From 3f07f5345ec79702c3c769047452041b2c12953f Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Wed, 9 Jun 2021 13:22:38 +0200
Subject: Add support for embedding PGP keys into Signed-By in deb822 sources
Extend the Signed-By field to handle embedded public key blocks, this allows shipping self-contained .sources files, making it substantially easier to provide third party repositories.
---
apt-pkg/deb/debmetaindex.cc | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
(limited to 'apt-pkg')
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index d78cea758..298ff5007 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -56,6 +56,23 @@ static std::string transformFingergrpintsWithFilenames(std::string const &finger
 /*}}}*/
 static std::string NormalizeSignedBy(std::string SignedBy, bool const SupportFilenames) /*{{{*/
 {
+ // This is an embedded public pgp key, normalize spaces inside it and empty "." lines
+ if (SignedBy.find("-----BEGIN PGP PUBLIC KEY BLOCK-----") != std::string::npos) {
+ std::istringstream is(SignedBy);
+ std::ostringstream os;
+ std::string line;
+
+ while (std::getline(is, line)) {
+ line = APT::String::Strip(line);
+ // The special encoding for empty lines in deb822
+ if (line == ".")
+ line="";
+ os << line << std::endl;
+ }
+ std::clog << "OUTPUT " << os.str() << std::endl;
+ return os.str();
+ }
+
 // we could go all fancy and allow short/long/string matches as gpgv/apt-key does,
 // but fingerprints are harder to fake than the others and this option is set once,
 // not interactively all the time so easy to type is not really a concern.
-- cgit v1.2.3-70-g09d2
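Review bot: The `std::clog << "OUTPUT " << os.str() << std::endl;` line in the new key-block branch looks like leftover debugging, and it writes the whole normalized key to stderr on every call; it should be dropped before merge. The branch is also taken when the armor header appears anywhere in `SignedBy` (`find(...) != std::string::npos`) and it returns before `SupportFilenames` is consulted, so a value that mixes fingerprints or paths with a key block is passed through unchanged, and callers that pass `false` accept embedded keys as well; whether that is intended is not visible here. Because this field selects the keys a repository is verified against, consider requiring the stripped value to begin with the BEGIN line and to contain the matching `-----END PGP PUBLIC KEY BLOCK-----`, and rejecting anything else instead of falling through silently. `os << line << '\n';` would also avoid a flush per line. The rest of NormalizeSignedBy lies outside the hunk, so how the returned block is consumed cannot be checked from here.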