Fix inline gpg signature for InRelease file. Debootstrap for example,…

… fetches InRelease file, splits the signature and content part from it and verifies the signature by using detached signature verification. The following command is used by debootstrap to check the signature: 'gpgv --status-fd 1 --verbose --keyring <path to keyring.gpg> --ignore-time-conflict Release.gpg Release' Note: The Release.gpg signature is the extracted signature from InRelease and Release is the signed content from InRelease and not the "normal" external Release.gpg signature / Release file provided from the repository.
sonatype · Apr 6, 2023 · 1807632 · 1807632
1 parent baac7d7
commit 1807632
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/...us-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java b/...us-repository-services/src/main/java/org/sonatype/nexus/repository/security/GpgUtils.java
@@ -181,9 +181,10 @@ public static byte[] signInline(final String input, final String secretKey, fina
 
         boolean firstLine = true;
         for (String line : lines) {
-          String sigLine = (firstLine ? "" : "\r\n") + line.replaceAll("\\s*$", "");
+          String normalizedLine = line.replaceAll("\\s*$", "");
+          String sigLine = (firstLine ? "" : "\r\n") + normalizedLine;
           sigGenerator.update(sigLine.getBytes(UTF_8));
-          aOut.write((line + "\n").getBytes(UTF_8));
+          aOut.write((normalizedLine + "\n").getBytes(UTF_8));
           firstLine = false;
         }
         aOut.endClearText();