summaryrefslogtreecommitdiff
path: root/methods/gpgv.cc
Commit message (Collapse)AuthorAgeFilesLines
* support multiple fingerprints in signed-byDavid Kalnischkies2016-05-011-13/+17
| | | | | A keyring file can include multiple keys, so its only fair for transitions and such to support multiple fingerprints as well.
* gpgv: cleanup statusfd parsing a bitDavid Kalnischkies2016-05-011-57/+45
| | | | | | | | | | | We parse the messages we receive into two big categories: Most of the messages have a keyid as well as a userid and as they are errors we want to show the userids as well. The other category is also errors, but have no userid (like NO_PUBKEY). Explicitly expressing this in code should make it a bit easier to look at and it also help in dropping additional fields or just the newline at the end consistently. Git-Dch: Ignore
* don't show NO_PUBKEY warning if repo is signed by another keyDavid Kalnischkies2016-05-011-4/+4
| | | | | | | | | | | | | | | Daniel Kahn Gillmor highlights in the bugreport that security isn't improving by having the user import additional keys – especially as importing keys securely is hard. The bugreport was initially about dropping the warning to a notice, but in given the previously mentioned observation and the fact that we weren't printing a warning (or a notice) for expired or revoked keys providing a signature we drop it completely as the code to display a message if this was the only key is in another path – and is considered critical. Closes: 618445
* gpgv: handle expired sig as worthlessDavid Kalnischkies2016-05-011-0/+7
| | | | | | | Signatures on data can have an expiration date, too, which we hadn't handled previously explicitly (no problem – gpg still has a non-zero exit code so apt notices the invalid signature) so the error message wasn't as helpful as it could be (aka mentioning the key signing it).
* gpgv: use EXPKEYSIG instead of KEYEXPIREDDavid Kalnischkies2016-05-011-3/+3
| | | | | | The upstream documentation says about KEYEXPIRED: "This status line is not very useful". Indeed, it doesn't mention which key is expired, and suggests to use the other message which does.
* Allow lowering trust level of a hash via configJulian Andres Klode2016-03-281-12/+12
| | | | | | Introduces APT::Hashes::<NAME> with entries Untrusted and Weak which can be set to true to cause the hash to be treated as untrusted and/or weak.
* handle gpgv's weak-digests ERRSIGDavid Kalnischkies2016-03-221-7/+50
| | | | | | | | | | | Our own gpgv method can declare a digest algorithm as untrusted and handles these as worthless signatures. If gpgv comes with inbuilt untrusted (which is called weak in official terminology) which it e.g. does for MD5 in recent versions we should handle it in the same way. To check this we use the most uncommon still fully trusted hash as a configureable one via a hidden config option to toggle through all of the three states a hash can be in.
* properly check for "all good sigs are weak"David Kalnischkies2016-03-211-9/+14
| | | | | | | | | | Using erase(pos) is invalid in our case here as pos must be a valid and derefenceable iterator, which isn't the case for an end-iterator (like if we had no good signature). The problem runs deeper still through as VALIDSIG is a keyid while GOODSIG is just a longid so comparing them will always fail. Closes: 818910
* Make the weak signature message less ambigiousJulian Andres Klode2016-03-161-1/+1
| | | | | | | | There was a complaint that, in the previous message, the key fingerprint could be mistaken for a SHA1 digest due to the (SHA1) after it. Gbp-Dch: ignore
* methods/gpgv: Rewrite error handling and messageJulian Andres Klode2016-03-161-19/+50
| | | | | | | This should be easy to extend in the future and allow us to simplify the error handling cases somewhat. Thanks: Ron Lee for wording suggestions
* methods/gpgv: Warn about SHA1 (and RIPEMD-160)Julian Andres Klode2016-03-151-3/+29
| | | | | | | We will drop support for those in the future. Also adjust the std::array to be a std::vector, as that's easier to maintain.
* methods/gpgv: Correctly handle weak signatures with multiple keysJulian Andres Klode2016-03-151-1/+6
| | | | | | | | | | | | We added weak signatures to BadSigners, meaning that a Release file signed by both a weak signature and a strong signature would be rejected; preventing people from migrating from DSA to RSA keys in a sane way. Instead of using BadSigners, treat weak signatures like expired keys: They are no good signatures, and they are worthless. Gbp-Dch: ignore
* methods/gpgv: Reject weak digest algorithmsJulian Andres Klode2016-03-141-0/+16
| | | | | This keeps a list of weak digest algorithms. For now, only MD5 is disabled, as SHA1 breaks to many repos.
