This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch main
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=37bec03dc8ec79e8adcf05c13975faabe8f44b1c

commit 37bec03dc8ec79e8adcf05c13975faabe8f44b1c
Author: Guillem Jover <[email protected]>
AuthorDate: Mon Oct 14 04:31:22 2024 +0200

    Dpkg::OpenPGP::Backend::Sequoia: Add sqv support for verification
    
    This adds support for the verification-only command from Sequoia-PGP,
    which is the one currently used by apt to perform OpenPGP verification,
    so that, for example, source package verification with dpkg-source
    works again in minimal installations.
    
    This is possible due to the new sqv 1.3.0 API changes, which makes it
    somewhat more compatible with «sq verify», in addition to supporting
    inline-verify style signatures, which is required for the artifacts
    that we need to handle.
---
 debian/control                          |  9 +++++--
 scripts/Dpkg/OpenPGP/Backend/Sequoia.pm | 46 ++++++++++++++++++++++++++++-----
 scripts/Test/Dpkg.pm                    |  2 +-
 3 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/debian/control b/debian/control
index 4db8436f9..429a438e6 100644
--- a/debian/control
+++ b/debian/control
@@ -38,6 +38,7 @@ Build-Depends:
 # Needed for the test suite in author mode.
  fakeroot <pkg.dpkg.author-testing>,
  sq <pkg.dpkg.author-testing>,
+ sqv (>= 1.3.0~) <pkg.dpkg.author-testing>,
  sqop <pkg.dpkg.author-testing>,
  sqopv <pkg.dpkg.author-testing>,
  rsop <pkg.dpkg.author-testing>,
@@ -131,7 +132,7 @@ Recommends:
  gcc | c-compiler,
  fakeroot,
  sq | sqop | rsop | gosop | pgpainless-cli | gpg-sq | gnupg,
- sq | sqopv | rsopv | sopv | gosop | pgpainless-cli | gpgv-sq | gpgv,
+ sqv | sqopv | rsopv | sopv | gosop | pgpainless-cli | gpgv-sq | gpgv,
 # Used by dpkg-mergechangelogs.
  libalgorithm-merge-perl,
 Suggests:
@@ -142,6 +143,8 @@ Breaks:
  debhelper (<< 10.10.1~),
 # Uses new sq features, w/o requiring a hard dependency on sq.
  sq (<< 0.40.0~),
+# Uses new sqv features, w/o requiring a hard dependency on sqv.
+ sqv (<< 1.3.0~),
 # Uses required SOP features, w/o requiring a hard dependency on sqop.
  sqop (<< 0.27.2~),
 # Uses required SOP features, w/o requiring a hard dependency on rsop.
@@ -183,7 +186,7 @@ Suggests:
  debian-keyring,
  debian-tag2upload-keyring,
  sq | sqop | rsop | gosop | pgpainless-cli | gpg-sq | gnupg,
- sq | sqopv | rsopv | sopv | gosop | pgpainless-cli | gpgv-sq | gpgv,
+ sqv | sqopv | rsopv | sopv | gosop | pgpainless-cli | gpgv-sq | gpgv,
  gcc | c-compiler,
  binutils,
  patch,
@@ -202,6 +205,8 @@ Breaks:
  dgit (<< 3.13~),
 # Uses new sq features, w/o requiring a hard dependency on sq.
  sq (<< 0.40.0~),
+# Uses new sqv features, w/o requiring a hard dependency on sqv.
+ sqv (<< 1.3.0~),
 # Uses required SOP features, w/o requiring a hard dependency on sqop.
  sqop (<< 0.27.2~),
 # Uses required SOP features, w/o requiring a hard dependency on rsop.
diff --git a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm 
b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
index 666bbe37c..2d50b0921 100644
--- a/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
+++ b/scripts/Dpkg/OpenPGP/Backend/Sequoia.pm
@@ -1,4 +1,4 @@
-# Copyright © 2021-2024 Guillem Jover <[email protected]>
+# Copyright © 2021-2025 Guillem Jover <[email protected]>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -34,6 +34,7 @@ use strict;
 use warnings;
 
 use POSIX qw(:sys_wait_h);
+use File::Temp;
 
 use Dpkg::ErrorHandling;
 use Dpkg::Gettext;
@@ -42,6 +43,10 @@ use Dpkg::OpenPGP::ErrorCodes;
 
 use parent qw(Dpkg::OpenPGP::Backend);
 
+sub DEFAULT_CMDV {
+    return [ qw(sqv) ];
+}
+
 sub DEFAULT_CMD {
     return [ qw(sq) ];
 }
@@ -93,7 +98,7 @@ sub armor
 {
     my ($self, $type, $in, $out) = @_;
 
-    return OPENPGP_MISSING_CMD unless $self->{cmd};
+    return $self->SUPER::armor($type, $in, $out) unless $self->{cmd};
 
     # We ignore the $type, and let "sq" handle this automatically.
     my $rc = $self->_sq_exec_cmd(qw(packet armor --output), $out, $in);
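Review bot: The new fallback from `return OPENPGP_MISSING_CMD` to `$self->SUPER::armor(...)` when `$self->{cmd}` is unset changes what callers get without sq installed, and neither the commit message nor the code says why; the same applies to dearmor in the following hunk. Presumably the base class now provides a generic implementation that does not need the sq binary, but that is not visible here. A one-line comment above the return such as `# Without sq, defer to the backend-independent implementation in the parent class.` would make the intent clear to the next reader. The armor body continues past the end of this hunk.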
@@ -105,7 +110,7 @@ sub dearmor
 {
     my ($self, $type, $in, $out) = @_;
 
-    return OPENPGP_MISSING_CMD unless $self->{cmd};
+    return $self->SUPER::dearmor($type, $in, $out) unless $self->{cmd};
 
     # We ignore the $type, and let "sq" handle this automatically.
     my $rc = $self->_sq_exec_cmd(qw(packet dearmor --output), $out, $in);
@@ -119,10 +124,35 @@ sub inline_verify
 
     return OPENPGP_MISSING_CMD unless ($self->{cmdv} || $self->{cmd});
 
+    # XXX: sqv does not support --signer-file. See:
+    #   <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/11>.
+    my $keyring_opt = $self->{cmdv} ? '--keyring' : '--signer-file';
+
     my @opts;
     push @opts, '--cleartext';
-    push @opts, map { ('--signer-file', $_) } @certs;
-    push @opts, '--output', $data if defined $data;
+    push @opts, map { ($keyring_opt, $_) } @certs;
+    my $tmpdir;
+    if (not defined $data) {
+        # XXX: For sqv the --output option is mandatory. See:
+        #   <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/12>.
+        # XXX: For sqv the --output option does not accept «-» as stdout,
+        #   which we would discard at spawn() time, and would then not need
+        #   to pass /dev/null or use a temporary file. See:
+        #   <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/15>.
+        # XXX: We need a temporary file because we cannot pass /dev/null. See:
+        #   <https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/561> and
+        #   <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/13>.
+        if ($self->{cmdv}) {
+            $tmpdir = File::Temp->newdir(
+                TEMPLATE => 'dpkg-openpgp-backend-sq-verify-XXXXXX',
+                TMPDIR => 1,
+            );
+            $data = "$tmpdir/output";
+        } else {
+            $data = '-';
+        }
+    }
+    push @opts, '--output', $data;
 
     my $rc = $self->_sq_exec_cmdv(@opts, $inlinesigned);
     return OPENPGP_NO_SIG if $rc;
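Review bot: The `$keyring_opt` selection together with its XXX comment is now duplicated verbatim between inline_verify (this hunk) and verify (the next hunk of this file); a small private helper such as `sub _sq_cert_opt { my $self = shift; return $self->{cmdv} ? '--keyring' : '--signer-file'; }` would keep the sqv-versus-sq distinction, and its tracking-issue reference, in one place. The lifetime of `$tmpdir` also deserves a comment: it must remain in scope until `_sq_exec_cmdv` has returned, because the directory (and the verified output written to `$tmpdir/output`) is removed when the File::Temp object is destroyed, e.g. `# $tmpdir must outlive the verifier call; the directory is removed on scope exit.`. The inline_verify body begins and ends outside this hunk.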
@@ -135,8 +165,12 @@ sub verify
 
     return OPENPGP_MISSING_CMD unless ($self->{cmdv} || $self->{cmd});
 
+    # XXX: sqv does not support --signer-file. See:
+    #   <https://gitlab.com/sequoia-pgp/sequoia-sqv/-/issues/11>.
+    my $keyring_opt = $self->{cmdv} ? '--keyring' : '--signer-file';
+
     my @opts;
-    push @opts, map { ('--signer-file', $_) } @certs;
+    push @opts, map { ($keyring_opt, $_) } @certs;
     push @opts, '--signature-file', $sig;
 
     my $rc = $self->_sq_exec_cmdv(@opts, $data);
diff --git a/scripts/Test/Dpkg.pm b/scripts/Test/Dpkg.pm
index 19c1706dd..ae08a3e6a 100644
--- a/scripts/Test/Dpkg.pm
+++ b/scripts/Test/Dpkg.pm
@@ -211,7 +211,7 @@ my @openpgp_backends = (
     {
         backend => 'sq',
         cmd => 'sq',
-        cmdv => 'none',
+        cmdv => 'sqv',
     },
     {
         backend => 'sop',

-- 
Dpkg.Org's dpkg
