implement Signed-By option for sources.list

Limits which key(s) can be used to sign a repository. Not immensely useful
from a security perspective all by itself, but if the user has
additional measures in place to confine a repository (like pinning) an
attacker who gets the key for such a repository is limited to its
potential and can't use the key to sign its attacks for an other (maybe
less limited) repository… (yes, this is as weak as it sounds, but having
the capability might come in handy for implementing other stuff later).

1 files changed, 15 insertions, 13 deletions

diff --git a/apt-pkg/sourcelist.cc b/apt-pkg/sourcelist.cc
index 0d65558ed..eef0ee709 100644
--- a/apt-pkg/sourcelist.cc
+++ b/apt-pkg/sourcelist.cc
@@ -93,27 +93,29 @@ bool pkgSourceList::Type::ParseStanza(vector<metaIndex *> &List,	/*{{{*/
    if (Enabled.empty() == false && StringToBool(Enabled) == false)
       return true;
 
-   std::map<char const * const, char const * const> mapping;
+   std::map<char const * const, std::pair<char const * const, bool> > mapping;
 #define APT_PLUSMINUS(X, Y) \
-   mapping.insert(std::make_pair(X, Y)); \
-   mapping.insert(std::make_pair(X "Add", Y "+")); \
-   mapping.insert(std::make_pair(X "Remove", Y "-"))
+   mapping.insert(std::make_pair(X, std::make_pair(Y, true))); \
+   mapping.insert(std::make_pair(X "Add", std::make_pair(Y "+", true))); \
+   mapping.insert(std::make_pair(X "Remove", std::make_pair(Y "-", true)))
    APT_PLUSMINUS("Architectures", "arch");
    APT_PLUSMINUS("Languages", "lang");
    APT_PLUSMINUS("Targets", "target");
 #undef APT_PLUSMINUS
-   mapping.insert(std::make_pair("Trusted", "trusted"));
-   mapping.insert(std::make_pair("Check-Valid-Until", "check-valid-until"));
-   mapping.insert(std::make_pair("Valid-Until-Min", "valid-until-min"));
-   mapping.insert(std::make_pair("Valid-Until-Max", "valid-until-max"));
+   mapping.insert(std::make_pair("Trusted", std::make_pair("trusted", false)));
+   mapping.insert(std::make_pair("Check-Valid-Until", std::make_pair("check-valid-until", false)));
+   mapping.insert(std::make_pair("Valid-Until-Min", std::make_pair("valid-until-min", false)));
+   mapping.insert(std::make_pair("Valid-Until-Max", std::make_pair("valid-until-max", false)));
+   mapping.insert(std::make_pair("Signed-By", std::make_pair("signed-by", false)));
 
-   for (std::map<char const * const, char const * const>::const_iterator m = mapping.begin(); m != mapping.end(); ++m)
+   for (std::map<char const * const, std::pair<char const * const, bool> >::const_iterator m = mapping.begin(); m != mapping.end(); ++m)
       if (Tags.Exists(m->first))
       {
-         // for deb822 the " " is the delimiter, but the backend expects ","
-         std::string option = Tags.FindS(m->first);
-         std::replace(option.begin(), option.end(), ' ', ',');
-         Options[m->second] = option;
+	 std::string option = Tags.FindS(m->first);
+	 // for deb822 the " " is the delimiter, but the backend expects ","
+	 if (m->second.second == true)
+	    std::replace(option.begin(), option.end(), ' ', ',');
+	 Options[m->second.first] = option;
       }
 
    // now create one item per suite/section