[Da-tools-commits] ./debian/userdir-ldap r436: Check that the primary key is not expired, even if we get a GOODSIG status from
Peter Palfrader
peter at palfrader.org
Tue Jul 8 12:33:06 UTC 2008
------------------------------------------------------------
revno: 436
committer: Peter Palfrader <peter at palfrader.org>
branch nick: userdir-ldap
timestamp: Tue 2008-07-08 14:33:06 +0200
message:
Check that the primary key is not expired, even if we get a GOODSIG status from
gnupg. Based on patch by Jeremy T. Bouse
modified:
debian/changelog
userdir_gpg.py
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog 2008-07-08 12:18:45 +0000
+++ b/debian/changelog 2008-07-08 12:33:06 +0000
@@ -9,8 +9,10 @@
* userdir_gpg.py
- do not use SIGEXPIRED, it's deprecated
- use EXPKEYSIG to tell if a signature is made by an expired key.
+ - Check that the primary key is not expired, even if we get a
+ GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse.
- -- Peter Palfrader <weasel at debian.org> Tue, 08 Jul 2008 14:17:57 +0200
+ -- Peter Palfrader <weasel at debian.org> Tue, 08 Jul 2008 14:27:26 +0200
userdir-ldap (0.3.33) unstable; urgency=low
=== modified file 'userdir_gpg.py'
--- a/userdir_gpg.py 2008-07-08 07:44:46 +0000
+++ b/userdir_gpg.py 2008-07-08 12:33:06 +0000
@@ -343,7 +343,15 @@
GoodSig = 1;
KeyID = Split[2];
Owner = ' '.join(Split[3:])
-
+ # If this message is signed with a subkey which has not yet
+ # expired, GnuPG will say GOODSIG here, even if the primary
+ # key already has expired. This came up in discussion of
+ # bug #489225. GPGKeySearch only returns non-expired keys.
+ Verify = GPGKeySearch(KeyID);
+ if len(Verify) == 0:
+ GoodSig = 0
+ Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyId);
+
# Bad signature response
if Split[1] == "BADSIG":
GoodSig = 0;
@@ -426,6 +434,8 @@
# to GPG for processing. The result is a list of tuples of the form:
# (KeyID,KeyFinger,Owner,Length)
# Which is similar to the key identification tuple output by GPGChecksig
+#
+# Do not return keys where the primary key has expired
def GPGKeySearch(SearchCriteria):
Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + \
[SearchCriteria," 2> /dev/null"]
@@ -433,6 +443,7 @@
Result = [];
Owner = "";
KeyID = "";
+ Expired = None;
Hits = {};
dir = os.path.expanduser("~/.gnupg")
@@ -454,13 +465,15 @@
KeyID = Split[4];
Owner = Split[9];
Length = int(Split[2]);
+ Expired = Split[1] == 'e'
# Output the key
if Split[0] == 'fpr':
if Hits.has_key(Split[9]):
continue;
Hits[Split[9]] = None;
- Result.append( (KeyID,Split[9],Owner,Length) );
+ if not Expired:
+ Result.append( (KeyID,Split[9],Owner,Length) );
finally:
if Strm != None:
Strm.close();
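Review bot: `Expired = Split[1] == 'e'` only treats the validity code 'e' as disqualifying, so a key whose primary is revoked ('r') or otherwise invalid ('i') in the colon listing is still appended to Result and therefore still passes the caller's "unexpired key found" check; if that is not intended, widen the test, e.g. `Expired = Split[1] in ('e', 'r', 'i')`, and rename the flag to match. The flag is set alongside KeyID/Owner/Length on the record line and consumed on the later `fpr` line; the record-type condition is above the hunk, so if `sub` records also flow through that assignment the flag would describe the last subkey rather than the primary — worth confirming. A short comment on the new line, such as `# validity field of the key record; 'e' means expired`, would document where the value comes from. The enclosing function starts before this hunk.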