implement Signed-By option for sources.list

Limits which key(s) can be used to sign a repository. Not immensely useful
from a security perspective all by itself, but if the user has
additional measures in place to confine a repository (like pinning) an
attacker who gets the key for such a repository is limited to its
potential and can't use the key to sign its attacks for an other (maybe
less limited) repository… (yes, this is as weak as it sounds, but having
the capability might come in handy for implementing other stuff later).

9 files changed, 91 insertions, 19 deletions

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index a30a5d154..01a679fe0 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -808,7 +808,6 @@ string pkgAcqMetaBase::Custom600Headers() const
    Header += MaximumSize;
 
    string const FinalFile = GetFinalFilename();
-
    struct stat Buf;
    if (stat(FinalFile.c_str(),&Buf) == 0)
       Header += "\nLast-Modified: " + TimeRFC1123(Buf.st_mtime);
@@ -1132,6 +1131,10 @@ string pkgAcqMetaClearSig::Custom600Headers() const
 {
    string Header = pkgAcqMetaBase::Custom600Headers();
    Header += "\nFail-Ignore: true";
+   std::string const key = TransactionManager->MetaIndexParser->GetSignedBy();
+   if (key.empty() == false)
+      Header += "\nSigned-By: " + key;
+
    return Header;
 }
 									/*}}}*/
@@ -1374,6 +1377,16 @@ pkgAcqMetaSig::~pkgAcqMetaSig()						/*{{{*/
 {
 }
 									/*}}}*/
+// pkgAcqMetaSig::Custom600Headers - Insert custom request headers	/*{{{*/
+std::string pkgAcqMetaSig::Custom600Headers() const
+{
+   std::string Header = pkgAcqTransactionItem::Custom600Headers();
+   std::string const key = TransactionManager->MetaIndexParser->GetSignedBy();
+   if (key.empty() == false)
+      Header += "\nSigned-By: " + key;
+   return Header;
+}
+									/*}}}*/
 // AcqMetaSig::Done - The signature was downloaded/verified		/*{{{*/
 void pkgAcqMetaSig::Done(string const &Message, HashStringList const &Hashes,
 			 pkgAcquire::MethodConfig const * const Cfg)
diff --git a/apt-pkg/acquire-item.h b/apt-pkg/acquire-item.h
index 10ece76c9..1cd2a6d03 100644
--- a/apt-pkg/acquire-item.h
+++ b/apt-pkg/acquire-item.h
@@ -541,6 +541,7 @@ class APT_HIDDEN pkgAcqMetaSig : public pkgAcqTransactionItem
    virtual void Failed(std::string const &Message,pkgAcquire::MethodConfig const * const Cnf);
    virtual void Done(std::string const &Message, HashStringList const &Hashes,
 		     pkgAcquire::MethodConfig const * const Cnf);
+   virtual std::string Custom600Headers() const;
 
    /** \brief Create a new pkgAcqMetaSig. */
    pkgAcqMetaSig(pkgAcquire * const Owner, pkgAcqMetaClearSig * const TransactionManager,
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index a01e319eb..ef84da0d8 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -16,6 +16,8 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <stddef.h>
+
+#include <algorithm>
 #include <iostream>
 #include <string>
 #include <vector>
@@ -42,7 +44,7 @@ static char * GenerateTemporaryFileTemplate(const char *basename)	/*{{{*/
    of the lifting in regards to merging keyrings. Fun for the whole family.
 */
 void ExecGPGV(std::string const &File, std::string const &FileGPG,
-             int const &statusfd, int fd[2])
+             int const &statusfd, int fd[2], std::string const &key)
 {
    #define EINTERNAL 111
    std::string const aptkey = _config->FindFile("Dir::Bin::apt-key", "/usr/bin/apt-key");
@@ -55,6 +57,19 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
    Args.push_back(aptkey.c_str());
    Args.push_back("--quiet");
    Args.push_back("--readonly");
+   if (key.empty() == false)
+   {
+      if (key[0] == '/')
+      {
+	 Args.push_back("--keyring");
+	 Args.push_back(key.c_str());
+      }
+      else
+      {
+	 Args.push_back("--keyid");
+	 Args.push_back(key.c_str());
+      }
+   }
    Args.push_back("verify");
 
