vincent/aptly
1
0
Fork 0
mirror of https://github.com/aptly-dev/aptly.git synced 2026-06-09 06:04:12 +00:00
Code Issues Projects Releases Wiki Activity

InRelease file: support Signed-By field

Browse Source 
https://wiki.debian.org/DebianRepository/Format#Signed-By says:
> **Signed-By**
> An optional field containing a comma separated list of
> OpenPGP key fingerprints to be used for validating
> the next Release file. The fingerprints must consist
> only of hex digits and may not contain spaces.
> The fingerprint specifies either the key the Release file
> must be signed with or the key the signature key must be
> a subkey of. The later match can be disabled by appending
> an exclamation mark to the fingerprint.
>
> If the field is present, a client should only accept future updates
> to the repository that are signed with keys listed in the field.
> The field should be ignored if the Valid-Until field is not present
> or if it is expired.

For both the CLI tools and JSON, the field is taken as a string verbatim.

When specified, we must also provide `Valid-Until` field,
and i'm not sure there is an 'infinity' value for it,
so 100 years will have to do?

Fixes https://github.com/aptly-dev/aptly/issues/1497
This commit is contained in:
Roman Lebedev
2025-12-29 23:15:40 +03:00
parent 836d9f3b8b
commit a4cc9211d6
25 changed files with 569 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
system/t06_publish/switch.py
+21 -1
View File
@@ -5,7 +5,7 @@ from lib import BaseTest
def strip_processor(output):
return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:')])
return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])
class PublishSwitch1Test(BaseTest):
@@ -603,3 +603,23 @@ class PublishSwitch16Test(BaseTest):
self.check_exists('public/dists/bookworm/main/binary-amd64/Packages.gz')
self.check_exists('public/pool/bookworm/main/g/gnuplot/gnuplot-x11_4.6.1-1~maverick2_amd64.deb')
class PublishSwitch17Test(BaseTest):
"""
publish switch: signed-by
"""
fixtureDB = True
fixturePool = True
fixtureCmds = [
"aptly snapshot create snap1 from mirror gnuplot-maverick",
"aptly snapshot create snap2 from mirror gnuplot-maverick",
"aptly publish snapshot -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -distribution=maverick snap1",
]
runCmd = "aptly publish switch -keyring=${files}/aptly.pub -secret-keyring=${files}/aptly.sec -signed-by=a,string maverick snap2"
gold_processor = BaseTest.expand_environ
def check(self):
super(PublishSwitch17Test, self).check()
self.check_file_contents('public/dists/maverick/Release', 'release', match_prepare=strip_processor)