[Rpm-maint] [rpm-software-management/rpm] Distinguish between trusted and untrusted signatures and keys. (PR #1993)

Demi Marie Obenour notifications at github.com
Thu Apr 14 14:57:11 UTC 2022


> > I suggest adding some debug logging in the subpacket parsing code to see which subpacket gets rejected.
> 
> [It's failing here](https://github.com/rpm-software-management/rpm/blob/7e10e0d3572b79a210b14c6b00da8e68af7d8c0f/rpmio/rpmpgp_internal.c#L329):
> 
> ```c
> 	    /* Reject duplicate key usage flags */
> 	    if (_digp->saved & PGPDIG_SIG_HAS_KEY_FLAGS)
> 		return 1;
> ```
> 
> HTH

If the signature actually has more than one key usage subpacket in the hashed section, this is expected behavior, but I would also consider that to be a very strange signature.  Otherwise, something has gone wrong somewhere.  Can you check if the flag gets reset properly between signatures?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1993#issuecomment-1099273048
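As an added example (not rpm's code, and not part of this thread), a simplified model of the per-signature "seen" bitmask that the quoted check reads from `_digp->saved`, showing why the reset question matters: a stale bit carried from one signature into the next makes a well-formed second signature fail at exactly the same line as a genuinely duplicated key-flags subpacket. The names `sigstate`, `parse_signature`, `second_signature_result`, the `SIG_HAS_KEY_FLAGS` constant and the byte inputs are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model (not rpm's code) of the per-signature
 * "seen" bitmask that rpmpgp_internal.c keeps in _digp->saved. */
#define SIG_HAS_KEY_FLAGS 0x1u
#define SUBPKT_KEY_FLAGS  27u   /* OpenPGP subpacket type: key flags */

struct sigstate { uint32_t saved; };   /* subpackets already seen in this signature */

/* Walk a hashed subpacket area encoded as [len][type][body...] with a
 * one-octet length (enough for this model). `reset` clears the per-
 * signature state first: whether that happens between signatures is the
 * question raised in the thread. Returns 0 on success, 1 on rejection. */
static int parse_signature(struct sigstate *s, const uint8_t *area,
                           size_t len, int reset)
{
    if (reset) s->saved = 0;
    for (size_t off = 0; off < len; off += 1 + area[off]) {
        size_t sublen = area[off];
        if (sublen < 1 || off + 1 + sublen > len)
            return 1;                         /* empty or truncated */
        if (area[off + 1] != SUBPKT_KEY_FLAGS)
            continue;                         /* other types ignored here */
        if (sublen < 2) return 1;             /* key flags need a body */
        /* Reject duplicate key usage flags within the same signature */
        if (s->saved & SIG_HAS_KEY_FLAGS) return 1;
        s->saved |= SIG_HAS_KEY_FLAGS;
    }
    return 0;
}

/* Constructed inputs: one key-flags subpacket each (0x02 = sign-capable) */
static const uint8_t sig_a[] = { 2, SUBPKT_KEY_FLAGS, 0x02 };
static const uint8_t sig_b[] = { 2, SUBPKT_KEY_FLAGS, 0x02 };
/* Two key-flags subpackets in one hashed area: genuinely malformed */
static const uint8_t sig_dup[] = { 2, SUBPKT_KEY_FLAGS, 0x02,
                                   2, SUBPKT_KEY_FLAGS, 0x02 };

/* Parse sig_a then sig_b through the same state; return the second result.
 * With reset_between == 0 the stale flag rejects a well-formed signature. */
static int second_signature_result(int reset_between)
{
    struct sigstate s = { 0 };
    if (parse_signature(&s, sig_a, sizeof sig_a, 1)) return -1;
    return parse_signature(&s, sig_b, sizeof sig_b, reset_between);
}
```

Parsing `sig_dup` on its own is rejected regardless of the reset, which is the expected behaviour the reply describes; only the cross-signature case depends on the state being cleared.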