| -rw-r--r-- | apt/auth.py | 6 | ||||
| -rw-r--r-- | tests/test_auth.py | 5 |
2 files changed, 10 insertions, 1 deletions
diff --git a/apt/auth.py b/apt/auth.py
index 6fe7c01a..b8089d0c 100644
--- a/apt/auth.py
+++ b/apt/auth.py
@@ -154,6 +154,12 @@ def _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir):
 if res != 0:
 raise AptKeyError("recv from '%s' failed for '%s'" % (
 keyserver, keyid))
+ # FIXME:
+ # - with gnupg 1.4.18 the downloaded key is actually checked(!),
+ # i.e. gnupg will not import anything that the server sends
+ # into the keyring, so the below checks are now redundant *if*
+ # gnupg 1.4.18 is used
+
 # now export again using the long key id (to ensure that there is
 # really only this one key in our keyring) and not someone MITM us
 tmp_export_keyring = os.path.join(tmp_keyring_dir, "export-keyring.gpg")
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 790ed380..67377363 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -212,7 +212,10 @@ class TestAuthKeys(unittest.TestCase):
 "0101010178F7FE5C3E65D8AF8B48AD6246925553",
 "hkp://localhost:%d" % self.keyserver_port)
 self.assertTrue(
- str(cm.exception).startswith("Fingerprints do not match"),
+ str(cm.exception).startswith(
+ "recv from 'hkp://localhost:%d' failed for '%s'" % (
+ self.keyserver_port,
+ "0101010178F7FE5C3E65D8AF8B48AD6246925553")),
 cm.exception)

 def testAddKeyFromServer(self): |
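Review bot: The new `FIXME` in `_add_key_from_keyserver` names no action, so a later reader could take "the below checks are now redundant" as licence to delete the export-and-compare step that follows. Nothing in the visible lines checks which gnupg version is installed, so on any other version that step is presumably still the only guard against a keyserver returning a different key. I would reword it as a note that says so, e.g. `# NOTE: gnupg 1.4.18 rejects a received key that does not match the request;` followed by `# keep the checks below, they are the only guard with other gnupg versions`. The phrase "will not import anything" also reads as "imports nothing" where "will not import just anything" seems to be meant. The function body continues outside the hunk.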
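Review bot: After this change in `TestAuthKeys` the assertion only passes when gnupg rejects the key at receive time, so nothing visible here still exercises the "Fingerprints do not match" branch in `apt/auth.py`, and the test will fail on a gnupg that imports the key and leaves the mismatch to the later check. Since that branch is the MITM guard, I would accept either message, e.g. `msg = str(cm.exception)` then `self.assertTrue(msg.startswith("recv from ") or msg.startswith("Fingerprints do not match"), cm.exception)`, or add a separate test that feeds the fingerprint comparison a mismatching key directly. The 40-character fingerprint literal now appears twice in the call; binding it to a local name would keep the two in step. The test method starts outside the hunk.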
