authorSam Bingner <sam@bingner.com>2019-12-26 15:19:05 -1000
committerSam Bingner <sam@bingner.com>2019-12-26 15:24:16 -1000
commit713b65be84830af1a57148b44dc1d1d4010ece3e (patch)
tree7656452774b4ce333d514cc0d1ce303a7f9ac997
parent8d1277b777045f45ffae210edea608c27587d7a2 (diff)
Revert "Treat SHA1 as Weak rather than untrusted. Add hardcoded exceptions for Modmyi/Zodttd/Bigboss to silence errors"
This reverts commit 0a4d0898091e9a6ff584f14d310a13f61fb3d9a3.
-rw-r--r--apt-pkg/acquire-item.cc10
-rw-r--r--apt-pkg/contrib/hashes.cc2
-rw-r--r--apt-pkg/deb/debmetaindex.cc5
-rw-r--r--methods/gpgv.cc9
4 files changed, 7 insertions, 19 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index fb47bc676..bb3bc1b56 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -257,7 +257,7 @@ static bool APT_NONNULL(3, 4, 5) AllowInsecureRepositories(InsecureType const ms
if (TargetIsAllowedToBe(TransactionManager->Target, msg) == true)
{
- //MessageInsecureRepository(false, msgstr, repo);
+ MessageInsecureRepository(false, msgstr, repo);
return true;
}
@@ -1608,7 +1608,7 @@ void pkgAcqMetaClearSig::QueueIndexes(bool const verify) /*{{{*/
}
// optional targets that we do not have in the Release file are skipped
- if (Target.IsOptional)
+ if (hasHashes == true && Target.IsOptional)
{
new CleanupItem(Owner, TransactionManager, Target);
continue;
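Review bot: The comment above `if (hasHashes == true && Target.IsOptional)` still says that optional targets missing from the Release file are skipped, but the skip now also depends on `hasHashes`. What happens to an optional target when the Release file carries no hashes is not visible here; presumably it falls through to the code below and can be queued with no hash to verify it against. I would extend the comment to say so, for example `// optional targets missing from a Release file that has hashes are skipped; without hashes we cannot tell and fall through`. QueueIndexes starts and ends outside this hunk.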
@@ -1724,12 +1724,6 @@ void pkgAcqMetaClearSig::QueueIndexes(bool const verify) /*{{{*/
}
else
{
-
- if (Target.IsOptional){
- new CleanupItem(Owner, TransactionManager, Target);
- continue;
- }
-
// if we have no file to patch, no point in trying
trypdiff &= (GetExistingFilename(GetFinalFileNameFromURI(Target.URI)).empty() == false);
}
diff --git a/apt-pkg/contrib/hashes.cc b/apt-pkg/contrib/hashes.cc
index fd8b12355..98b92cc81 100644
--- a/apt-pkg/contrib/hashes.cc
+++ b/apt-pkg/contrib/hashes.cc
@@ -140,6 +140,8 @@ APT_PURE bool HashString::usable() const /*{{{*/
{
return (
(Type != "Checksum-FileSize") &&
+ (Type != "MD5Sum") &&
+ (Type != "SHA1") &&
!IsConfigured(Type.c_str(), "Untrusted")
);
}
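Review bot: The two added comparisons in `HashString::usable()` reject MD5Sum and SHA1 unconditionally, before the `IsConfigured(Type.c_str(), "Untrusted")` lookup is consulted, and nothing in the function records that this is deliberate. Someone auditing the configuration would reasonably assume the Untrusted setting is the only switch that controls which hash types are accepted. A one-line comment above the return would state the intent: `// MD5Sum and SHA1 are never usable for verification, whatever the configuration says`.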
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 2039f8308..98bac7a70 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -523,12 +523,11 @@ bool debReleaseIndex::Load(std::string const &Filename, std::string * const Erro
}
bool AuthPossible = false;
- /*if(FoundHashSum == false)
+ if(FoundHashSum == false)
_error->Warning(_("No Hash entry in Release file %s"), Filename.c_str());
else if(FoundStrongHashSum == false)
_error->Warning(_("No Hash entry in Release file %s which is considered strong enough for security purposes"), Filename.c_str());
- else*/
- if (FoundHashSum && FoundStrongHashSum)
+ else
AuthPossible = true;
std::string const StrDate = Section.FindS("Date");
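Review bot: `AuthPossible` stays false on both warning branches, so a Release file whose hash entries are all below the strong threshold is handled like one that cannot be authenticated, yet the only trace of that decision here is a warning string. A comment before the chain would make the security consequence explicit: `// authentication needs at least one strong hash entry; otherwise warn and leave AuthPossible false`. The restored `if`/`else if`/`else` also has no braces around its long single statements, so a statement added later could easily land outside the intended branch. `Load` begins and ends outside this hunk.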
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index e9f3c9d07..f66e3356f 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -68,7 +68,7 @@ struct Digest {
static constexpr Digest Digests[] = {
{Digest::State::Untrusted, "Invalid digest"},
{Digest::State::Untrusted, "MD5"},
- {Digest::State::Weak, "SHA1"},
+ {Digest::State::Untrusted, "SHA1"},
{Digest::State::Untrusted, "RIPE-MD/160"},
{Digest::State::Trusted, "Reserved digest"},
{Digest::State::Trusted, "Reserved digest"},
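Review bot: The `Digests[]` table appears to be indexed by the OpenPGP digest algorithm number that gpgv reports, but no comment says that position is significant. The evidence is in the code removed further down, which compared `tokens[7] == "2"` when it meant SHA1, and SHA1 is entry 2 here. Inserting or reordering an entry would silently change which algorithms are classed as Untrusted, Weak or Trusted. I would add `// index is the OpenPGP hash algorithm id (RFC 4880, section 9.4); do not reorder` above the array, which continues past the end of this hunk.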
@@ -233,13 +233,6 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
auto const sig = tokens[0];
// Reject weak digest algorithms
Digest digest = FindDigest(tokens[7]);
- if (sig == "CFC100B9AA5CDC6430F2E9B5AA011AC1718BABDF" || //ZodTTD
- sig == "EB22AD483B83E9A7460D86F387F92E166197E890" || //ModMyi
- sig == "A9C96A37115894A23B894107694D17D38764B4F4"){ //BigBoss
- if (tokens[7] == "2"){
- digest = {Digest::State::Trusted, "SHA1"};
- }
- }
switch (digest.getState()) {
case Digest::State::Weak:
// Treat them like an expired key: For that a message about expiry