On Fri, Jan 04, 2019 at 04:51:35PM -0500, Daniel Kahn Gillmor wrote:
> debmirror's gpg_verify() function should be re-written to account for
> this, probably by verifying that *at least one* signature is valid.
>
> While fixing this signature verification, it might also want to ensure
> that it's verifying the status-fd output, rather than the return code
> (see https://dev.gnupg.org/T1537#100523 and other related discussion
> about why the return code is not reliable for what you typically want
> to find out from gpgv).

Done.

> In addition, the verification of InRelease is potentially buggy,
> because the processing of the inline signature doesn't verify the
> *contents* of the signature -- there could be additional data above or
> below the signature -- or multiple things signed. So any verification
> like that needs to probably use the gpgv --output flag, and stash (or
> compare) the output to Release itself. (or something like that, i
> confess i don't follow all the logic in debmirror for
> signature-verification yet)

Yes. I transliterated some code from APT to explicitly verify the
structure, on the basis that at least the approach is pretty well-tested
for InRelease files even if my transliterated code isn't necessarily as
well-tested ... Post-hoc review welcome if you notice anything dodgy
here.

https://salsa.debian.org/debian/debmirror/commit/3b5c84e534e52f51e0a6373223483f1130d45e3e

Thanks,

-- 
Colin Watson [cjwat...@debian.org]
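The verification discipline the two messages describe, written out as an added Python example (it is neither debmirror's gpg_verify() nor the APT code Colin transliterated; the linked commit is the real fix). It parses gpgv's --status-fd lines instead of trusting the exit code, accepts a file only when at least one GOODSIG is present, and, for an inline-signed InRelease, captures the signed payload with --output and compares it byte-for-byte against a clear Release file so that text outside the signed region cannot slip through. Assumptions: gpgv is on PATH, keyring paths are supplied by the caller, the status lines in SAMPLE_STATUS are constructed for illustration, and the "reject if any BADSIG" rule is my own stricter policy layered on top of the "at least one valid" requirement from the thread.

```python
import os
import subprocess
import tempfile
from dataclasses import dataclass, field

# gpgv prefixes every machine-readable status line with this token.
STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of what gpgv might print on --status-fd for a file
# carrying two signatures: one from a key we do not have, one good one.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] NO_PUBKEY DEADBEEFDEADBEEF\n"
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Signing Key\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2019-01-04 1546640000 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)


@dataclass
class SigStatus:
    """What the status-fd output said about each signature on a file."""
    good: list = field(default_factory=list)        # key ids from GOODSIG
    valid_fprs: list = field(default_factory=list)  # fingerprints from VALIDSIG
    bad: list = field(default_factory=list)         # key ids from BADSIG
    expired_or_revoked: list = field(default_factory=list)  # EXPSIG/EXPKEYSIG/REVKEYSIG
    no_pubkey: list = field(default_factory=list)   # NO_PUBKEY: unverifiable, not proven bad
    errors: list = field(default_factory=list)      # ERRSIG/NODATA/...: no usable signature


def parse_status(status_text: str) -> SigStatus:
    """Classify every status line; anything else (human-readable noise) is ignored."""
    st = SigStatus()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        arg0 = args[0] if args else ""
        if keyword == "GOODSIG":
            st.good.append(arg0)
        elif keyword == "VALIDSIG":
            st.valid_fprs.append(arg0)
        elif keyword == "BADSIG":
            st.bad.append(arg0)
        elif keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            st.expired_or_revoked.append(arg0)
        elif keyword == "NO_PUBKEY":
            st.no_pubkey.append(arg0)
        elif keyword in ("ERRSIG", "NODATA", "UNEXPECTED", "FAILURE"):
            st.errors.append(" ".join(fields))
    return st


def acceptable(st: SigStatus, reject_any_bad: bool = True) -> bool:
    """At least one good signature is required (the thread's rule); refusing a
    file that also carries a BADSIG is my own stricter addition."""
    if not st.good:
        return False
    if reject_any_bad and st.bad:
        return False
    return True


def gpgv_command(keyrings, sig_file, data_file=None, output_file=None):
    """Build the gpgv argv: status lines go to stdout, diagnostics stay on stderr."""
    cmd = ["gpgv", "--status-fd", "1"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    if output_file is not None:
        cmd += ["--output", output_file]   # captured signed payload (inline signatures)
    cmd.append(sig_file)
    if data_file is not None:
        cmd.append(data_file)              # detached: Release.gpg then Release
    return cmd


def verify_inrelease(keyrings, inrelease_path, release_path=None):
    """Verify an inline-signed InRelease and, when a clear Release is given,
    insist that the signed payload gpgv extracted equals it byte-for-byte."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "Release.verified")
        proc = subprocess.run(
            gpgv_command(keyrings, inrelease_path, output_file=out),
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
        st = parse_status(proc.stdout)      # verdict comes from here, not returncode
        if not acceptable(st) or not os.path.exists(out):
            return False, st
        with open(out, "rb") as f:
            signed_payload = f.read()
        if release_path is not None:
            with open(release_path, "rb") as f:
                if f.read() != signed_payload:
                    return False, st        # extra data around the signed block
        return True, st


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("good:", status.good, "no_pubkey:", status.no_pubkey,
          "acceptable:", acceptable(status))
```

The comparison in verify_inrelease is deliberately byte-exact: a mismatch means the text gpgv actually verified is not the file the mirror is about to trust, which is the failure mode Daniel's message warns about, and the right response is to reject rather than to guess which part was signed.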