This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
commit 6f903af181057a046a1344aadca552b113a2c2ee
Author: Guillem Jover <[email protected]>
Date: Wed Aug 17 00:55:56 2016 +0200
dpkg-buildpackage: Validate OpenPGP signing key IDs
We should not accept short key IDs, and warn about long key IDs. Recommend to use fingerprints.
---
 debian/changelog | 2 ++
 scripts/dpkg-buildpackage.pl | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 56b4c9e..f2a2ee0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -59,6 +59,8 @@ dpkg (1.19.1) UNRELEASED; urgency=medium
 same protocol. Thanks to Julian Andres Klode <[email protected]>.
 * Do not emit perl warnings in dpkg-source --help on source formats w/o
 options.
+ * Make dpkg-buildpackage validate OpenPGP signing key IDs length. Error out
+ for short key IDs and warn for long key IDs.
 * Architecture support:
 - Add support for riscv64 CPU. Closes: #822914
 Thanks to Manuel A. Fernandez Montecelo <[email protected]>
diff --git a/scripts/dpkg-buildpackage.pl b/scripts/dpkg-buildpackage.pl
index 49c7173..dccb8f8 100755
--- a/scripts/dpkg-buildpackage.pl
+++ b/scripts/dpkg-buildpackage.pl
@@ -477,6 +477,8 @@ if (build_has_any(BUILD_ARCH_DEP)) {
 my $pv = "${pkg}_$sversion";
 my $pva = "${pkg}_${sversion}_$arch";
+signkey_validate();
+
 if (not $signcommand) {
 $signsource = 0;
 $signbuildinfo = 0;
@@ -810,6 +812,21 @@ sub update_files_field {
 $ctrl->{'Files'} =~ s/^$file_regex$/$md5sum $size $1/m;
 }
+sub signkey_validate {
+ # Make sure this is an hex keyid.
+ return unless $signkey =~ m/^(?:0x)?([[:xdigit:]]+)$/;
+
+ my $keyid = $1;
+
+ if (length $keyid <= 8) {
+ error(g_('short OpenPGP key IDs are broken; ' .
+ 'please use key fingerprints instead'));
+ } elsif (length $keyid <= 16) {
+ warning(g_('long OpenPGP key IDs are strongly discouraged; ' .
+ 'please use key fingerprints instead'));
+ }
+}
+
 sub signfile {
 my $file = shift;
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/dpkg/dpkg.git
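Review bot: The match `$signkey =~ m/^(?:0x)?([[:xdigit:]]+)$/` at the top of signkey_validate is evaluated on every run, because the new call in the hunk at line 477 sits before the `if (not $signcommand)` check, so whenever $signkey is not set the match operates on an undefined value and emits an uninitialized-value warning; a definedness guard avoids that: `return unless defined $signkey and $signkey =~ m/^(?:0x)?([[:xdigit:]]+)\z/;`. Replacing `$` with `\z` in the same line also stops a value ending in a newline from being classified as a hex key ID. Whether $signkey can be undefined depends on its initialisation, which is outside this hunk. A non-hex value returns silently, which seems intended since only hex IDs have a meaningful length, but the comment could say so: `# Only hex key IDs are length-checked; other values (e.g. user IDs) pass through.`. `length $keyid <= 8` parses as `(length $keyid) <= 8` because length is a named unary operator, though `length($keyid) <= 8` would read more plainly.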

