David was kind enough to provide a patch for this bug.
Apt will now ensure that the InRelease file starts with a "-----BEGIN PGP SIGNED MESSAGE-----" header.
Apt already discards everything after the second ^---- line in an InRelease file. So this ensures that only the part between
header line and tail is used. The way I read RFC 2440 is that we can be sure that gpgv checks this message. This still allows adding
junk after the tail pgp lines, but that does not matter as apt discards it. Ideally we would use gpg --output, but unfortunately gpgv does not provide this option.
Alternatively we could simply disable InRelease entirely in natty (it's not used currently by Ubuntu).
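The structural check described in the comment above, written out as an added example that is not apt's code or David's patch: the file must begin with the clearsign header, only the text between the armor headers and the signature block is treated as signed, and anything after the END PGP SIGNATURE line is discarded. The sample InRelease file, its field names and the signature bytes are constructed placeholders, and the signature itself is not verified here (that remains gpgv's job); the point is to reject leading junk that a signature verifier would otherwise silently skip over.

```python
# Added example: structural validation of a clearsigned InRelease file,
# following the RFC 2440/4880 clearsign layout. Not apt's implementation.

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(data: str):
    """Return (signed_text, signature_block) or raise ValueError.

    - The very first line must be the clearsign header; any bytes before it
      are rejected rather than ignored.
    - Armor headers (e.g. "Hash: SHA256") run up to the first blank line.
    - Only the lines between that blank line and BEGIN PGP SIGNATURE are the
      signed text (dash-escaping per RFC 2440 section 7.1 is undone).
    - Everything after END PGP SIGNATURE is trailing junk and is discarded.
    """
    lines = data.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("file does not start with the clearsign header")
    try:
        blank = lines.index("", 1)
    except ValueError:
        raise ValueError("missing blank line after armor headers")
    try:
        sig_start = lines.index(BEGIN_SIG, blank + 1)
    except ValueError:
        raise ValueError("missing BEGIN PGP SIGNATURE line")
    try:
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError:
        raise ValueError("missing END PGP SIGNATURE line")

    body = lines[blank + 1:sig_start]
    # Undo dash-escaping: a signed line that began with "-" was written as "- -...".
    body = [line[2:] if line.startswith("- ") else line for line in body]
    signature = lines[sig_start:sig_end + 1]
    # lines[sig_end + 1:] would be junk after the tail; it is deliberately dropped.
    return "\n".join(body), "\n".join(signature)


def is_well_formed(data: str) -> bool:
    """True if the file has the expected clearsign structure, else False."""
    try:
        split_clearsigned(data)
        return True
    except ValueError:
        return False


# Constructed sample; the signature block is a placeholder, not a real signature.
SAMPLE_INRELEASE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA256",
    "",
    "Origin: Example",
    "Suite: natty",
    "- -- a signed line that originally started with a dash",
    BEGIN_SIG,
    "",
    "iQEcBAEBCAAGBQJPLACEHOLDER=",
    END_SIG,
    "junk appended after the tail",
])

if __name__ == "__main__":
    text, sig = split_clearsigned(SAMPLE_INRELEASE)
    print("signed text:")
    print(text)
    print("leading junk accepted:", is_well_formed("junk\n" + SAMPLE_INRELEASE))
```

A file with anything before the header line fails the check outright, while junk after the END PGP SIGNATURE line is simply dropped, which matches the behaviour the comment describes: the header check is the new part, the tail truncation is what apt already did.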