    char statusfdstr[10];
diff --git a/apt-pkg/contrib/gpgv.h b/apt-pkg/contrib/gpgv.h
index f018893fd..2a4cdad72 100644
--- a/apt-pkg/contrib/gpgv.h
+++ b/apt-pkg/contrib/gpgv.h
@@ -38,9 +38,12 @@ class FileFd;
  *
  * @param File is the message (unsigned or clear-signed)
  * @param FileSig is the signature (detached or clear-signed)
+ * @param statusfd is the fd given to gpgv as --status-fd
+ * @param fd is used as a pipe for the standard output of gpgv
+ * @param key is the specific one to be used instead of using all
  */
 void ExecGPGV(std::string const &File, std::string const &FileSig,
-      int const &statusfd, int fd[2]) APT_NORETURN;
+      int const &statusfd, int fd[2], std::string const &Key = "") APT_NORETURN;
 inline APT_NORETURN void ExecGPGV(std::string const &File, std::string const &FileSig,
       int const &statusfd = -1) {
    int fd[2];
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 5d7e539c7..4bb03a942 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -462,6 +462,29 @@ bool debReleaseIndex::SetValidUntilMax(time_t const Valid)
       return _error->Error(_("Conflicting values set for option %s concerning source %s %s"), "Max-ValidTime", URI.c_str(), Dist.c_str());
    return true;
 }
+bool debReleaseIndex::SetSignedBy(std::string const &pSignedBy)
+{
+   if (SignedBy.empty() == true && pSignedBy.empty() == false)
+   {
+      if (pSignedBy[0] == '/') // no check for existence as we could be chrooting later or such things
+	 ; // absolute path to a keyring file
+      else
+      {
+	 // we could go all fancy and allow short/long/string matches as gpgv/apt-key does,
+	 // but fingerprints are harder to fake than the others and this option is set once,
+	 // not interactively all the time so easy to type is not really a concern.
+	 std::string finger = pSignedBy;
+	 finger.erase(std::remove(finger.begin(), finger.end(), ' '), finger.end());
+	 std::transform(finger.begin(), finger.end(), finger.begin(), ::toupper);
+	 if (finger.length() != 40 || finger.find_first_not_of("0123456789ABCDEF") != std::string::npos)
+	    return _error->Error(_("Invalid value set for option %s concerning source %s %s (%s)"), "Signed-By", URI.c_str(), Dist.c_str(), "not a fingerprint");
+      }
+      SignedBy = pSignedBy;
+   }
+   else if (SignedBy != pSignedBy)
+      return _error->Error(_("Conflicting values set for option %s concerning source %s %s"), "Signed-By", URI.c_str(), Dist.c_str());
+   return true;
+}
 									/*}}}*/
 // ReleaseIndex::IsTrusted						/*{{{*/
 bool debReleaseIndex::IsTrusted() const
@@ -706,6 +729,18 @@ class APT_HIDDEN debSLTypeDebian : public pkgSourceList::Type		/*{{{*/
 	 Deb->SetValidUntilMin(GetTimeOption(Options, "valid-until-min")) == false)
 	 return false;
 
+      std::map<std::string, std::string>::const_iterator const signedby = Options.find("signed-by");
+      if (signedby == Options.end())
+      {
+	 if (Deb->SetSignedBy("") == false)
+	    return false;
+      }
+      else
+      {
+	 if (Deb->SetSignedBy(signedby->second) == false)
+	    return false;
+      }
+
       return true;
    }
 
diff --git a/apt-pkg/deb/debmetaindex.h b/apt-pkg/deb/debmetaindex.h
index 879eb3bfc..bf5b7c1ce 100644
--- a/apt-pkg/deb/debmetaindex.h
+++ b/apt-pkg/deb/debmetaindex.h
@@ -56,6 +56,7 @@ class APT_HIDDEN debReleaseIndex : public metaIndex
    bool SetCheckValidUntil(TriState const Trusted);
    bool SetValidUntilMin(time_t const Valid);
    bool SetValidUntilMax(time_t const Valid);
+   bool SetSignedBy(std::string const &SignedBy);
 
    virtual bool IsTrusted() const;
 
