summaryrefslogtreecommitdiff
path: root/apt-pkg
diff options
context:
space:
mode:
authorJulian Andres Klode <jak@debian.org>2024-07-30 04:18:02 +0000
committerJulian Andres Klode <jak@debian.org>2024-07-30 04:18:02 +0000
commitd0e8f39437afdd557a8712047e1fc494fde9209e (patch)
tree990fb521980b0fc7a005cadb0f2384b1dab4c52b /apt-pkg
parent847c60af9eaa4b1dc3c6c3afa94bf494b721a1b7 (diff)
parent47deb766c0a11c54d122197531279677545459af (diff)
Merge branch 'deprecate-pubkey-algos' into 'main'
Only revoke weak RSA keys now, add 'next' and 'future' levels See merge request apt-team/apt!365
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/acquire-worker.cc5
-rw-r--r--apt-pkg/contrib/gpgv.cc32
-rw-r--r--apt-pkg/contrib/gpgv.h1
-rw-r--r--apt-pkg/init.cc4
4 files changed, 41 insertions, 1 deletions
diff --git a/apt-pkg/acquire-worker.cc b/apt-pkg/acquire-worker.cc
index 4f247cf84..696a3e0b8 100644
--- a/apt-pkg/acquire-worker.cc
+++ b/apt-pkg/acquire-worker.cc
@@ -200,6 +200,7 @@ enum class APT_HIDDEN MessageType
STATUS = 102,
REDIRECT = 103,
WARNING = 104,
+ AUDIT = 105,
URI_START = 200,
URI_DONE = 201,
AUX_REQUEST = 351,
@@ -388,6 +389,10 @@ bool pkgAcquire::Worker::RunMessages()
_error->Warning("%s: %s", Itm ? Itm->Owner ? Itm->Owner->DescURI().c_str() : Access.c_str() : Access.c_str(), LookupTag(Message, "Message").c_str());
break;
+ case MessageType::AUDIT:
+ _error->Audit("%s: %s", Itm ? Itm->Owner ? Itm->Owner->DescURI().c_str() : Access.c_str() : Access.c_str(), LookupTag(Message, "Message").c_str());
+ break;
+
case MessageType::URI_START:
{
if (Itm == nullptr)
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index 2fa5b0c30..225acae88 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -566,3 +566,35 @@ bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &Me
return not MessageFile.Failed();
}
/*}}}*/
+bool IsAssertedPubKeyAlgo(std::string const &pkstr, std::string const &option) /*{{{*/
+{
+ auto fullAss = APT::String::Startswith(option, "APT::Key") ? _config->Find(option) : option;
+ for (auto &ass : VectorizeString(fullAss, ','))
+ {
+ if (ass == pkstr)
+ return true;
+ // We only implement >= for rsa
+ if (APT::String::Startswith(ass, ">=rsa"))
+ {
+ if (not APT::String::Startswith(pkstr, "rsa"))
+ continue;
+ if (not std::all_of(ass.begin() + 5, ass.end(), isdigit))
+ return _error->Error("Unrecognized public key specification '%s' in option %s: expect only digits after >=rsa", ass.c_str(), option.c_str());
+
+ int assBits = std::stoi(ass.substr(5));
+ int pkBits = std::stoi(pkstr.substr(3));
+
+ if (pkBits >= assBits)
+ return true;
+
+ continue;
+ }
+ if (ass.empty())
+ return _error->Error("Empty item in public key assertion string option %s", option.c_str());
+ if (not std::all_of(ass.begin(), ass.end(), [](char c)
+ { return isalpha(c) || isdigit(c); }))
+ return _error->Error("Unrecognized public key specification '%s' in option %s", ass.c_str(), option.c_str());
+ }
+ return false;
+}
+ /*}}}*/
diff --git a/apt-pkg/contrib/gpgv.h b/apt-pkg/contrib/gpgv.h
index 1cabed4e6..1f3ef26f9 100644
--- a/apt-pkg/contrib/gpgv.h
+++ b/apt-pkg/contrib/gpgv.h
@@ -86,4 +86,5 @@ APT_PUBLIC bool SplitClearSignedFile(std::string const &InFile, FileFd * const C
*/
APT_PUBLIC bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &MessageFile);
+APT_PUBLIC bool IsAssertedPubKeyAlgo(std::string const &pkstr, std::string const &option);
#endif
diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index 487f94f20..d71d9541f 100644
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -131,7 +131,9 @@ bool pkgInitConfig(Configuration &Cnf)
Cnf.Set("APT::Build-Essential::", "build-essential");
Cnf.CndSet("APT::Install-Recommends", true);
Cnf.CndSet("APT::Install-Suggests", false);
- Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512");
+ Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future", ">=rsa3072,ed25519,ed448");
Cnf.CndSet("Dir","/");
// State