diff options
| author | Julian Andres Klode <jak@debian.org> | 2024-07-30 04:18:02 +0000 |
|---|---|---|
| committer | Julian Andres Klode <jak@debian.org> | 2024-07-30 04:18:02 +0000 |
| commit | d0e8f39437afdd557a8712047e1fc494fde9209e (patch) | |
| tree | 990fb521980b0fc7a005cadb0f2384b1dab4c52b /methods | |
| parent | 847c60af9eaa4b1dc3c6c3afa94bf494b721a1b7 (diff) | |
| parent | 47deb766c0a11c54d122197531279677545459af (diff) | |
Merge branch 'deprecate-pubkey-algos' into 'main'
Only revoke weak RSA keys now, add 'next' and 'future' levels
See merge request apt-team/apt!365
Diffstat (limited to 'methods')
| -rw-r--r-- | methods/aptmethod.h | 12 | ||||
| -rw-r--r-- | methods/gpgv.cc | 21 |
2 files changed, 31 insertions, 2 deletions
diff --git a/methods/aptmethod.h b/methods/aptmethod.h index 26b8c0b55..1c24f3a98 100644 --- a/methods/aptmethod.h +++ b/methods/aptmethod.h @@ -448,7 +448,7 @@ protected: return true; } - void Warning(std::string &&msg) + void Message(std::string &&msg, std::string code) { std::unordered_map<std::string, std::string> fields; if (Queue != 0) @@ -458,7 +458,15 @@ protected: if (not UsedMirror.empty()) fields.emplace("UsedMirror", UsedMirror); fields.emplace("Message", std::move(msg)); - SendMessage("104 Warning", std::move(fields)); + SendMessage(code, std::move(fields)); + } + void Warning(std::string &&msg) + { + return Message(std::move(msg), "104 Warning"); + } + void Audit(std::string &&msg) + { + return Message(std::move(msg), "105 Audit"); } bool TransferModificationTimes(char const * const From, char const * const To, time_t &LastModified) APT_NONNULL(2, 3) diff --git a/methods/gpgv.cc b/methods/gpgv.cc index 20ef2861d..4a0866555 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -112,6 +112,7 @@ struct APT_HIDDEN SignersStorage { std::vector<Signer> Worthless; // a worthless signature is a expired or revoked one std::vector<Signer> SoonWorthless; + std::vector<Signer> LaterWorthless; std::vector<std::string> NoPubKey; std::vector<std::string> Valid; std::vector<std::string> SignedBy; @@ -261,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, { return IsTheSameKey(fpr, goodsig); }), Signers.Good.end()); } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next")) + { + std::string reason; + Signers.SoonWorthless.push_back({fpr, pkstr}); + } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future")) + { + std::string reason; + strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str()); + Signers.LaterWorthless.push_back({fpr, reason}); + } } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); @@ -420,6 +432,8 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, std::for_each(Signers.Worthless.begin(), Signers.Worthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); std::cerr << "\n SoonWorthless: "; std::for_each(Signers.SoonWorthless.begin(), Signers.SoonWorthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); + std::cerr << "\n LaterWorthless: "; + std::for_each(Signers.LaterWorthless.begin(), Signers.LaterWorthless.end(), [](Signer const &sig) { std::cerr << sig.key << ", "; }); std::cerr << "\n NoPubKey: "; implodeVector(Signers.NoPubKey, std::cerr, ", "); std::cerr << "\n Signed-By: "; @@ -565,6 +579,13 @@ bool GPGVMethod::URIAcquire(std::string const &Message, FetchItem *Itm) strprintf(msg, _("Signature by key %s uses weak algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); Warning(std::move(msg)); } + for (auto const &Signer : Signers.LaterWorthless) + { + std::string msg; + // TRANSLATORS: The second %s is the reason and is untranslated for repository owners. + strprintf(msg, _("Signature by key %s uses weak algorithm (%s)"), Signer.key.c_str(), Signer.note.c_str()); + Audit(std::move(msg)); + } } if (Signers.Good.empty() || !Signers.Bad.empty() || !Signers.NoPubKey.empty()) |
