[Rpm-maint] [rpm-software-management/rpm] Require creation time to be unique and hashed (PR #1912)

Demi Marie Obenour notifications at github.com
Mon Feb 21 16:36:26 UTC 2022


@DemiMarie commented on this pull request.



>  	    impl = *p;
-	    if (!(_digp->saved & PGPDIG_SAVED_TIME) &&
-		(sigtype == PGPSIGTYPE_POSITIVE_CERT || sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT || sigtype == PGPSIGTYPE_STANDALONE))
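Review bot: the removed condition `!(_digp->saved & PGPDIG_SAVED_TIME)` was the only guard in this hunk against a second creation-time subpacket overwriting the one already saved, and the removed `sigtype` clause was what limited the check to positive-cert, binary, text and standalone signatures. Since the PR's stated goal is a creation time that is unique and hashed, the replacement logic (not shown in this hunk) should reject a duplicate subpacket outright rather than silently keep either copy, reject one that only appears in the unhashed area, and either keep the same signature-type restriction or explain why it is no longer needed.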

@teythoon _All_ of your criticisms are valid.  Fixing RPM’s implementation is a _massive_ amount of work, though.  So I am trying to do the best I can in my spare time.

Right now, for example, I am not even sure where RPM should _store_ revocation information.  In the rpmdb?  In the filesystem somewhere?

> > > * the subkey is marked as signing-capable?
> > 
> > RPM does not know either of these. I actually consider this to be a security vulnerability, but I do not know if upstream does. In any case there is no point in an embargo since this is already public.
> 
> It is a security vulnerability, but upstream disagrees.

Have you made a report to <secalert at redhat.com>?

> I have written the most comprehensive OpenPGP test suite ever created that found countless bugs across multiple implementations.

Is this test suite open source?  I would like to use it to test rpm-oxide’s signature parsing code.

> `gpgv` canonicalizes certificates. Not doing so is unsafe. Saying RPM implements a subset of that is like saying `/bin/true` implements a subset of `gpgv`.

Is there a specification for certificate canonicalization anywhere?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1912#discussion_r811291201

Message ID: <rpm-software-management/rpm/pull/1912/review/888911294 at github.com>