diff options
| author | Julian Andres Klode <jak@debian.org> | 2024-07-30 04:18:02 +0000 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2024-07-30 04:18:02 +0000 |
| commit | d0e8f39437afdd557a8712047e1fc494fde9209e (patch) | |
| tree | 990fb521980b0fc7a005cadb0f2384b1dab4c52b /apt-pkg | |
| parent | 847c60af9eaa4b1dc3c6c3afa94bf494b721a1b7 (diff) | |
| parent | 47deb766c0a11c54d122197531279677545459af (diff) | |
Merge branch 'deprecate-pubkey-algos' into 'main'
Only revoke weak RSA keys now, add 'next' and 'future' levels
See merge request apt-team/apt!365
Diffstat (limited to 'apt-pkg')
| -rw-r--r-- | apt-pkg/acquire-worker.cc | 5 | ||||
| -rw-r--r-- | apt-pkg/contrib/gpgv.cc | 32 | ||||
| -rw-r--r-- | apt-pkg/contrib/gpgv.h | 1 | ||||
| -rw-r--r-- | apt-pkg/init.cc | 4 |
4 files changed, 41 insertions, 1 deletions
diff --git a/apt-pkg/acquire-worker.cc b/apt-pkg/acquire-worker.cc index 4f247cf84..696a3e0b8 100644 --- a/apt-pkg/acquire-worker.cc +++ b/apt-pkg/acquire-worker.cc @@ -200,6 +200,7 @@ enum class APT_HIDDEN MessageType STATUS = 102, REDIRECT = 103, WARNING = 104, + AUDIT = 105, URI_START = 200, URI_DONE = 201, AUX_REQUEST = 351, @@ -388,6 +389,10 @@ bool pkgAcquire::Worker::RunMessages() _error->Warning("%s: %s", Itm ? Itm->Owner ? Itm->Owner->DescURI().c_str() : Access.c_str() : Access.c_str(), LookupTag(Message, "Message").c_str()); break; + case MessageType::AUDIT: + _error->Audit("%s: %s", Itm ? Itm->Owner ? Itm->Owner->DescURI().c_str() : Access.c_str() : Access.c_str(), LookupTag(Message, "Message").c_str()); + break; + case MessageType::URI_START: { if (Itm == nullptr) diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc index 2fa5b0c30..225acae88 100644 --- a/apt-pkg/contrib/gpgv.cc +++ b/apt-pkg/contrib/gpgv.cc @@ -566,3 +566,35 @@ bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &Me return not MessageFile.Failed(); } /*}}}*/ +bool IsAssertedPubKeyAlgo(std::string const &pkstr, std::string const &option) /*{{{*/ +{ + auto fullAss = APT::String::Startswith(option, "APT::Key") ? _config->Find(option) : option; + for (auto &ass : VectorizeString(fullAss, ',')) + { + if (ass == pkstr) + return true; + // We only implement >= for rsa + if (APT::String::Startswith(ass, ">=rsa")) + { + if (not APT::String::Startswith(pkstr, "rsa")) + continue; + if (not std::all_of(ass.begin() + 5, ass.end(), isdigit)) + return _error->Error("Unrecognized public key specification '%s' in option %s: expect only digits after >=rsa", ass.c_str(), option.c_str()); + + int assBits = std::stoi(ass.substr(5)); + int pkBits = std::stoi(pkstr.substr(3)); + + if (pkBits >= assBits) + return true; + + continue; + } + if (ass.empty()) + return _error->Error("Empty item in public key assertion string option %s", option.c_str()); + if (not std::all_of(ass.begin(), ass.end(), [](char c) + { return isalpha(c) || isdigit(c); })) + return _error->Error("Unrecognized public key specification '%s' in option %s", ass.c_str(), option.c_str()); + } + return false; +} + /*}}}*/ diff --git a/apt-pkg/contrib/gpgv.h b/apt-pkg/contrib/gpgv.h index 1cabed4e6..1f3ef26f9 100644 --- a/apt-pkg/contrib/gpgv.h +++ b/apt-pkg/contrib/gpgv.h @@ -86,4 +86,5 @@ APT_PUBLIC bool SplitClearSignedFile(std::string const &InFile, FileFd * const C */ APT_PUBLIC bool OpenMaybeClearSignedFile(std::string const &ClearSignedFileName, FileFd &MessageFile); +APT_PUBLIC bool IsAssertedPubKeyAlgo(std::string const &pkstr, std::string const &option); #endif diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index 487f94f20..d71d9541f 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -131,7 +131,9 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.Set("APT::Build-Essential::", "build-essential"); Cnf.CndSet("APT::Install-Recommends", true); Cnf.CndSet("APT::Install-Suggests", false); - Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future", ">=rsa3072,ed25519,ed448"); Cnf.CndSet("Dir","/"); // State |