* Revert "Handle ERRSIG in the gpgv method like BADSIG"Julian Andres Klode2016-03-141-7/+0
| | | | | | | | This reverts commit 76a71a1237d22c1990efbc19ce0e02aacf572576. That commit broke the test suite. Gbp-Dch: ignore
* Handle ERRSIG in the gpgv method like BADSIGJulian Andres Klode2016-03-141-0/+7
| | | | | | | | | | | | ERRSIG is created whenever a key uses an unknown/weak digest algorithm, for example. This allows us to report a more useful error than just "unknown apt-key error.": The following signatures were invalid: ERRSIG 13B00F1FD2C19886 1 2 01 1457609403 5 While still not being the best reportable error message, it's better than unknown apt-key error and hopefully redirects users to complain to their repository owners.
* allow acquire method specific options via Binary scopeDavid Kalnischkies2015-11-051-13/+3
| | | | | | | | Allows users who know what they are getting themselves into with this trick to e.g. disable privilege dropping for e.g. file:// until they can fix up the permissions on those repositories. It helps also the test framework and people with a similar setup (= me) to run in less modified environments.
* add c++11 override marker to overridden methodsDavid Kalnischkies2015-08-101-2/+2
| | | | | | | | | C++11 adds the 'override' specifier to mark that a method is overriding a base class method and error out if not. We hide it in the APT_OVERRIDE macro to ensure that we keep compiling in pre-c++11 standards. Reported-By: clang-modernize -add-override -override-macros Git-Dch: Ignore
* implement Signed-By without using gpg for verificationDavid Kalnischkies2015-08-101-9/+60
| | | | | | | | | | The previous commit returns to the possibility of using just gpgv for verification proposes. There is one problem through: We can't enforce a specific keyid without using gpg, but our acquire method can as it parses gpgv output anyway, so it can deal with good signatures from not expected signatures and treats them as unknown keys instead. Git-Dch: Ignore
* implement Signed-By option for sources.listDavid Kalnischkies2015-08-101-8/+10
| | | | | | | | | | Limits which key(s) can be used to sign a repository. Not immensely useful from a security perspective all by itself, but if the user has additional measures in place to confine a repository (like pinning) an attacker who gets the key for such a repository is limited to its potential and can't use the key to sign its attacks for an other (maybe less limited) repository… (yes, this is as weak as it sounds, but having the capability might come in handy for implementing other stuff later).
* use getline() instead of rolling our ownDavid Kalnischkies2014-11-091-26/+5
| | | | | | | | We use it in other places already as well even though it is farly new addition to the POSIX family with 2008, but rolling our own here is really something which should be avoided in such a important method. Git-Dch: Ignore
* Fix backward compatiblity of the new pkgAcquireMethod::DropPrivsOrDie()Michael Vogt2014-10-131-3/+11
| | | | | | | | Do not drop privileges in the methods when using a older version of libapt that does not support the chown magic in partial/ yet. To do this DropPrivileges() now will ignore a empty Apt::Sandbox::User. Cleanup all hardcoded _apt along the way.
* Merge remote-tracking branch 'upstream/debian/experimental' into ↵Michael Vogt2014-09-291-5/+5
|\ | | | | | | | | | | | | | | | | feature/acq-trans Conflicts: apt-pkg/acquire-item.cc apt-pkg/acquire-item.h methods/gpgv.cc
| * correct the error messages to refer to apt-key instead of gpgvDavid Kalnischkies2014-09-271-6/+6
| | | | | | | | Git-Dch: Ignore
* | Merge remote-tracking branch 'upstream/debian/experimental' into ↵Michael Vogt2014-09-251-1/+4
|\| | | | | | | feature/acq-trans
| * methods: Fail if we cannot drop privilegesJulian Andres Klode2014-09-241-2/+2
| |
| * Drop Privileges to "Debian-apt" in most acquire methodsMichael Vogt2014-09-241-0/+3
| | | | | | | | | | | | | | | | | | Add a new "Debian-apt" user that owns the /var/lib/apt/lists and /var/cache/apt/archive directories. The methods http, https, ftp, gpgv, gzip switch to this user when they start. Thanks to Julian and "ioerror" and tors "switch_id()" code.
* | Download Release first, then Release.gpgMichael Vogt2014-07-211-1/+1
|/ | | | | | | The old way of handling this was that pkgAcqMetaIndex was responsible to check/move both Release and Release.gpg in place. This breaks the assumption of the transaction that each pkgAcquire::Item has a single File that its responsible for.
