSet("APT::Install-Recommends", true); Cnf.CndSet("APT::Install-Suggests", false); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448"); Cnf.CndSet("Dir","/"); // State diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 4f3e9c8e1..07522723b 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -800,7 +800,8 @@ case "$command" in ;; verify) GPGV='' - eval $(apt-config shell GPGV Apt::Key::gpgvcommand) + ASSERT_PUBKEY_ALGO='' + eval $(apt-config shell GPGV Apt::Key::gpgvcommand ASSERT_PUBKEY_ALGO Apt::Key::assert-pubkey-algo) if [ -n "$GPGV" ] && command_available "$GPGV"; then true; elif command_available 'gpgv'; then GPGV='gpgv'; elif command_available 'gpgv2'; then GPGV='gpgv2'; @@ -809,6 +810,20 @@ case "$command" in apt_error 'gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed' exit 29 fi + GPGV_ARGS="" + if [ "$ASSERT_PUBKEY_ALGO" ]; then + test="$(LC_ALL=C.UTF-8 "$GPGV" --assert-pubkey-algo 2>&1 || :)" + case "$test" in + *"missing argument"*) + GPGV_ARGS="--assert-pubkey-algo=$ASSERT_PUBKEY_ALGO" + ;; + *[Ii]"nvalid option"*"assert-pubkey-algo"*) + ;; + *) + apt_warn "Unknown response from gpgv to --assert-pubkey-algo check: $test" + ;; + esac + fi # for a forced keyid we need gpg --export, so full wrapping required if [ -n "$FORCED_KEYID" ]; then prepare_gpg_home @@ -817,9 +832,9 @@ case "$command" in fi setup_merged_keyring if [ -n "$FORCED_KEYRING" ]; then - "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@" + "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@" else - "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" + "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" fi ;; help) diff --git a/doc/examples/configure-index b/doc/examples/configure-index index f37b7696c..da4998b4d 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -762,6 +762,7 @@ apt::key::gpgcommand "<STRING>"; apt::key::masterkeyring "<STRING>"; apt::key::archivekeyringuri "<STRING>"; apt::key::net-update-enabled "<STRING>"; +apt::key::assert-pubkey-algo "<STRING>"; apt::ftparchive::release::patterns "<LIST>"; apt::ftparchive::release::validtime "<INT>"; diff --git a/methods/gpgv.cc b/methods/gpgv.cc index f89aa8d2e..e465c3595 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -40,6 +40,9 @@ using std::vector; #define GNUPGEXPSIG "[GNUPG:] EXPSIG" #define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG" #define GNUPGNODATA "[GNUPG:] NODATA" +#define GNUPGWARNING "[GNUPG:] WARNING" +#define GNUPGERROR "[GNUPG:] ERROR" +#define GNUPGASSERT_PUBKEY_ALGO "[GNUPG:] ASSERT_PUBKEY_ALGO" #define APTKEYWARNING "[APTKEY:] WARNING" #define APTKEYERROR "[APTKEY:] ERROR" @@ -106,7 +109,7 @@ static bool IsTheSameKey(std::string const &validsig, std::string const &goodsig struct APT_HIDDEN SignersStorage { std::vector<std::string> Good; std::vector<std::string> Bad; - std::vector<std::string> Worthless; + std::vector<Signer> Worthless; // a worthless signature is a expired or revoked one std::vector<Signer> SoonWorthless; std::vector<std::string> NoPubKey; @@ -158,6 +161,16 @@ static void PushEntryWithUID(std::vector<std::string> &Signers, char * const buf std::clog << "Got " << msg << " !" << std::endl; Signers.push_back(msg); } +static void PushEntryWithUID(std::vector<Signer> &Signers, char * const buffer, bool const Debug) +{ + std::string msg = buffer + sizeof(GNUPGPREFIX); + auto const nuke = msg.find_last_not_of("\n\t\r"); + if (nuke != std::string::npos) + msg.erase(nuke + 1); + if (Debug == true) + std::clog << "Got " << msg << " !" << std::endl; + Signers.push_back({msg, ""}); +} static void implodeVector(std::vector<std::string> const &vec, std::ostream &out, char const * const sep) { if (vec.empty()) @@ -230,6 +243,18 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, PushEntryWithUID(Signers.Worthless, buffer, Debug); else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0) PushEntryWithUID(Signers.Worthless, buffer, Debug); + else if (strncmp(buffer, GNUPGASSERT_PUBKEY_ALGO, sizeof(GNUPGASSERT_PUBKEY_ALGO) - 1) == 0) + { + std::istringstream iss(buffer + sizeof(GNUPGASSERT_PUBKEY_ALGO)); + vector<string> tokens{std::istream_iterator<string>{iss}, + std::istream_iterator<string>{}}; + + auto const fpr = tokens[0]; + auto