diff options
| author | Julian Andres Klode <julian.klode@canonical.com> | 2024-07-15 19:13:58 +0200 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-07-15 19:17:55 +0200 |
| commit | 47deb766c0a11c54d122197531279677545459af (patch) | |
| tree | 8c4209613689b1faa69c0f61f4eb6e5801522935 /methods | |
| parent | 29dd6c45bc2579d012ac78ba3100a2485c78ff1d (diff) | |
Only revoke weak RSA keys for now, add 'next' and 'future' levels
Algorithms not in the next level give a warning, algorithms
in not in the future level introduce an audit message for
the --audit flag.
next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512
future: >=rsa3072,ed25519,ed448
LP: #2073126
Diffstat (limited to 'methods')
| -rw-r--r-- | methods/gpgv.cc | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc index fc37b83dc..4a0866555 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -262,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, { return IsTheSameKey(fpr, goodsig); }), Signers.Good.end()); } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next")) + { + std::string reason; + Signers.SoonWorthless.push_back({fpr, pkstr}); + } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future")) + { + std::string reason; + strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str()); + Signers.LaterWorthless.push_back({fpr, reason}); + } } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); |
