authorRobert McQueen <rob@endlessm.com>2017-07-30 17:35:46 +0100
committerAtomic Bot <atomic-devel@projectatomic.io>2017-07-31 14:37:09 +0000
commit156cf23576df15cfd06d8138f7fc4443bfee5058 (patch)
tree08577743c4952bde963fcc2d53c69a2c6d0b2cbd /src/libostree/ostree-gpg-verify-result.c
parentd7f953aa3a9fc61d7d22fd2d05ff92583cb7b21d (diff)
gpg-verify-result: canonicalise key when looking up signatures
Use gpgme_get_key to find the primary key for the key we are looking for, and the primary key for each signature, and compare these when looking up signatures. The primary key is the first in the list of subkeys, which is the normal key ID people use when referring to a GPG key as an identity. If the key has a signing subkey, signature->fpr will not match the provided key_id, so looking up both keys and comparing the primary key fingerprints ensures they are both canonicalised. https://github.com/ostreedev/ostree/issues/608 Closes: #1036 Approved by: cgwalters
Diffstat (limited to 'src/libostree/ostree-gpg-verify-result.c')
-rw-r--r--src/libostree/ostree-gpg-verify-result.c35
1 files changed, 28 insertions, 7 deletions
diff --git a/src/libostree/ostree-gpg-verify-result.c b/src/libostree/ostree-gpg-verify-result.c
index 0277ce1e..059b3d56 100644
--- a/src/libostree/ostree-gpg-verify-result.c
+++ b/src/libostree/ostree-gpg-verify-result.c
@@ -237,7 +237,7 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
const gchar *key_id,
guint *out_signature_index)
{
- g_autofree char *key_id_upper = NULL;
+ gpgme_key_t lookup_key = NULL;
gpgme_signature_t signature;
guint signature_index;
gboolean ret = FALSE;
@@ -245,25 +245,46 @@ ostree_gpg_verify_result_lookup (OstreeGpgVerifyResult *result,
g_return_val_if_fail (OSTREE_IS_GPG_VERIFY_RESULT (result), FALSE);
g_return_val_if_fail (key_id != NULL, FALSE);
- /* signature->fpr is always upper-case. */
- key_id_upper = g_ascii_strup (key_id, -1);
+ /* fetch requested key_id from keyring to canonicalise ID */
+ (void) gpgme_get_key (result->context, key_id, &lookup_key, 0);
+
+ if (lookup_key == NULL)
+ {
+ g_debug ("Could not find key ID %s to lookup signature.", key_id);
+ return FALSE;
+ }
for (signature = result->details->signatures, signature_index = 0;
signature != NULL;
signature = signature->next, signature_index++)
{
- if (signature->fpr == NULL)
- continue;
+ gpgme_key_t signature_key = NULL;
- if (g_str_has_suffix (signature->fpr, key_id_upper))
+ (void) gpgme_get_key (result->context, signature->fpr, &signature_key, 0);
+
+ if (signature_key == NULL)
+ {
+ g_debug ("Could not find key when looking up signature from %s.", signature->fpr);
+ continue;
+ }
+
+ /* the first subkey in the list is the primary key */
+ if (!g_strcmp0 (lookup_key->subkeys->fpr,
+ signature_key->subkeys->fpr))
{
if (out_signature_index != NULL)
*out_signature_index = signature_index;
ret = TRUE;
- break;
}
+
+ gpgme_key_unref (signature_key);
+
+ if (ret)
+ break;
}
+ gpgme_key_unref (lookup_key);
+
return ret;
}
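Review bot: Both `gpgme_get_key` calls in this hunk cast their `gpgme_error_t` result to `(void)`, so a key missing from the keyring, an ambiguous `key_id` and an engine or keyring failure all end in the same `FALSE` or `continue`, visible only at debug level. That fails closed, but a caller asking whether a trusted key signed the object cannot tell "not signed by this key" from "could not check"; keeping the code, e.g. `gpgme_error_t err = gpgme_get_key (result->context, key_id, &lookup_key, 0);`, and logging `gpgme_strerror (err)` would make the difference visible. The loop also drops the old `signature->fpr == NULL` guard, so a NULL fingerprint now reaches `gpgme_get_key` and the `%s` in `g_debug`; restoring `if (signature->fpr == NULL) continue;` at the top of the loop avoids depending on how either treats NULL. The comparison assumes `subkeys` is non-NULL on both keys, which is presumably always true for a key returned by gpgme but is not checked here. The function's signature starts in the previous hunk.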