[Rpm-maint] [rpm-software-management/rpm] Handle revocation (PR #2027)
Demi Marie Obenour
notifications at github.com
Sat Apr 16 16:30:09 UTC 2022
> > > * Added my tests in place of @DemiMarie's, which used certificates that will expire in two years.
> >
> >
> > FYI, some of my tests cover very specific corner cases, such as packets in non-standard orders. Earlier versions of my patch, as well as current RPM, mishandled subkey revocation signatures after subkey binding signatures. Therefore might be better to just change the expiration dates. Secret keys should also be included, so anyone could do that.
>
> If the packets are in non-standard order, then changing the expiration time will cause the certificate to be canonicalized on export. When I look at the packets, they seem to be in standard order:
>
> ```
> $ sq packet dump first-signing-key-revoked.asc | grep -E 'Packet,|Type:'
> Public-Key Packet, old CTB, 51 bytes
> User ID Packet, old CTB, 39 bytes
> Signature Packet, old CTB, 154 bytes
> Type: PositiveCertification
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 171 bytes
> Type: SubkeyRevocation
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> $ sq packet dump rpm.org-ed25519-subkey-test.pub | grep -E 'Packet,|Type:'
> Public-Key Packet, old CTB, 51 bytes
> User ID Packet, old CTB, 121 bytes
> Signature Packet, old CTB, 148 bytes
> Type: PositiveCertification
> Public-Subkey Packet, old CTB, 56 bytes
> Signature Packet, old CTB, 182 bytes
> Type: SubkeyRevocation
> Signature Packet, old CTB, 120 bytes
> Type: SubkeyBinding
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 148 bytes
> Type: SubkeyRevocation
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> Public-Subkey Packet, old CTB, 397 bytes
> Signature Packet, old CTB, 120 bytes
> Type: SubkeyBinding
> $ sq packet dump rpm.org-ed25519-subkey-2-test.pub | grep -E 'Packet,|Type:'
> Public-Key Packet, old CTB, 51 bytes
> User ID Packet, old CTB, 121 bytes
> Signature Packet, old CTB, 154 bytes
> Type: PositiveCertification
> Public-Subkey Packet, old CTB, 56 bytes
> Signature Packet, old CTB, 182 bytes
> Type: SubkeyRevocation
> Signature Packet, old CTB, 120 bytes
> Type: SubkeyBinding
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> Public-Subkey Packet, old CTB, 51 bytes
> Signature Packet, old CTB, 148 bytes
> Type: SubkeyRevocation
> Signature Packet, old CTB, 239 bytes
> Type: SubkeyBinding
> Type: PrimaryKeyBinding
> Public-Subkey Packet, old CTB, 397 bytes
> Signature Packet, old CTB, 120 bytes
> Type: SubkeyBinding
> ```
>
> What were you trying to test exactly?
If I recall correctly, I was trying to test a revocation signature after a binding signature, and various orders of revoked and unrevoked signing-capable subkeys. I was also trying to tests subkeys that cannot sign. Subkeys without binding signatures also need to be tested.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/2027#issuecomment-1100701493
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/2027/c1100701493 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220416/a75b22a6/attachment.html>
More information about the Rpm-maint
mailing list