[Rpm-maint] [rpm-software-management/rpm] Distinguish between trusted and untrusted signatures and keys. (PR #1993)
nwalfield
notifications at github.com
Fri Apr 15 17:54:12 UTC 2022
@nwalfield commented on this pull request.
> @@ -1179,7 +1179,11 @@ rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx)
pgpDigAlg ka = key->alg;
if (sa && sa->verify) {
if (sa->verify(ka, sa, hash, hashlen, sig->hash_algo) == 0) {
- res = RPMRC_OK;
+ if ((key->saved & PGPDIG_UNTRUSTED) ||
+ (sig->saved & PGPDIG_UNTRUSTED))
+ res = RPMRC_NOTTRUSTED;
+ else
+ res = RPMRC_OK;
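Review bot: In the `sa->verify(...) == 0` branch, a signature that verifies cryptographically can now return RPMRC_NOTTRUSTED, so any caller of pgpVerifySignature() that tests the result with something other than an exact comparison against RPMRC_OK (for example `!= RPMRC_FAIL`) would need checking, and the function's documentation should list the new return value. The decision depends on a PGPDIG_UNTRUSTED bit in `key->saved` and `sig->saved`, but nothing in these lines says where that bit is set or that `saved` is meant to carry trust state; a short comment above the test would make the intent reviewable. As a style point, braces around both arms of the new inner if/else would keep the nesting unambiguous inside the existing braced block.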
I think the better approach is to just ignore the subkey if it appears to be revoked, i.e., drop this change.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1993#discussion_r851408900