[Rpm-maint] [rpm-software-management/rpm] Require creation time to be unique and hashed (PR #1912)

Demi Marie Obenour notifications at github.com
Thu Feb 17 18:00:38 UTC 2022


@DemiMarie commented on this pull request.



> @@ -473,16 +473,15 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 	    for (i = 1; i < plen; i++)
 		pgpPrtVal(" ", pgpKeyServerPrefsTbl, p[i]);
 	    break;
-	case PGPSUBTYPE_SIG_CREATE_TIME:
+	case PGPSUBTYPE_SIG_CREATE_TIME:  /* signature creation time */
+	    if (plen-1 != sizeof(_digp->time))
+		break; /* other lengths not understood */
+	    if (_digp->saved & PGPDIG_SAVED_TIME)
+		return 1; /* duplicate timestamps not allowed */
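
Review bot: In the PGPSUBTYPE_SIG_CREATE_TIME case, the length check `if (plen-1 != sizeof(_digp->time)) break;` runs before the duplicate check, so a creation-time subpacket of an unexpected length is skipped without being counted. As far as these lines show, a signature carrying one wrong-length and one well-formed creation time would pass the uniqueness test. If creation time is meant to be unique, consider returning 1 for the wrong-length case too, or recording that a creation-time subpacket was seen before its length is checked. The duplicate test also depends on when PGPDIG_SAVED_TIME is cleared, which this hunk does not show; a comment stating whether the flag is scoped to one signature or to the whole parse would make the `return 1` easier to audit.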

> Oh, but that means that the pubkey parser will no longer return the creation time of the first signature, but instead that of the last signature. I.e. the release element of the created pubkey database entries will be different. This is a very visible change for no good reason. I think you should not try to repurpose the PGPDIG_SAVED_TIME flag for your uniqueness test but instead use a new flag which will be cleared after each signature.

v3 signatures do not respect PGPDIG_SAVED_TIME, but I will make them do so.

For context: if keys to be imported into RPM are always generated with GPG and exported from GPG with `--export-options export-minimal`, then the existing code does the right thing.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1912#discussion_r809315106

Message ID: <rpm-software-management/rpm/pull/1912/review/886337353 at github.com>