path: root/methods/gpgv.cc
authorJulian Andres Klode <jak@debian.org>2022-03-07 13:00:07 +0000
committerJulian Andres Klode <jak@debian.org>2022-03-07 13:00:07 +0000
commit3e57dc07fac417ff7007745510f0b35715045f70 (patch)
tree5606cbe824edbdb6dec96332bd4f60daa122e060 /methods/gpgv.cc
parentd9ceab20a05e0d02ecd1038161965a7eaf8e4c06 (diff)
parent55452afa1e8eb3b252f76e455b49df5883e0b811 (diff)
Merge branch 'pu/regression-2.4.0' into 'main'
gpgv: Fix legacy fallback on unavailable keys See merge request apt-team/apt!228
Diffstat (limited to 'methods/gpgv.cc')
-rw-r--r--methods/gpgv.cc14
1 files changed, 10 insertions, 4 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index fdd8586b4..b8d348484 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -429,7 +429,14 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
string const msg = VerifyGetSigners(file, outfile, keyFpts, keyFiles, Signers);
if (_error->PendingError())
return msg;
- if (keyFiles.empty() && (Signers.Good.empty() || !Signers.Bad.empty() || !Signers.NoPubKey.empty()))
+
+ // Bad signature always remains bad, no need to retry against trusted.gpg
+ if (!Signers.Bad.empty())
+ return msg;
+
+ // We do not have a key file pinned, did not find a good signature, but found
+ // missing keys - let's retry with trusted.gpg
+ if (keyFiles.empty() && Signers.Valid.empty() && !Signers.NoPubKey.empty())
{
std::vector<std::string> legacyKeyFiles{_config->FindFile("Dir::Etc::trusted")};
if (legacyKeyFiles[0].empty())
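Review bot: The comment above the retry condition says "did not find a good signature", but the condition tests `Signers.Valid.empty()`, whereas the removed line tested `Signers.Good.empty()`; if `Valid` is wider than `Good` (e.g. it also holds signatures that verified but were rated worthless), the new code skips the trusted.gpg retry in cases the old code retried, and the comment should state that this is intended. Suggest `// We do not have a key file pinned, found no valid signature at all, but found` / `// missing keys - let's retry with trusted.gpg`, with "valid" defined against SignersStorage rather than left as "good". The same good-versus-Valid wording mismatch appears in the second hunk's comment "something verified as good or bad" above the `legacySigners.Valid` check. VerifyGetSignersWithLegacy starts before this hunk and its body continues past it.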
@@ -437,14 +444,13 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
if (DebugEnabled())
std::clog << "Retrying against " << legacyKeyFiles[0] << "\n";
- // Retry against trusted.gpg
SignersStorage legacySigners;
string const legacyMsg = VerifyGetSigners(file, outfile, keyFpts, legacyKeyFiles, legacySigners);
if (_error->PendingError())
return legacyMsg;
- // Hooray, we found the key now
- if (not(legacySigners.Good.empty() || !legacySigners.Bad.empty() || !legacySigners.NoPubKey.empty()))
+ // Hooray, we found a key apparently, something verified as good or bad
+ if (!legacySigners.Valid.empty() || !legacySigners.Bad.empty())
{
std::string warning;
strprintf(warning,