authorJulian Andres Klode <julian.klode@canonical.com>2024-02-28 15:14:43 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2024-02-28 18:22:01 +0100
commit50e3fee26ae843a812b1c9ec8531946931773fd3 (patch)
tree73a1089d24a2c8bf8542ff8aee181cf159d2fa72 /cmdline
parent60d653634f889abe09c0f4d88f2559eab9202635 (diff)
Implement gpgv --assert-pubkey-algo=>=rsa2048,ed25519,ed448
The assertion can be overridden using apt::key::assert-pubkey-algo, the default is the most opinionated one. This will inform the user during apt-cdrom add as we do not pass --quiet to user, so adjust test case. Add a simple test case for it to test-method-gpgv. LP: #2055193
Diffstat (limited to 'cmdline')
-rw-r--r--cmdline/apt-key.in21
1 files changed, 18 insertions, 3 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 4f3e9c8e1..07522723b 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -800,7 +800,8 @@ case "$command" in
;;
verify)
GPGV=''
- eval $(apt-config shell GPGV Apt::Key::gpgvcommand)
+ ASSERT_PUBKEY_ALGO=''
+ eval $(apt-config shell GPGV Apt::Key::gpgvcommand ASSERT_PUBKEY_ALGO Apt::Key::assert-pubkey-algo)
if [ -n "$GPGV" ] && command_available "$GPGV"; then true;
elif command_available 'gpgv'; then GPGV='gpgv';
elif command_available 'gpgv2'; then GPGV='gpgv2';
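Review bot: The extended `eval $(apt-config shell …)` leaves the command substitution unquoted, so the assignments apt-config prints are word-split and glob-expanded before `eval` re-parses them. Now that a free-form algorithm list passes through this line, `eval "$(apt-config shell GPGV Apt::Key::gpgvcommand ASSERT_PUBKEY_ALGO Apt::Key::assert-pubkey-algo)"` would hand the output to `eval` unchanged. This assumes apt-config shell emits properly quoted assignments, which is not visible in this diff. The `verify)` arm continues past the end of the hunk.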
@@ -809,6 +810,20 @@ case "$command" in
apt_error 'gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed'
exit 29
fi
+ GPGV_ARGS=""
+ if [ "$ASSERT_PUBKEY_ALGO" ]; then
+ test="$(LC_ALL=C.UTF-8 "$GPGV" --assert-pubkey-algo 2>&1 || :)"
+ case "$test" in
+ *"missing argument"*)
+ GPGV_ARGS="--assert-pubkey-algo=$ASSERT_PUBKEY_ALGO"
+ ;;
+ *[Ii]"nvalid option"*"assert-pubkey-algo"*)
+ ;;
+ *)
+ apt_warn "Unknown response from gpgv to --assert-pubkey-algo check: $test"
+ ;;
+ esac
+ fi
# for a forced keyid we need gpg --export, so full wrapping required
if [ -n "$FORCED_KEYID" ]; then
prepare_gpg_home
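Review bot: When gpgv rejects the option (the `*[Ii]"nvalid option"*` arm), the configured Apt::Key::assert-pubkey-algo is dropped without any message, and the `*)` arm warns but still verifies without it, so the policy fails open on a gpgv that lacks the option. If that is the intended compatibility behaviour, the empty arm should say so, e.g. `# gpgv does not know --assert-pubkey-algo: verify without the algorithm assertion`; otherwise an `apt_warn` there would make the downgrade visible. The probe also matches gpgv's English message text, which the `LC_ALL=C.UTF-8` prefix appears to pin; a one-line comment stating that dependency would help the next maintainer. The `verify)` arm starts and ends outside this hunk.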
@@ -817,9 +832,9 @@ case "$command" in
fi
setup_merged_keyring
if [ -n "$FORCED_KEYRING" ]; then
- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
+ "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
else
- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
+ "$GPGV" $GPGV_ARGS --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
fi
;;
help)
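Review bot: `$GPGV_ARGS` is expanded unquoted on both gpgv invocations, so a configured value containing whitespace or glob characters is split or expanded into extra gpgv arguments rather than staying inside the single `--assert-pubkey-algo=` option. `${GPGV_ARGS:+"$GPGV_ARGS"}` still expands to nothing when the variable is empty and passes a set value as exactly one word. The surrounding `verify)` arm begins outside this hunk.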