This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=1eae71c1c7217e89d3316b86fac18306ddeeb958 commit 1eae71c1c7217e89d3316b86fac18306ddeeb958 Author: Guillem Jover <[email protected]> AuthorDate: Wed Aug 20 13:06:37 2025 +0200 Dpkg::OpenPGP: Do not run verify with no keyrings The verification method makes little sense without keyrings as then we'd not be able to verify the signatures. We implemented this specifically for Sequoia, and not for GnuPG as that backend does not error out if it does not get a keyring, but the SOP backend has the same problem, so let's unify the behavior for all backends (in case users load them explicitly) and their parents which is the expected interface for those methods. Closes: #1111617 Stable-Candidate: 1.22.x --- scripts/Dpkg/OpenPGP.pm | 5 +++++ scripts/Dpkg/OpenPGP/Backend.pm | 2 ++ scripts/Dpkg/OpenPGP/Backend/GnuPG.pm | 4 ++++ scripts/Dpkg/OpenPGP/Backend/SOP.pm | 4 ++++ 4 files changed, 15 insertions(+) diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm index facbc8c09..2b83dfdbf 100644 --- a/scripts/Dpkg/OpenPGP.pm +++ b/scripts/Dpkg/OpenPGP.pm @@ -37,6 +37,7 @@ use Dpkg::Gettext; use Dpkg::ErrorHandling; use Dpkg::IPC; use Dpkg::Path qw(find_command); +use Dpkg::OpenPGP::ErrorCodes; my @BACKENDS = qw( sop @@ -147,12 +148,16 @@ sub dearmor { sub inline_verify { my ($self, $inlinesigned, $data, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->{backend}->inline_verify($inlinesigned, $data, @certs); } sub verify { my ($self, $data, $sig, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->{backend}->verify($data, $sig, @certs); } diff --git a/scripts/Dpkg/OpenPGP/Backend.pm b/scripts/Dpkg/OpenPGP/Backend.pm index 8ca633197..7afe89a78 100644 --- a/scripts/Dpkg/OpenPGP/Backend.pm +++ b/scripts/Dpkg/OpenPGP/Backend.pm @@ -218,12 +218,14 @@ sub dearmor { sub inline_verify { my ($self, $inlinesigned, $data, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; return OPENPGP_UNSUPPORTED_SUBCMD; } sub verify { my ($self, $data, $sig, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; return OPENPGP_UNSUPPORTED_SUBCMD; } diff --git a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm index f75261968..077c1586a 100644 --- a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm +++ b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm @@ -165,12 +165,16 @@ sub _gpg_verify { sub inline_verify { my ($self, $inlinesigned, $data, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->_gpg_verify($inlinesigned, undef, $data, @certs); } sub verify { my ($self, $data, $sig, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->_gpg_verify($data, $sig, undef, @certs); } diff --git a/scripts/Dpkg/OpenPGP/Backend/SOP.pm b/scripts/Dpkg/OpenPGP/Backend/SOP.pm index 94f41544d..ab2150c38 100644 --- a/scripts/Dpkg/OpenPGP/Backend/SOP.pm +++ b/scripts/Dpkg/OpenPGP/Backend/SOP.pm @@ -98,6 +98,8 @@ sub inline_verify { my ($self, $inlinesigned, $data, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->_sop_exec({ verify => 1, in => $inlinesigned, out => $data }, 'inline-verify', @certs); } @@ -106,6 +108,8 @@ sub verify { my ($self, $data, $sig, @certs) = @_; + return OPENPGP_MISSING_KEYRINGS if @certs == 0; + return $self->_sop_exec({ verify => 1, in => $data }, 'verify', $sig, @certs); } -- Dpkg.Org's dpkg