* cleanup headers and especially #includes everywhereDavid Kalnischkies2014-03-131-7/+9
| | | | | | | | Beside being a bit cleaner it hopefully also resolves oddball problems I have with high levels of parallel jobs. Git-Dch: Ignore Reported-By: iwyu (include-what-you-use)
* fix various style/performance warnings in rredDavid Kalnischkies2014-01-301-1/+0
| | | | | Reported-By: cppcheck Git-Dch: Ignore
* add missing "free(buffer) for allocated bufferMichael Vogt2013-07-251-0/+1
|
* trigger NODATA error for invalid InRelease filesDavid Kalnischkies2013-06-201-9/+7
| | | | | | | | | | | | | | | | | With the selfgrown splitting we got the problem of not recovering from networks which just reply with invalid data like those sending us login pages to authenticate with the network (e.g. hotels) back. The good thing about the InRelease file is that we know that it must be clearsigned (a Release file might or might not have a detached sig) so if we get a file but are unable to split it something is seriously wrong, so there is not much point in trying further. The Acquire system already looks out for a NODATA error from gpgv, so this adds a new error message sent to the acquire system in case the splitting we do now ourselves failed including this magic word. Closes: #712486
* * apt-pkg/contrib/gpgv.cc:David Kalnischkies2013-03-151-13/+1
| | | | - ExecGPGV is a method which should never return, so mark it as such and fix the inconsistency of returning in error cases
* * apt-pkg/indexcopy.cc:David Kalnischkies2013-03-151-1/+2
| | | - rename RunGPGV to ExecGPGV and move it to apt-pkg/contrib/gpgv.cc
* fix a few esoteric cppcheck errors/warnings/infosDavid Kalnischkies2012-01-201-2/+10
|
* use forward declaration in headers if possible instead of includesDavid Kalnischkies2011-09-191-0/+1
|
* do not pollute namespace in the headers with using (Closes: #500198)David Kalnischkies2011-09-191-0/+3
|
* merge with debian/experimentalDavid Kalnischkies2011-09-131-3/+3
|\
| * cppcheck complains about some possible speed improvements which could beDavid Kalnischkies2011-08-111-3/+3
| | | | | | | | | | | | done on the mirco-optimazation level, so lets fix them: (performance) Possible inefficient checking for emptiness. (performance) Prefer prefix ++/-- operators for non-primitive types.
* | reorder includes: add <config.h> if needed and include it at firstDavid Kalnischkies2011-09-131-2/+4
|/
* fix from David Kalnischkies for the InRelease gpg verification Michael Vogt2011-07-131-5/+8
| | | code (LP: #784473)
* * apt-pkg/init.cc:David Kalnischkies2010-08-191-1/+1
| | | - set the default values for dir::etc::trusted options correctly
* enhance the split out of the gpgv commandline mangling by splitting outDavid Kalnischkies2010-06-091-41/+10
| | | | the call completely
* * apt-pkg/indexcopy.cc:David Kalnischkies2010-06-091-41/+6
| | | - move the gpg codecopy to a new method and use it also in methods/gpgv.cc
* * methods/gpgv.cc:David Kalnischkies2010-05-121-25/+17
| | | - remove the keyrings count limit by using vector magic
* * French manpage translation updateMichael Vogt2010-01-081-44/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | * spot & fix various typos in all manpages * German manpage translation update * cmdline/apt-cache.cc: - remove translatable marker from the "%4i %s\n" string * buildlib/po4a_manpage.mak: - instruct debiandoc to build files with utf-8 encoding * buildlib/tools.m4: - fix some warning from the buildtools * apt-pkg/acquire-item.cc: - add configuration PDiffs::Limit-options to not download too many or too big patches (Closes: #554349) * debian/control: - let all packages depend on ${misc:Depends} * share/*-archive.gpg: - remove the horrible outdated files. We already depend on the keyring so we don't need to ship our own version * cmdline/apt-key: - errors out if wget is not installed (Closes: #545754) - add --keyring option as we have now possibly many * methods/gpgv.cc: - pass all keyrings (TrustedParts) to gpgv instead of using only one trusted.gpg keyring (Closes: #304846) * methods/https.cc: - finally merge the rest of the patchset from Arnaud Ebalard with the CRL and Issuers options, thanks! (Closes: #485963)
* * methods/gpgv.cc:Michael Vogt2009-04-081-6/+34
| | | - properly check for expired and revoked keys (closes: #433091)
* * methods/gpgv.cc:Michael Vogt2008-12-091-1/+1
| | | | | | | | - fix compiler warning * cmdline/apt-get.cc: - fix "apt-get source pkg=ver" if binary name != source name and show a message (LP: #202219) * apt-pkg/deb/debsystem.cc: - make strings i18n able
* * Applied patch from Robert Millan <rmh@aybabtu.com> to fix the errorOtavio Salvador2008-01-171-1/+1
| | | message when gpgv isn't installed, closes: #452640.
* * Applied patch from Robert Millan <rmh@aybabtu.com> to make apt-key andOtavio Salvador2007-12-161-0/+1
| | | apt-get to ignore time conflicts, closes: #451328.
* * methods/gpgv.cc:Michael Vogt2007-12-061-17/+0
| | | - remove cruft code that caused timestamp/I-M-S issues
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-11-02 07:22:00 +0000