[Da-tools-commits] ./debian/userdir-ldap r436: Check that the primary key is not expired, even if we get a GOODSIG status from

Peter Palfrader peter at palfrader.org
Tue Jul 8 12:33:06 UTC 2008


------------------------------------------------------------
revno: 436
committer: Peter Palfrader <peter at palfrader.org>
branch nick: userdir-ldap
timestamp: Tue 2008-07-08 14:33:06 +0200
message:
  Check that the primary key is not expired, even if we get a GOODSIG status from
  gnupg.  Based on patch by Jeremy T. Bouse
modified:
  debian/changelog
  userdir_gpg.py
-------------- next part --------------
=== modified file 'debian/changelog'
--- a/debian/changelog	2008-07-08 12:18:45 +0000
+++ b/debian/changelog	2008-07-08 12:33:06 +0000
@@ -9,8 +9,10 @@
   * userdir_gpg.py
     - do not use SIGEXPIRED, it's deprecated
     - use EXPKEYSIG to tell if a signature is made by an expired key.
+    - Check that the primary key is not expired, even if we get a
+      GOODSIG status from gnupg.  Based on patch by Jeremy T. Bouse.
 
- -- Peter Palfrader <weasel at debian.org>  Tue, 08 Jul 2008 14:17:57 +0200
+ -- Peter Palfrader <weasel at debian.org>  Tue, 08 Jul 2008 14:27:26 +0200
 
 userdir-ldap (0.3.33) unstable; urgency=low
 

=== modified file 'userdir_gpg.py'
--- a/userdir_gpg.py	2008-07-08 07:44:46 +0000
+++ b/userdir_gpg.py	2008-07-08 12:33:06 +0000
@@ -343,7 +343,15 @@
 	       GoodSig = 1;
 	    KeyID = Split[2];
 	    Owner = ' '.join(Split[3:])
-	    
+	    # If this message is signed with a subkey which has not yet
+	    # expired, GnuPG will say GOODSIG here, even if the primary
+	    # key already has expired.  This came up in discussion of
+	    # bug #489225.  GPGKeySearch only returns non-expired keys.
+	    Verify = GPGKeySearch(KeyID);
+	    if len(Verify) == 0:
+	       GoodSig = 0
+	       Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyId);
+
 	 # Bad signature response
 	 if Split[1] == "BADSIG":
 	    GoodSig = 0;
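Review bot: The expired-primary-key branch formats its message with `KeyId`, but the name bound two lines above the new comment is `KeyID` (`KeyID = Split[2];`); Python names are case-sensitive, so the first signature that takes this path raises a NameError instead of clearing GoodSig and setting `Why`, unless a separate `KeyId` is bound earlier in this function outside the hunk. The one-line fix is `Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyID);`. Since this branch is the whole point of the change, it deserves a test that feeds a signature made by a still-valid subkey of an expired primary key. The enclosing function starts and ends outside the hunk.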
@@ -426,6 +434,8 @@
 # to GPG for processing. The result is a list of tuples of the form:
 #   (KeyID,KeyFinger,Owner,Length)
 # Which is similar to the key identification tuple output by GPGChecksig
+#
+# Do not return keys where the primary key has expired
 def GPGKeySearch(SearchCriteria):
    Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + \
           [SearchCriteria," 2> /dev/null"]
@@ -433,6 +443,7 @@
    Result = [];
    Owner = "";
    KeyID = "";
+   Expired = None;
    Hits = {};
 
    dir = os.path.expanduser("~/.gnupg")
@@ -454,13 +465,15 @@
             KeyID = Split[4];
             Owner = Split[9];
             Length = int(Split[2]);
+            Expired = Split[1] == 'e'
 
          # Output the key
          if Split[0] == 'fpr':
             if Hits.has_key(Split[9]):
                continue;
             Hits[Split[9]] = None;
-            Result.append( (KeyID,Split[9],Owner,Length) );
+            if not Expired:
+               Result.append( (KeyID,Split[9],Owner,Length) );
    finally:
       if Strm != None:
          Strm.close();
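Review bot: `Expired = Split[1] == 'e'` disqualifies only the expired validity code, yet GnuPG's colon-format validity field also reports `r` (revoked), `d` (disabled) and `i` (invalid); a primary key in one of those states still passes this filter and is returned as usable, so the comment added earlier ("Do not return keys where the primary key has expired") is accurate but narrower than what a caller deciding signature validity probably wants. If the intent is "primary key is usable", `Expired = Split[1] in ('e', 'r', 'd', 'i');` with a name like `Unusable` would say so, and the trailing semicolon would match the rest of the function. The flag is assigned on the key record and consumed on the following `fpr` record, so it relies on the `pub` line always preceding its `fpr` line; the record-type guard around the assignment is outside the hunk, so I cannot confirm subkey `fpr` records cannot reach the `Result.append` with a stale value.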


