[Rpm-maint] [rpm-software-management/rpm] PGP key identifiers use binding signature's creation time, not certificate creation time (Issue #2004)
Neal H. Walfield
notifications at github.com
Fri Apr 5 10:50:44 UTC 2024
> I know that. It does not need to be 100% correct (it obviously can't). The use case is to have a different release when the expire time of a key is extended.

In your model, do you think the user should authenticate the whole certificate? That seems implausible in practice. In OpenPGP, the usual way to authenticate a certificate is to authenticate the fingerprint, and then use the binding signatures to authenticate the various components.

Also, I think your proposed heuristic introduces an attack vector. AIUI, an attacker would be able to provide a user with a subset of the certificate, and rpm won't import a more complete version as long as there are no newer components or signatures, which could result in a DoS.

> And you should certainly not ask a keyserver for keys you want to import into the rpm database.

You certainly should. It is problematic to *not* check for updates on public directories. For instance, I want to promptly know about revocations.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2004#issuecomment-2039486831
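
A small model of the concern raised in this message, added here as an illustration and not code from rpm or from the thread. It assumes the heuristic compares only the newest binding-signature creation time; the `Component` type, all function names and all timestamps are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    kind: str      # "primary", "subkey", "userid"
    ident: str     # constructed label, not a real key id
    created: int   # creation time of the binding signature (epoch seconds)

def newest(cert):
    """Latest binding-signature creation time in a certificate (a set of Components)."""
    return max(c.created for c in cert)

def import_by_time(installed, candidate):
    """Assumed heuristic: accept the candidate only if it carries something newer."""
    return newest(candidate) > newest(installed)

def import_by_content(installed, candidate):
    """Alternative check: accept whenever the candidate adds a component we lack."""
    return bool(candidate - installed)

def merge(installed, candidate):
    """Union of both copies. A real implementation would first verify each
    binding signature against the already authenticated primary key."""
    return installed | candidate

# Constructed sample: the complete certificate and a copy with the subkey stripped.
FULL = frozenset({
    Component("primary", "primary-key", 1_600_000_000),
    Component("subkey", "signing-subkey", 1_600_000_000),
    Component("userid", "uid-expiry-extended", 1_700_000_000),
})
STRIPPED = frozenset(c for c in FULL if c.kind != "subkey")

def demo():
    installed = STRIPPED  # the incomplete copy was imported first
    by_time = import_by_time(installed, FULL)
    by_content = import_by_content(installed, FULL)
    merged = merge(installed, FULL) if by_content else installed
    has_subkey = any(c.kind == "subkey" for c in merged)
    return by_time, by_content, has_subkey

if __name__ == "__main__":
    # The time-only check refuses the complete copy; the content check accepts it.
    print(demo())
```

Because the stripped and complete copies share the same newest timestamp, the time-only comparison never replaces the incomplete copy, so signatures made by the missing subkey stay unverifiable.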