authorDavid Kalnischkies <david@kalnischkies.de>2016-09-01 18:55:20 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2016-09-01 19:24:26 +0200
commit6dc85f53d92b9763a1509a6472227c54bc70b01d (patch)
treea8d9839e9d50652051dd328bf1e5a89ca9a24d0b /methods
parentf9c2f3e972313b14c4408950d86dc2dba49f8c7c (diff)
support long keyid and fingerprint in gpgv's GOODSIG
In gpgv1, GOODSIG (and the other status-fd messages) are documented as sending the long keyid. In gpgv2 it is documented to be either the long keyid or the fingerprint. At the moment it is still the long keyid, but the documentation hints at the possibility of changing this. We care about this for Signed-By support, as this is how we detect whether the right fingerprint has signed this file (or not). The check itself is done via VALIDSIG, which is always a fingerprint, but a GOODSIG must also be found for the signature to be accepted (as expired sigs are valid, too); in the fingerprint case it would not be found and the signature hence refused.
Diffstat (limited to 'methods')
-rw-r--r--methods/gpgv.cc24
1 files changed, 20 insertions, 4 deletions
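--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -258,16 +258,32 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
 if (std::find(ValidSigners.begin(), ValidSigners.end(), k) == ValidSigners.end())
 continue;
 // we look for GOODSIG here as well as an expired sig is a valid sig as well (but not a good one)
+ std::string const goodfingerprint = "GOODSIG " + k;
 std::string const goodlongkeyid = "GOODSIG " + k.substr(24, 16);
- foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodlongkeyid) != GoodSigners.end();
+ foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodfingerprint) != GoodSigners.end();
 if (Debug == true)
- std::clog << "Key " << k << " is valid sig, is " << goodlongkeyid << " also a good one? " << (foundGood ? "yes" : "no") << std::endl;
+ std::clog << "Key " << k << " is valid sig, is " << goodfingerprint << " also a good one? " << (foundGood ? "yes" : "no") << std::endl;
+ std::string goodsig;
+ if (foundGood == false)
+ {
+ foundGood = std::find(GoodSigners.begin(), GoodSigners.end(), goodlongkeyid) != GoodSigners.end();
+ if (Debug == true)
+ std::clog << "Key " << k << " is valid sig, is " << goodlongkeyid << " also a good one? " << (foundGood ? "yes" : "no") << std::endl;
+ goodsig = goodlongkeyid;
+ }
+ else
+ goodsig = goodfingerprint;
 if (foundGood == false)
 continue;
 std::copy(GoodSigners.begin(), GoodSigners.end(), std::back_insert_iterator<std::vector<std::string> >(NoPubKeySigners));
 GoodSigners.clear();
- GoodSigners.push_back(goodlongkeyid);
- NoPubKeySigners.erase(std::remove(NoPubKeySigners.begin(), NoPubKeySigners.end(), goodlongkeyid), NoPubKeySigners.end());
+ GoodSigners.push_back(goodsig);
+ NoPubKeySigners.erase(
+ std::remove(NoPubKeySigners.begin(),
+ std::remove(NoPubKeySigners.begin(), NoPubKeySigners.end(), goodfingerprint),
+ goodlongkeyid),
+ NoPubKeySigners.end()
+ );
 break;
 }
 if (foundGood == false)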
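Review bot: The kept line `std::string const goodlongkeyid = "GOODSIG " + k.substr(24, 16);` still assumes `k` is a 40-character v4 fingerprint: with fewer than 24 characters `substr` throws `std::out_of_range`, and with any other length the result is not the long key id, so the new fallback lookup compares GoodSigners against a meaningless string. `k` is taken from ValidSigners, which is filled outside this hunk, so its exact shape is not visible here; guarding the derivation is cheap, e.g. `std::string const goodlongkeyid = (k.size() == 40) ? "GOODSIG " + k.substr(24, 16) : std::string();` together with `if (foundGood == false && goodlongkeyid.empty() == false)` on the fallback branch, so an unexpected fingerprint length fails closed instead of throwing or matching by accident. The two `std::clog` lines differ only in which candidate is tried; folding the find-plus-log into a small lambda taking the candidate string would remove the duplication and keep both messages in sync. VerifyGetSigners starts and ends outside the hunk.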