
Commit

Fix inline gpg signature for InRelease file. Debootstrap for example, fetches InRelease file, extracts the signature part from it and verifies this signature by hashing the Release file. The following command is used by debootstrap to check the signature:

'gpgv --status-fd 1 --verbose --keyring <path to keyring.gpg> --ignore-time-conflict Release.gpg Release'
Note: The Release.gpg signature is the extracted signature from InRelease and not the "normal" external Release.gpg signature provided from the repository.
kayuma committed Apr 2, 2023
1 parent baac7d7 commit c67f5b3
Showing 1 changed file with 4 additions and 8 deletions.
Expand Up @@ -175,17 +175,13 @@ public static byte[] signInline(final String input, final String secretKey, fina
sigGenerator.setHashedSubpackets(sigSubpacketGenerator.generate());
}

String[] lines = input.split("\r?\n");
try (ArmoredOutputStream aOut = new ArmoredOutputStream(buffer)) {
aOut.beginClearText(SHA256);

boolean firstLine = true;
for (String line : lines) {
String sigLine = (firstLine ? "" : "\r\n") + line.replaceAll("\\s*$", "");
sigGenerator.update(sigLine.getBytes(UTF_8));
aOut.write((line + "\n").getBytes(UTF_8));
firstLine = false;
}
sigGenerator.update(input.getBytes(UTF_8)); // the signature input must match bit for bit. No modifications are allowed here
aOut.write(input.getBytes(UTF_8));
aOut.write(10); // newline required between signed content and signature

aOut.endClearText();

sigGenerator.generate().encode(new BCPGOutputStream(aOut));
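
Review bot: `sigGenerator.update(input.getBytes(UTF_8))` now hashes the raw input, while the removed loop hashed each line with trailing whitespace stripped and `\r\n` between lines, which is the canonical form RFC 4880 section 7.1 describes for cleartext signatures. The hunk does not show the signature type, so it cannot be confirmed from here that a verifier processing the whole InRelease file as a cleartext message will hash the same bytes as the detached-style check from the commit message, in particular when `input` contains trailing spaces or tabs or CRLF line endings. Please add a test that verifies the output both ways, covering input with trailing whitespace and input with and without a final newline, since `aOut.write(10)` is unconditional. Smaller points: encode `input` once into a local `byte[]` and pass the same array to `update` and `write`, and write `'\n'` instead of `10`.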