gpg-verify-result: canonicalise key when looking up signatures

Use gpgme_get_key to find the primary key for the key we are
looking for, and the primary key for each signature, and
compare these when looking up signatures.

The primary key is the first in the list of subkeys, which is
the normal key ID people use when referring to a GPG key as an
identity.

If the key has a signing subkey, signature->fpr will not match
the provided key_id, so looking up both keys and comparing the
primary key fingerprints ensures they are both canonicalised.

https://github.com/ostreedev/ostree/issues/608

Closes: #1036
Approved by: cgwalters
Robert McQueen 2017-07-30 17:35:46 +01:00 committed by Atomic Bot
parent d7f953aa3a
commit 156cf23576


@ -237,7 +237,7 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
const gchar *key_id,
guint *out_signature_index)
{
g_autofree char *key_id_upper = NULL;
gpgme_key_t lookup_key = NULL;
gpgme_signature_t signature;
guint signature_index;
gboolean ret = FALSE;
@ -245,25 +245,46 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
g_return_val_if_fail (OSTREE_IS_GPG_VERIFY_RESULT (result), FALSE);
g_return_val_if_fail (key_id != NULL, FALSE);
/* signature->fpr is always upper-case. */
key_id_upper = g_ascii_strup (key_id, -1);
/* fetch requested key_id from keyring to canonicalise ID */
(void) gpgme_get_key (result->context, key_id, &lookup_key, 0);
if (lookup_key == NULL)
{
g_debug ("Could not find key ID %s to lookup signature.", key_id);
return FALSE;
}
for (signature = result->details->signatures, signature_index = 0;
signature != NULL;
signature = signature->next, signature_index++)
{
if (signature->fpr == NULL)
continue;
gpgme_key_t signature_key = NULL;
if (g_str_has_suffix (signature->fpr, key_id_upper))
(void) gpgme_get_key (result->context, signature->fpr, &signature_key, 0);
if (signature_key == NULL)
{
g_debug ("Could not find key when looking up signature from %s.", signature->fpr);
continue;
}
/* the first subkey in the list is the primary key */
if (!g_strcmp0 (lookup_key->subkeys->fpr,
signature_key->subkeys->fpr))
{
if (out_signature_index != NULL)
*out_signature_index = signature_index;
ret = TRUE;
break;
}
gpgme_key_unref (signature_key);
if (ret)
break;
}
gpgme_key_unref (lookup_key);
return ret;
}
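Review bot: `key_id_upper` is still computed with `g_ascii_strup` at the top of the second hunk, but once the suffix comparison is replaced by the primary-fingerprint `g_strcmp0` it no longer appears to be read, so that call and its declaration in the first hunk look like dead code that should be dropped or passed to `gpgme_get_key` in place of `key_id`. Both `gpgme_get_key` results are discarded with `(void)`, so the `g_debug` messages cannot tell a missing key from an ambiguous or malformed identifier; `gpgme_error_t err = gpgme_get_key (result->context, key_id, &lookup_key, 0);` followed by logging `gpgme_strerror (err)` would make failed lookups diagnosable. If the `break;` inside the match block is still present on the new side alongside the trailing `if (ret) break;`, the matched `signature_key` is never unreffed; the print order here does not mark which lines were removed, so this should be confirmed against the raw patch. Note also that signatures whose key is absent from the keyring are now skipped instead of matched by fingerprint, which callers that report unknown-key signatures need to be aware of.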