Dual-signed things should be easy to verify with one key
Bug #1801762 reported by
Dimitri John Ledkov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apt (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
| debmirror (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
| gnupg2 (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
| ubuntu-keyring (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
| ubuntu-release-upgrader (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
As part of Ubuntu key rotation strategy, we rely on dual-signing (inline, or detached) such that validation with at least one key available in a keyring should be trusted, without using web-of-trust.
However, it seems to be only correctly so far implemented by the apt's gpgv method.
Ideally, we should ship an easy enough to use the helper that is `like gpgv` to use, and possibly reusing apt's gpgv code and/or exposing it via apt-key's verify.
The problem seems to be that 1 good sig + 1 no public key available, results in gpgv exiting with 2, instead of 0 or 1.
Ideally it should be easy enough to use gpgv/gpg to verify that at least one signature is good, and decrypt/extract signed contents only.
More details and reproducers to follow.
Revision history for this message
| Julian Andres Klode (juliank) wrote | #2 |
| tags: | added: id-5be079b42925080db15a8378 |
| Changed in ubuntu-keyring (Ubuntu): | |
| status: | New → Confirmed |
To post a comment you must log in.
I've created a shell wrapper than might be useful for this called "gpgpv-multisig" which is a multi-call executable. Given /usr/bin/
ln -s gpgv-multisig /usr/bin/
and called as 'gpgv-aptkeys' it will assume the keyring to be used is /etc/apt/
Returns the same exit codes as detailed in man gpgv(1):
0 = all signatures good
1 = at least one signature good
2 = no signatures good
Many configuration variables can be over-ridden from the environment but adopt sensible defaults.