[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
Demi Marie Obenour
notifications at github.com
Wed Mar 31 18:11:41 UTC 2021
> Well, it seems it would be helpful to have some advice here. In my local setup, the packet analysis code detects the following,
> in that order:
>
> ```
> PGPTAG_PUBLIC_KEY ; [1] public key id saved
>
> PGPTAG_SIGNATURE
> <unknown 33>
> PGPSUBTYPE_SIG_CREATE_TIME
> PGPSUBTYPE_REVOKE_REASON ; [2] revoke reason
> PGPSUBTYPE_ISSUER_KEYID ; [3] key id match saved at [1]
>
> PGPTAG_USER_ID
>
> PGPTAG_SIGNATURE
> <unknown 33>
> PGPSUBTYPE_SIG_CREATE_TIME
> PGPSUBTYPE_KEY_FLAGS
> PGPSUBTYPE_KEY_EXPIRE_TIME
> PGPSUBTYPE_PREFER_SYMKEY
> PGPSUBTYPE_PREFER_HASH
> PGPSUBTYPE_PREFER_COMPRESS
> PGPSUBTYPE_FEATURES
> PGPSUBTYPE_KEYSERVER_PREFERS
> PGPSUBTYPE_ISSUER_KEYID ; key id match saved at [1]
>
> PGPTAG_USER_ID
>
> PGPTAG_SIGNATURE
> <unknown 33>
> PGPSUBTYPE_SIG_CREATE_TIME
> PGPSUBTYPE_KEY_FLAGS
> PGPSUBTYPE_KEY_EXPIRE_TIME
> PGPSUBTYPE_PREFER_SYMKEY
> PGPSUBTYPE_PREFER_HASH
> PGPSUBTYPE_PREFER_COMPRESS
> PGPSUBTYPE_FEATURES
> PGPSUBTYPE_KEYSERVER_PREFERS
> PGPSUBTYPE_ISSUER_KEYID ; key id match saved at [1]
>
> PGPTAG_PUBLIC_SUBKEY ; subkey saved for later analysis
>
> PGPTAG_SIGNATURE
> <unknown 33>
> PGPSUBTYPE_SIG_CREATE_TIME
> PGPSUBTYPE_KEY_FLAGS
> PGPSUBTYPE_KEY_EXPIRE_TIME
> PGPSUBTYPE_ISSUER_KEYID ; key id match saved at [1]
> PGPSUBTYPE_EMBEDDED_SIG
>
> PGPTAG_SIGNATURE
> <unknown 33>
> PGPSUBTYPE_SIG_CREATE_TIME
> PGPSUBTYPE_SIGNER_USERID
> PGPSUBTYPE_ISSUER_KEYID ; key id match saved at [1]
> ```
>
> So, if [2] is detected and key id at [3] matches key id saved at [1], can I assume that the key (and so all subkeys) is revoked?

Only if [2] is a valid signature of [1].
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-811300496
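
The condition in the reply above, as an added example (not code from rpm or from anyone in this thread): a revocation packet counts only if its signature verifies over the key, because the issuer key ID is a field anyone can copy into a packet. The toy RSA key built from two Mersenne primes, the dict layout for a parsed signature, and all sample values are assumptions constructed for the demo.

```python
import hashlib
import struct

# Constructed toy RSA key built from two Mersenne primes: demo only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                      # modulus size in bytes
SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")
KEY_REVOCATION = 0x20                              # signature type, RFC 4880 5.2.1

def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# v4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e.
KEY_BODY = b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + mpi(N) + mpi(E)
KEY_FRAME = b"\x99" + struct.pack(">H", len(KEY_BODY)) + KEY_BODY
KEY_ID = hashlib.sha1(KEY_FRAME).digest()[-8:]     # low 64 bits of the v4 fingerprint

def padded_digest(hashed_subpackets):
    """EMSA-PKCS1-v1_5 block for a v4 key revocation over KEY_BODY (RFC 4880 5.2.4)."""
    # version 4, signature type, pubkey algo 1 (RSA), hash algo 8 (SHA-256)
    hashed = (bytes([4, KEY_REVOCATION, 1, 8])
              + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    t = SHA256_DER + hashlib.sha256(KEY_FRAME + hashed + trailer).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def key_is_revoked(sig):
    """sig: dict modelling a parsed signature packet (hypothetical layout)."""
    if sig["type"] != KEY_REVOCATION or sig["issuer"] != KEY_ID:
        return False                               # not a revocation of this key
    # The step the key ID comparison cannot replace: verify the signature itself.
    return pow(sig["mpi"], E, N).to_bytes(K, "big") == padded_digest(sig["hashed"])

# Constructed subpackets: creation time (type 2), revocation reason (type 29, code 1).
HASHED = b"\x05\x02" + struct.pack(">I", 1617000000) + b"\x02\x1d\x01"
GENUINE = {"type": KEY_REVOCATION, "issuer": KEY_ID, "hashed": HASHED,
           "mpi": pow(int.from_bytes(padded_digest(HASHED), "big"), D, N)}
# Same tags and the same issuer key ID, but not produced with the private key.
UNSIGNED = dict(GENUINE, mpi=0x1234)

if __name__ == "__main__":
    print("genuine revocation accepted:", key_is_revoked(GENUINE))
    print("look-alike packet accepted:", key_is_revoked(UNSIGNED))
```

The same check rejects a packet whose hashed subpackets were altered after signing, since the digest covers them together with the key.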