[Rpm-maint] [rpm-software-management/rpm] Justus/openpgp fixes (PR #1813)

Justus Winter notifications at github.com
Fri Jan 21 17:07:42 UTC 2022


@teythoon commented on this pull request.



> @@ -503,6 +500,9 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 	case PGPSUBTYPE_REVOKE_REASON:
 	case PGPSUBTYPE_FEATURES:
 	case PGPSUBTYPE_EMBEDDED_SIG:
+	    pgpPrtHex("", p+1, plen-1);
+	    break;
+	case PGPSUBTYPE_NOTATION:

Before a OpenPGP certificate can be used, it has to be canonicalized.  Failure to do so properly leads to catastrophic failure of the protocol.  It is at the heart of every PGP implementation.  In Sequoia, this is roughly a fifth of the core library.

Among other things, you need to check that the signatures binding the cert's components to the primary key are valid.  Then, you need a way to reason about the certificate, e.g. given a policy and a time, which (sub)key is eligible to make signatures?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1813#discussion_r789846788
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/pull/1813/review/859816764 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220121/6a1704ee/attachment.html>


More information about the Rpm-maint mailing list