diff options
| author | Julian Andres Klode <jak@debian.org> | 2024-12-07 16:44:18 +0100 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-12-22 23:51:22 +0100 |
| commit | da9a05e0b0b2150dbb67090e8b0c3922e46bd5cf (patch) | |
| tree | a777d725b72b0e2111b62ebed3412921d4ffe647 /apt-pkg/acquire-item.cc | |
| parent | b85dd910dcc68b710e1843e8b67935cc96c2a4c9 (diff) | |
methods: Add new sqv method
The new sqv method uses sequoia's sqv tool to verify files. The
tool's interface is quite simple: It returns 0 on success, and
prints one line per good signer with the fingerprint.
sqv has a configurable crypto policy. We have defined apt-specific
override mechanisms for sequoia's standard policy, allowing both
users, distributions, and apt package to provide overrides for
Sequoia's default policy in meaningful ways.
The sqv method will be built and be the standard method for
verifying OpenPGP signatures provided that `sqv` is in the
PATH during building. It is not built if there was no sqv
at build time, so you need a rebuild to enable sqv later
on.
On the flip side, the gpgv method is always built, but it
does need to be always built: If APT::Key::GPGVCommand is
set, we need to fallback to it - this is important to
support existing users of that interface such as
mmdebstrap. Also we want to fall back to it when /usr/bin/sqv
disappears - for example in our CI :D
A couple of concessions have been made for test suite purposes:
- Failure to split a clearsigned file only shows the summary,
as the gpgv method also only showed it, and no details why
it failed.
- We write "Got GOODSIG <fingerprint>" in debug mode to mimic
the gpgv code to keep the test suite happy.
- In various places in the test suite we assert minimal output
from sqv, but sqv's human output is not intended to be stable.
This will incur additional work when it breaks. However we do
not _parse_ the output, so actual operation of apt is unaffected.
A couple of things are suboptimal here:
- We are still doing clearsigned splitting ourselves. sqv only
has support for detached signatures right now, whereas sqopv
has support for clearsigned files as well (but sqopv does not
provide any reasons for why signature verification fails or
means to set a policy).
- Deprecation of algorithms happens on a timebomb basis in
sequoia. We have no means to give users warnings ahead of
time if their configuration is outdated.
We have implemented various bits that probably should be going away:
- Fallback to trusted.gpg
This is just annoying...
- Support for fingerprints in Signed-By (no subkey matching though)
The extra work here is arguably less compared to gpgv.
- Check the keyring for correctness.
With Signed-By everywhere, we should just error out rather than
skip broken keyrings.
Moo
Diffstat (limited to 'apt-pkg/acquire-item.cc')
| -rw-r--r-- | apt-pkg/acquire-item.cc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 12524778e..69644883b 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1423,7 +1423,15 @@ string pkgAcqMetaBase::Custom600Headers() const void pkgAcqMetaBase::QueueForSignatureVerify(pkgAcqTransactionItem * const I, std::string const &File, std::string const &Signature) { AuthPass = true; +#ifdef SQV_EXECUTABLE + if (not _config->Find("APT::Key::GPGVCommand").empty() || not FileExists(SQV_EXECUTABLE)) + I->Desc.URI = "gpgv:" + pkgAcquire::URIEncode(Signature); + else { + I->Desc.URI = "sqv:" + pkgAcquire::URIEncode(Signature); + } +#else I->Desc.URI = "gpgv:" + pkgAcquire::URIEncode(Signature); +#endif I->DestFile = File; QueueURI(I->Desc); I->SetActiveSubprocess("gpgv"); |
