From 85c435f23718e168345ea60270b24a57061b54f4 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 25 Apr 2025 20:53:45 +0200 Subject: sqv: Warn about signatures that will be rejected by policy within a year This implements a simple check where we first run `sqv` with `--policy-as-of` 1 year in the future. If the file is validly signed one year in the future, it is validly signed now. If the file is not validly signed 1 year in the future, we check if it is validly signed now, and otherwise print an error message. The --policy-as-of feature was added in sqv 1.3.0, hence we add a version requirement to the dependency. --- test/integration/test-releasefile-verification | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'test/integration') diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index 1e54cf0d5..e15752482 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -374,6 +374,16 @@ Signed-By: ${SEBASTIAN}" rootdir/var/lib/apt/lists/*Release " aptcache show apt installaptnew + if test -e "${METHODSDIR}/sqv"; then + msgmsg 'Warm archive with ahead-policy-rejected subkey signing' 'Sebastian Subkey' + cat > sequoia.config << EOF +[asymmetric_algorithms] +rsa3072 = $(date +%Y-%m-%d --date="now + 6 months") +EOF + APT_SEQUOIA_CRYPTO_POLICY=$PWD/sequoia.config updatewithwarnings "W: http://localhost:${APTHTTPPORT}/Release.gpg: Policy will reject signature within a year, see --audit for details" + exit + fi + msgmsg 'Warm archive with wrong exact subkey signing' 'Sebastian Subkey' rm -rf rootdir/var/lib/apt/lists cp -a rootdir/var/lib/apt/lists-bak rootdir/var/lib/apt/lists -- cgit v1.2.3-70-g09d2