[linux-signed] 02/04: debian/bin/sign.py: Use Release, Release.gpg instead of InRelease
Tue Sep 20 21:58:35 UTC 2016
benh pushed a commit to branch sid
in repository linux-signed.
commit 8429e9be572f065de49706c95c6637a6ab08d208
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Sep 20 22:24:32 2016 +0100
debian/bin/sign.py: Use Release, Release.gpg instead of InRelease
Inline-signed files can include unsigned text, and it's possible that
deb822.Release might end up parsing the unsigned text as well as the
signed text. We might be able to use 'gpg --output' to get only the
signed text, but gpgv doesn't support that option!
deb822.Release doesn't support detached signatures any more than
inline signatures, so continue calling gpgv directly.
---
debian/bin/sign.py | 22 +++++++++++++++++-----
debian/changelog | 2 ++
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index 9d885b8..c2e0317 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -14,20 +14,32 @@ _release_data = {}
def get_release_data(mirror, suite):
if not _release_data:
- url = urllib.parse.urljoin(mirror, 'dists/%s/InRelease' % suite)
+ # I would prefer to use InRelease here to avoid a possible
+ # mismatch but inline-signed files can include unsigned text
+ # that we might mistakenly trust.
+ url = urllib.parse.urljoin(mirror, 'dists/%s/Release' % suite)
print('I: Fetching %s' % url)
with urllib.request.urlopen(url) as req:
release_raw = req.read()
+ url += '.gpg'
+ print('I: Fetching %s' % url)
+ with urllib.request.urlopen(url) as req:
+ release_sig_raw = req.read()
- # Validate against keyring. deb822.Release seems to expect
- # detached signatures so call gpgv directly.
- with tempfile.NamedTemporaryFile() as release_file:
+ # Validate against keyring. deb822.Release doesn't support
+ # signatures (inline or detached) for some reason so call gpgv
+ # directly.
+ with tempfile.NamedTemporaryFile() as release_file, \
+ tempfile.NamedTemporaryFile() as release_sig_file:
release_file.write(release_raw)
release_file.flush()
+ release_sig_file.write(release_sig_raw)
+ release_sig_file.flush()
output = subprocess.check_output(
['gpgv', '--status-fd', '1',
'--keyring', '/usr/share/keyrings/debian-archive-keyring.gpg',
- '--ignore-time-conflict', release_file.name])
+ '--ignore-time-conflict', release_sig_file.name,
+ release_file.name])
if not re.search(r'^\[GNUPG:\]\s+VALIDSIG\s', codecs.decode(output),
re.MULTILINE):
os.write(2, output) # bytes not str!
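Review bot: gpgv exits non-zero when a signature does not verify (BADSIG, NO_PUBKEY), so the `subprocess.check_output` call added for the detached signature raises `CalledProcessError` that nothing in this hunk catches; the VALIDSIG regex below it therefore only ever runs on the success path, and a real verification failure ends in a traceback with gpgv's status lines buried in the exception object instead of being written to fd 2 like the no-VALIDSIG case. Fetching Release and Release.gpg as two separate requests makes this more likely to be hit in practice, since a mirror updating between the two fetches yields exactly a BADSIG. I would wrap the gpgv call in a `try:` and add `except subprocess.CalledProcessError as e:` / `os.write(2, e.output)  # bytes not str!` / `raise`, so the operator sees which status line gpgv produced before the script aborts. The body of get_release_data continues past the end of the hunk, so the code that consumes `release_raw` after this check is not visible here.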
diff --git a/debian/changelog b/debian/changelog
index c8629f4..d737b60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ linux-signed (2.4) UNRELEASED; urgency=medium
* Validate version suffiix to ensure it sorts lowe than stable security
updates
* debian/bin/sign.py: Flush temporary release file before running gpgv
+ * debian/bin/sign.py: Use Release, Release.gpg instead of InRelease to
+ avoid the possibility of using unsigned data
-- Ben Hutchings <ben at decadent.org.uk> Thu, 15 Sep 2016 16:54:17 +0100