| author | Julian Andres Klode <julian.klode@canonical.com> | 2024-02-28 15:14:43 +0100 |
|---|---|---|
| committer | Julian Andres Klode <julian.klode@canonical.com> | 2024-02-28 18:22:01 +0100 |
| commit | 50e3fee26ae843a812b1c9ec8531946931773fd3 (patch) | |
| tree | 73a1089d24a2c8bf8542ff8aee181cf159d2fa72 /methods | |
| parent | 60d653634f889abe09c0f4d88f2559eab9202635 (diff) | |
Implement gpgv --assert-pubkey-algo=>=rsa2048,ed25519,ed448
The assertion can be overridden using apt::key::assert-pubkey-algo,
the default is the most opinionated one.
This will inform the user during apt-cdrom add as we do not
pass --quiet to user, so adjust test case.
Add a simple test case for it to test-method-gpgv.
LP: #2055193
Diffstat (limited to 'methods')
| -rw-r--r-- | methods/gpgv.cc | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index b2e73c9fe..8b365b6d4 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -42,6 +42,7 @@ using std::vector;
 #define GNUPGNODATA "[GNUPG:] NODATA"
 #define GNUPGWARNING "[GNUPG:] WARNING"
 #define GNUPGERROR "[GNUPG:] ERROR"
+#define GNUPGASSERT_PUBKEY_ALGO "[GNUPG:] ASSERT_PUBKEY_ALGO"
 #define APTKEYWARNING "[APTKEY:] WARNING"
 #define APTKEYERROR "[APTKEY:] ERROR"
@@ -242,6 +243,25 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 PushEntryWithUID(Signers.Worthless, buffer, Debug);
 else if (strncmp(buffer, GNUPGREVKEYSIG, sizeof(GNUPGREVKEYSIG)-1) == 0)
 PushEntryWithUID(Signers.Worthless, buffer, Debug);
+ else if (strncmp(buffer, GNUPGASSERT_PUBKEY_ALGO, sizeof(GNUPGASSERT_PUBKEY_ALGO) - 1) == 0)
+ {
+ std::istringstream iss(buffer + sizeof(GNUPGASSERT_PUBKEY_ALGO));
+ vector<string> tokens{std::istream_iterator<string>{iss},
+ std::istream_iterator<string>{}};
+
+ auto const fpr = tokens[0];
+ auto const asserted = atoi(tokens[1].c_str());
+ auto const pkstr = tokens[2];
+ if (not asserted)
+ {
+ std::string reason;
+ strprintf(reason, _("untrusted public key algorithm: %s"), pkstr.c_str());
+ Signers.Worthless.push_back({fpr, reason});
+ Signers.Good.erase(std::remove_if(Signers.Good.begin(), Signers.Good.end(), [&](std::string const &goodsig)
+ { return IsTheSameKey(fpr, goodsig); }),
+ Signers.Good.end());
+ }
+ }
 else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0)
 PushEntryWithKeyID(Signers.Good, buffer, Debug);
 else if (strncmp(buffer, GNUPGVALIDSIG, sizeof(GNUPGVALIDSIG)-1) == 0) |
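Review bot: In the new ASSERT_PUBKEY_ALGO branch of the second hunk, `tokens[0]`, `tokens[1]` and `tokens[2]` are read without checking that the status line actually yielded three fields, so a truncated or malformed line from gpgv is undefined behaviour in the code that decides signature trust. A guard such as `if (tokens.size() < 3)` ahead of the three reads, handling the line as a failed assertion (fail closed), would make this robust; `buffer + sizeof(GNUPGASSERT_PUBKEY_ALGO)` likewise steps one byte past the prefix and presumes a separator follows it. The `Signers.Good.erase(...)` call can only remove entries already recorded, so it appears to rely on the GOODSIG line for that key arriving before this status line; a comment stating that ordering assumption, or a check of it against gpgv's output, would help. VerifyGetSigners starts and ends outside the hunk, so how it reports malformed status lines is not visible here.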
