From 1807632422255a743bbc27ca696d5030b4ad91e7 Mon Sep 17 00:00:00 2001
From: Marc Giger
Date: Thu, 6 Apr 2023 17:02:26 +0200
Subject: [PATCH] Fix inline gpg signature for InRelease file.
Debootstrap for example, fetches InRelease file, splits the signature and content part from it and verifies the signature by using detached signature verification. The following command is used by debootstrap to check the signature: 'gpgv --status-fd 1 --verbose --keyring --ignore-time-conflict Release.gpg Release' Note: The Release.gpg signature is the extracted signature from InRelease and Release is the signed content from InRelease and not the "normal" external Release.gpg signature / Release file provided from the repository.
---
 .../org/sonatype/nexus/repository/security/GpgUtils.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java b/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
index 2d74ba1e61..23d04eab45 100644
--- a/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
+++ b/components/nexus-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
@@ -181,9 +181,10 @@ public static byte[] signInline(final String input, final String secretKey, fina
 boolean firstLine = true;
 for (String line : lines) {
- String sigLine = (firstLine ? "" : "\r\n") + line.replaceAll("\\s*$", "");
+ String normalizedLine = line.replaceAll("\\s*$", "");
+ String sigLine = (firstLine ? "" : "\r\n") + normalizedLine;
 sigGenerator.update(sigLine.getBytes(UTF_8));
- aOut.write((line + "\n").getBytes(UTF_8));
+ aOut.write((normalizedLine + "\n").getBytes(UTF_8));
 firstLine = false;
 }
 aOut.endClearText();
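Review bot: The invariant this fix depends on, that the text passed to `aOut.write` is the same trailing-whitespace-stripped text fed to `sigGenerator.update`, is stated nowhere in the loop, and the patch touches only GpgUtils.java, so no test pins it. Above `String normalizedLine = ...` I would add `// Sign and emit the same normalized line: clients that split InRelease and verify it as a detached signature (gpgv) check the emitted text as written.` A regression test that signs input whose lines end in spaces or tabs, splits the result into body and signature, and verifies the pair as a detached signature would stop a later edit from reintroducing the mismatch, which surfaces downstream as a failed repository signature check. Two side effects belong in the Javadoc of `signInline`, whose body starts and ends outside this hunk: `\\s` in Java strips more than the space and tab that the OpenPGP cleartext rules name, and the returned cleartext is no longer byte-identical to `input`.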