From 0989275c2f7afb7a5f7698a096664a1035118ebf Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 25 Apr 2025 20:03:52 +0200 Subject: Update Sequoia crypto policy Move our cut-offs to February to align with Sequoia, and cut-off more: - 2024-02: DSA keys retroactively (align with GnuPG config) - 2026-02: SHA224 hashes - 2028-02: Brainpool keys (align closer with GnuPG backend) - 2030-02: RSA2048 keys These algorithms will not be valid starting on those cut-off dates. Gbp-Dch: full --- debian/default-sequoia.config | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/debian/default-sequoia.config b/debian/default-sequoia.config index b0abc90ee..0bb0b9c41 100644 --- a/debian/default-sequoia.config +++ b/debian/default-sequoia.config @@ -1,4 +1,18 @@ +# Default APT Sequoia configuration. To overwrite, consider copying this +# to /etc/crypto-policies/back-ends/apt-sequoia.config and modify the +# desired values. +[asymmetric_algorithms] +dsa2048 = 2024-02-01 +dsa3072 = 2024-02-01 +dsa4096 = 2024-02-01 +brainpoolp256 = 2028-02-01 +brainpoolp384 = 2028-02-01 +brainpoolp512 = 2028-02-01 +rsa2048 = 2030-02-01 + [hash_algorithms] -sha1.second_preimage_resistance = 2026-01-01 +sha1.second_preimage_resistance = 2026-02-01 # Extend the expiry for legacy repositories +sha224 = 2026-02-01 + [packets] -signature.v3 = 2026-01-01 +signature.v3 = 2026-02-01 # Extend the expiry -- cgit v1.2.3-70-g09d2 From 1747377d5b486318632026f4660ea2e7fb5f9ba2 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 25 Apr 2025 20:40:43 +0200 Subject: sqv: Refactor execution of sqv into separate method --- methods/sqv.cc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/methods/sqv.cc b/methods/sqv.cc index 3191752cc..3cb27354b 100644 --- a/methods/sqv.cc +++ b/methods/sqv.cc @@ -19,6 +19,7 @@ class SQVMethod : public aptMethod bool VerifyGetSigners(const char *file, const char *outfile, vector keyFiles, vector &signers); + bool ExecuteSqv(const std::vector &args, std::vector &signers); protected: bool URIAcquire(std::string const &Message, FetchItem *Itm) override; @@ -205,6 +206,13 @@ bool SQVMethod::VerifyGetSigners(const char *file, const char *outfile, args.push_back(outfile); } + return ExecuteSqv(args, signers); +} + +bool SQVMethod::ExecuteSqv(const std::vector &args, std::vector &signers) +{ + bool const Debug = DebugEnabled(); + // FIXME: Use a select() loop FileFd sqvout; FileFd sqverr; -- cgit v1.2.3-70-g09d2 From 85c435f23718e168345ea60270b24a57061b54f4 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 25 Apr 2025 20:53:45 +0200 Subject: sqv: Warn about signatures that will be rejected by policy within a year This implements a simple check where we first run `sqv` with `--policy-as-of` 1 year in the future. If the file is validly signed one year in the future, it is validly signed now. If the file is not validly signed 1 year in the future, we check if it is validly signed now, and otherwise print an error message. The --policy-as-of feature was added in sqv 1.3.0, hence we add a version requirement to the dependency. --- debian/control | 2 +- debian/rules | 2 +- methods/sqv.cc | 46 +++++++++++++++++++++++++- test/integration/test-releasefile-verification | 10 ++++++ 4 files changed, 57 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index 157ca079e..a3e4c45df 100644 --- a/debian/control +++ b/debian/control @@ -28,7 +28,7 @@ Build-Depends: dpkg-dev (>= 1.22.5) , ninja-build, pkg-config, po4a (>= 0.34-2) , - sqv [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] | gpgv, + sqv (>= 1.3.0) [amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x hurd-amd64 hurd-i386 loong64 powerpc ppc64 sparc64] | gpgv, triehash, xsltproc , zlib1g-dev diff --git a/debian/rules b/debian/rules index cd2370931..55d5e5eac 100755 --- a/debian/rules +++ b/debian/rules @@ -31,7 +31,7 @@ override_dh_install-arch: install -m 644 debian/apt.conf.autoremove debian/apt/etc/apt/apt.conf.d/01autoremove override_dh_gencontrol: - dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends=$(shell test -e /usr/bin/sqv && echo sqv || echo gpgv) + dh_gencontrol -- -Vapt:keyring="$(shell ./vendor/getinfo keyring-package)" -Vopenpgp:Depends="$(shell test -e /usr/bin/sqv && echo "sqv (>= 1.3.0)" || echo gpgv)" override_dh_installcron: dh_installcron --name=apt-compat diff --git a/methods/sqv.cc b/methods/sqv.cc index 3cb27354b..6c154401d 100644 --- a/methods/sqv.cc +++ b/methods/sqv.cc @@ -206,7 +206,51 @@ bool SQVMethod::VerifyGetSigners(const char *file, const char *outfile, args.push_back(outfile); } - return ExecuteSqv(args, signers); + bool res = false; + std::vector aheadErrors; + // Check the signature with a one-year-ahead policy first + { + _error->PushToStack(); + auto time = std::time(nullptr); + auto tm = std::localtime(&time); + std::string yearAheadDate; + strprintf(yearAheadDate, "%d-%d-%d", tm->tm_year + 1900 + 1, tm->tm_mon + 1, tm->tm_mday); + + args.push_back("--policy-as-of"); + args.push_back(std::move(yearAheadDate)); + res = ExecuteSqv(args, signers); + args.pop_back(); + args.pop_back(); + + // Preserve any warnings or whatnot on success + if (res) + _error->MergeWithStack(); + else + { + while (not _error->empty()) + { + std::string msg; + _error->PopMessage(msg); + aheadErrors.push_back(msg); + } + _error->RevertToStack(); + } + } + + // The year-ahead-policy produced no valid signer, check if valid at current time. + if (not res) + { + // clear signers, args have already been cleaned post-execution + signers.clear(); + res = ExecuteSqv(args, signers); + if (res) + { + Warning(_("Policy will reject signature within a year, see --audit for details")); + for (auto &&msg : aheadErrors) + Audit(std::move(msg)); + } + } + return res; } bool SQVMethod::ExecuteSqv(const std::vector &args, std::vector &signers) diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 1e54cf0d5..e15752482 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -374,6 +374,16 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release " aptcache show apt installaptnew + if test -e "${METHODSDIR}/sqv"; then + msgmsg 'Warm archive with ahead-policy-rejected subkey signing' 'Sebastian Subkey' + cat > sequoia.config << EOF +[asymmetric_algorithms] +rsa3072 = $(date +%Y-%m-%d --date="now + 6 months") +EOF + APT_SEQUOIA_CRYPTO_POLICY=$PWD/sequoia.config updatewithwarnings "W: http://localhost:${APTHTTPPORT}/Release.gpg: Policy will reject signature within a year, see --audit for details" + exit + fi + msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists -- cgit v1.2.3-70-g09d2