From 47deb766c0a11c54d122197531279677545459af Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 15 Jul 2024 19:13:58 +0200 Subject: Only revoke weak RSA keys for now, add 'next' and 'future' levels Algorithms not in the next level give a warning, algorithms in not in the future level introduce an audit message for the --audit flag. next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512 future: >=rsa3072,ed25519,ed448 LP: #2073126 --- methods/gpgv.cc | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'methods') diff --git a/methods/gpgv.cc b/methods/gpgv.cc index fc37b83dc..4a0866555 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -262,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, { return IsTheSameKey(fpr, goodsig); }), Signers.Good.end()); } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next")) + { + std::string reason; + Signers.SoonWorthless.push_back({fpr, pkstr}); + } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future")) + { + std::string reason; + strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str()); + Signers.LaterWorthless.push_back({fpr, reason}); + } } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); -- cgit v1.2.3-70-g09d2