
WIP: Allow Signed-By to be set via configuration file

David Kalnischkies requested to merge donkult/apt:wip/signedbyconf into main

I had talked about this a while back on IRC and dabbled in implementing it… but !32 (merged) made me unsure about using apt.conf for this – perhaps a new deb822-based file would make more sense… it would also allow more data to be present, as in, in which timeframe a key is supposed to sign a repository (e.g. for snapshots where sid of today and of 4 years ago is different – but then, the keys might not really be there anymore anyhow…) Not sure.

Not even sure about using Signed-By as fieldname to report back from our gpgv which keys signed the file, as that is already the name of the field sent to it.

Well, mostly passing around as-is to source some comments.

I would love to get this done for buster, but I guess I am slowly running out of time… at least the basic sanity-check I would like to get in, to catch/prevent reintroducing CVEs bypassing gpgv, so at least the fieldname should be decided on 😉

A simple example to play with I was using:

Acquire::Signed-By::"o=Debian*,n=stretch" "/usr/share/keyrings/debian-archive-keyring.gpg,067E3C456BAE240ACEE88F6FEF0F382A1A7B6500";
Acquire::Signed-By::"o=Debian*" "/usr/share/keyrings/debian-archive-keyring.gpg,16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC";

(Note that specifying a filename is legal, but kinda pointless as on your first run apt obviously doesn't know which line applies so the keys must be in trusted.gpg as well. Worse, if just a filename is given apt can't even check later as it doesn't know which file includes which keys)

Known Missing:

  • Version matching v=9* (pkgVersionMatch interferes)
  • Documentation
  • signed-by failure via gpgv is a warning, this after-check is an error… should be the same. Probably both errors.
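
The after-check discussed in this merge request, sketched as an added example; it is not code from the merge request or from apt. It assumes that `o=` and `n=` mean Origin and Codename as in apt_preferences(5), that the first matching configuration entry wins, and that gpgv reports the fingerprints of good signers as a list; `Release`, `SignedByConf`, `allowedFingerprints` and `afterCheck` are hypothetical names.

```cpp
#include <fnmatch.h>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

using Release = std::map<char, std::string>;   // assumed: 'o' = Origin, 'n' = Codename
using SignedByConf = std::vector<std::pair<std::string, std::string>>; // in config order

static std::vector<std::string> split(const std::string &s, char sep) {
    std::vector<std::string> out;
    std::stringstream ss(s);
    for (std::string item; std::getline(ss, item, sep);)
        if (!item.empty()) out.push_back(item);
    return out;
}
// True if every "k=glob" term of the pattern matches the corresponding field.
static bool matches(const std::string &pattern, const Release &rel) {
    for (const auto &term : split(pattern, ',')) {
        if (term.size() < 3 || term[1] != '=') return false;
        const auto field = rel.find(term[0]);
        if (field == rel.end() || fnmatch(term.c_str() + 2, field->second.c_str(), 0) != 0)
            return false;
    }
    return true;
}
// Fingerprints of the first matching entry (first-match-wins is an assumption).
// Filenames are skipped: apt cannot tell afterwards which keys a file contains.
std::set<std::string> allowedFingerprints(const SignedByConf &conf, const Release &rel) {
    std::set<std::string> fprs;
    for (const auto &entry : conf) {
        if (!matches(entry.first, rel)) continue;
        for (const auto &v : split(entry.second, ','))
            if (v[0] != '/') fprs.insert(v);
        break;
    }
    return fprs;
}
// After-check: with fingerprints configured, gpgv must report one of them as a good signer.
bool afterCheck(const SignedByConf &conf, const Release &rel,
                const std::vector<std::string> &goodSigners) {
    const auto allowed = allowedFingerprints(conf, rel);
    if (allowed.empty()) return true; // nothing checkable configured
    for (const auto &s : goodSigners)
        if (allowed.count(s)) return true;
    return false;
}
```

With the two configuration lines from the description, a Release with Origin `Debian` and Codename `stretch` passes only when `067E3C456BAE240ACEE88F6FEF0F382A1A7B6500` is among the reported signers; a signature by the key of the broader `o=Debian*` entry alone is rejected.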