const asserted = atoi(tokens[1].c_str()); + auto const pkstr = tokens[2]; + if (not asserted) + Signers.SoonWorthless.push_back({fpr, pkstr}); + } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0) @@ -251,7 +276,11 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, case Digest::State::Untrusted: // Treat them like an expired key: For that a message about expiry // is emitted, a VALIDSIG, but no GOODSIG. - Signers.Worthless.push_back(sig); + { + std::string note; + strprintf(note, "untrusted digest algorithm: %s", digest.name); + Signers.Worthless.push_back({sig, note}); + } Signers.Good.erase(std::remove_if(Signers.Good.begin(), Signers.Good.end(), [&](std::string const &goodsig) { return IsTheSameKey(sig, goodsig); }), Signers.Good.end()); if (Debug == true) @@ -269,6 +298,13 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, if (tokens.size() > 9 && sig != tokens[9]) SubKeyMapping[tokens[9]].emplace_back(sig); } + else if (strncmp(buffer, GNUPGWARNING, sizeof(GNUPGWARNING)-1) == 0) { + std::string warning; + strprintf(warning, "GPG: %s", buffer + sizeof(GNUPGWARNING)); + Warning(std::move(warning)); + } + else if (strncmp(buffer, GNUPGERROR, sizeof(GNUPGERROR)-1) == 0) + _error->Error("GPG: %s", buffer + sizeof(GNUPGERROR)); else if (strncmp(buffer, APTKEYWARNING, sizeof(APTKEYWARNING)-1) == 0) Warning(buffer + sizeof(APTKEYWARNING)); else if (strncmp(buffer, APTKEYERROR, sizeof(APTKEYERROR)-1) == 0) @@ -276,7 +312,9 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, } fclose(pipein); free(buffer); - std::move(ErrSigners.begin(), ErrSigners.end(), std::back_inserter(Signers.Worthless)); + + for (auto errSigner : ErrSigners) + Signers.Worthless.push_back({errSigner, ""}); // apt-key has a --keyid parameter, but this requires gpg, so we call it without it // and instead check after the fact which keyids where used for verification @@ -372,7 +410,7 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, std::cerr << "\n Bad: "; implodeVector(Signers.Bad, std::cerr, ", "); std::cerr << "\n Worthless: "; - implodeVector(Signers.Worthless, std::cerr, ", "); + std::for_each(Signers.Worthless.begin(), Signers.Worthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); std::cerr << "\n SoonWorthless: "; std::for_each(Signers.SoonWorthless.begin(), Signers.SoonWorthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); std::cerr << "\n NoPubKey: "; @@ -517,7 +555,7 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm) { std::string msg; // TRANSLATORS: The second %s is the reason and is untranslated for repository owners. - strprintf(msg, _("Signature by key %s uses weak digest algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); + strprintf(msg, _("Signature by key %s uses weak algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); Warning(std::move(msg)); } } @@ -540,8 +578,12 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm) if (!Signers.Worthless.empty()) { errmsg += _("The following signatures were invalid:\n"); - for (auto const &I : Signers.Worthless) - errmsg.append(I).append("\n"); + for (auto const &[key, reason] : Signers.Worthless) { + errmsg.append(key); + if (not reason.empty()) + errmsg.append(" (").append(reason).append(")"); + errmsg.append("\n"); + } } if (!Signers.NoPubKey.empty()) { diff --git a/test/integration/test-apt-cdrom b/test/integration/test-apt-cdrom index 01680c461..e8ccb10a4 100755 --- a/test/integration/test-apt-cdrom +++ b/test/integration/test-apt-cdrom @@ -40,6 +40,24 @@ aptcdromlog() { } aptautotest_aptcdromlog_add() { aptautotest_aptget_update "$@"; } + +msgtest "Checking --assert-pubkey-algo support" +gpgv_msg="" +test="$(LC_ALL=C.UTF-8 gpgv --assert-pubkey-algo 2>&1 || :)" +case "$test" in + *"missing argument"*) + gpgv_msg=" +gpgv: asserted signer '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' with algo rsa2048" + msgpass + ;; + *[Ii]"nvalid option"*"assert-pubkey-algo"*) + msgskip + ;; + *) + msgfail "Unknown response from gpgv to --assert-pubkey-algo check: $test" + ;; +esac + CDROM_PRE="Using CD-ROM mount point $(readlink -f ./rootdir/media)/cdrom/ Unmounting CD-ROM... Waiting for disc... @@ -47,7 +65,7 @@ Please insert a Disc in the drive and press [Enter] Mounting CD-ROM... Scanning disc for index files..." CDROM_POST="This disc is called: -'Debian APT Testdisk 0.8.15' +'Debian APT Testdisk 0.8.15'$gpgv_msg Writing new source list Source list entries for this disc are: deb cdrom:[Debian APT Testdisk 0.8.15]/ stable main diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv index bfa5af4c2..4793b012e 100755 --- a/test/integration/test-method-gpgv +++ b/test/integration/test-method-gpgv @@ -41,33 +41,49 @@ testrun() { testgpgv 'Good signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' + testgpgv 'Good signed with long keyid and asserted' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testgpgv 'Good signed with fingerprint and asserted' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey <subkey@example.org> [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey <subkey@example.org> [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' - testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + testgpgv 'Untrusted signed with long keyid' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^\s\+Good:\s\+$' method.output - testgpgv 'Untrusted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> + testgpgv 'Untrusted signed with fingerprint' 'Worthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 1 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testsuccess grep '^\s\+Good:\s\+$' method.output + testgpgv 'Unasserted signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output + testgpgv 'Unaserted signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 0 rsa1024' + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (rsa1024)$' method.output + testgpgv 'Weak signed with long keyid' 'Good: GOODSIG 5A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' - testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak digest algorithm (SHA1)$' method.output + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output testgpgv 'Weak signed with fingerprint' 'Good: GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) <joe@example.org> [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 2 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' - testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak digest algorithm (SHA1)$' method.output + testsuccess grep '^Message: Signature by key 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE uses weak algorithm (SHA1)$' method.output testgpgv 'No Pubkey with long keyid' 'NoPubKey: NO_PUBKEY E8525D47528144E2' '' '[GNUPG:] ERRSIG E8525D47528144E2 1 11 00 1472744666 9 [GNUPG:] NO_PUBKEY E8525D47528144E2' testgpgv 'No Pubkey with fingerprint' 'NoPubKey: NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2' '' '[GNUPG:] ERRSIG DE66AECA9151AFA1877EC31DE8525D47528144E2 1 11 00 1472744666 9 [GNUPG:] NO_PUBKEY DE66AECA9151AFA1877EC31DE8525D47528144E2' - testgpgv 'Expired key with long keyid' 'Worthless: EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>' '' '[GNUPG:] EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org> + testgpgv 'Expired key with long keyid' 'Worthless: EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org>, ' '' '[GNUPG:] EXPKEYSIG 4BC0A39C27CE74F9 Rex Expired <rex@example.org> [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' - testgpgv 'Expired key with fingerprint' 'Worthless: EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>' '' '[GNUPG:] EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org> + testgpgv 'Expired key with fingerprint' 'Worthless: EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org>, ' '' '[GNUPG:] EXPKEYSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 Rex Expired <rex@example.org> [GNUPG:] VALIDSIG 891CC50E605796A0C6E733F74BC0A39C27CE74F9 2016-09-01 1472742629 0 4 0 1 11 00 891CC50E605796A0C6E733F74BC0A39C27CE74F9' } diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 5f873b82c..810427620 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -465,7 +465,7 @@ successfulaptgetupdate() { if [ -n "$1" ]; then testsuccess grep "$1" rootdir/tmp/testwarning.output fi - testsuccess grep 'uses weak digest algorithm' rootdir/tmp/testwarning.output + testsuccess grep 'uses weak algorithm' rootdir/tmp/testwarning.output } runtest3 'Weak' |