From c67f5b3a1419935b5dbb0f5a53d840ddcb6c476e Mon Sep 17 00:00:00 2001
From: Marc Giger
Date: Sun, 2 Apr 2023 15:36:25 +0200
Subject: [PATCH] Fix inline gpg signature for InRelease file. Debootstrap for example, fetches InRelease file, extracts the signature part from it and verifies this signature by hashing the Release file. The following command is used by debootstrap to check the signature: 'gpgv --status-fd 1 --verbose --keyring --ignore-time-conflict Release.gpg Release' Note: The Release.gpg signature is the extracted signature from InRelease and not the "normal" external Release.gpg signature provided from the repository.
---
 .../sonatype/nexus/repository/security/GpgUtils.java | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java b/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
index 2d74ba1e61..333edf7aa4 100644
--- a/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
+++ b/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
@@ -175,17 +175,13 @@ public static byte[] signInline(final String input, final String secretKey, fina
       sigGenerator.setHashedSubpackets(sigSubpacketGenerator.generate());
     }
-    String[] lines = input.split("\r?\n");
     try (ArmoredOutputStream aOut = new ArmoredOutputStream(buffer)) {
       aOut.beginClearText(SHA256);
-      boolean firstLine = true;
-      for (String line : lines) {
-        String sigLine = (firstLine ? "" : "\r\n") + line.replaceAll("\\s*$", "");
-        sigGenerator.update(sigLine.getBytes(UTF_8));
-        aOut.write((line + "\n").getBytes(UTF_8));
-        firstLine = false;
-      }
+      sigGenerator.update(input.getBytes(UTF_8)); // the signature input must match bit for bit. No modifications are allowed here
+      aOut.write(input.getBytes(UTF_8));
+      aOut.write(10); // newline required between signed content and signature
+      aOut.endClearText();
       sigGenerator.generate().encode(new BCPGOutputStream(aOut));