diff --git a/apt-pkg/metaindex.cc b/apt-pkg/metaindex.cc
index 8bd13bb18..baf695f16 100644
--- a/apt-pkg/metaindex.cc
+++ b/apt-pkg/metaindex.cc
@@ -27,8 +27,7 @@ bool metaIndex::Merge(pkgCacheGenerator &Gen,OpProgress *) const
 metaIndex::metaIndex(std::string const &URI, std::string const &Dist,
       char const * const Type)
 : d(NULL), Indexes(NULL), Type(Type), URI(URI), Dist(Dist), Trusted(TRI_UNSET),
-   LoadedSuccessfully(TRI_UNSET),
-   Date(0), ValidUntil(0), SupportsAcquireByHash(false)
+   Date(0), ValidUntil(0), SupportsAcquireByHash(false), LoadedSuccessfully(TRI_UNSET)
 {
    /* nothing */
 }
@@ -48,6 +47,7 @@ APT_PURE std::string metaIndex::GetURI() const { return URI; }
 APT_PURE std::string metaIndex::GetDist() const { return Dist; }
 APT_PURE const char* metaIndex::GetType() const { return Type; }
 APT_PURE metaIndex::TriState metaIndex::GetTrusted() const { return Trusted; }
+APT_PURE std::string metaIndex::GetSignedBy() const { return SignedBy; }
 APT_PURE std::string metaIndex::GetCodename() const { return Codename; }
 APT_PURE std::string metaIndex::GetSuite() const { return Suite; }
 APT_PURE bool metaIndex::GetSupportsAcquireByHash() const { return SupportsAcquireByHash; }
diff --git a/apt-pkg/metaindex.h b/apt-pkg/metaindex.h
index 5be7397ae..d284655bf 100644
--- a/apt-pkg/metaindex.h
+++ b/apt-pkg/metaindex.h
@@ -52,7 +52,7 @@ protected:
    std::string URI;
    std::string Dist;
    TriState Trusted;
-   TriState LoadedSuccessfully;
+   std::string SignedBy;
 
    // parsed from a file
    std::string Suite;
@@ -61,6 +61,7 @@ protected:
    time_t ValidUntil;
    bool SupportsAcquireByHash;
    std::map<std::string, checkSum *> Entries;
+   TriState LoadedSuccessfully;
 
 public:
    // Various accessors
@@ -68,6 +69,7 @@ public:
    std::string GetDist() const;
    const char* GetType() const;
    TriState GetTrusted() const;
+   std::string GetSignedBy() const;
 
    std::string GetCodename() const;
    std::string GetSuite() const;
diff --git a/apt-pkg/sourcelist.cc b/apt-pkg/sourcelist.cc
index 0d65558ed..eef0ee709 100644
--- a/apt-pkg/sourcelist.cc
+++ b/apt-pkg/sourcelist.cc
@@ -93,27 +93,29 @@ bool pkgSourceList::Type::ParseStanza(vector<metaIndex *> &List,	/*{{{*/
    if (Enabled.empty() == false && StringToBool(Enabled) == false)
       return true;
 
-   std::map<char const * const, char const * const> mapping;
+   std::map<char const * const, std::pair<char const * const, bool> > mapping;
 #define APT_PLUSMINUS(X, Y) \
-   mapping.insert(std::make_pair(X, Y)); \
-   mapping.insert(std::make_pair(X "Add", Y "+")); \
-   mapping.insert(std::make_pair(X "Remove", Y "-"))
+   mapping.insert(std::make_pair(X, std::make_pair(Y, true))); \
+   mapping.insert(std::make_pair(X "Add", std::make_pair(Y "+", true))); \
+   mapping.insert(std::make_pair(X "Remove", std::make_pair(Y "-", true)))
    APT_PLUSMINUS("Architectures", "arch");
    APT_PLUSMINUS("Languages", "lang");
    APT_PLUSMINUS("Targets", "target");
 #undef APT_PLUSMINUS
-   mapping.insert(std::make_pair("Trusted", "trusted"));
-   mapping.insert(std::make_pair("Check-Valid-Until", "check-valid-until"));
-   mapping.insert(std::make_pair("Valid-Until-Min", "valid-until-min"));
-   mapping.insert(std::make_pair("Valid-Until-Max", "valid-until-max"));
+   mapping.insert(std::make_pair("Trusted", std::make_pair("trusted", false)));
+   mapping.insert(std::make_pair("Check-Valid-Until", std::make_pair("check-valid-until", false)));
+   mapping.insert(std::make_pair("Valid-Until-Min", std::make_pair("valid-until-min", false)));
+   mapping.insert(std::make_pair("Valid-Until-Max", std::make_pair("valid-until-max", false)));
+   mapping.insert(std::make_pair("Signed-By", std::make_pair("signed-by", false)));
 
-   for (std::map<char const * const, char const * const>::const_iterator m = mapping.begin(); m != mapping.end(); ++m)
+   for (std::map<char const * const, std::pair<char const * const, bool> >::const_iterator m = mapping.begin(); m != mapping.end(); ++m)
       if (Tags.Exists(m->first))
       {
-         // for deb822 the " " is the delimiter, but the backend expects ","
-         std::string option = Tags.FindS(m->first);
-         std::replace(option.begin(), option.end(), ' ', ',');
-         Options[m->second] = option;
+	 std::string option = Tags.FindS(m->first);
+	 // for deb822 the " " is the delimiter, but the backend expects ","
+	 if (m->second.second == true)
+	    std::replace(option.begin(), option.end(), ' ', ',');
+	 Options[m->second.first] = option;
       }
 
    // now create one item per suite/section