author | Panu Matilainen <pmatilai@redhat.com> | 2022-11-23 13:39:59 +0200 |
---|---|---|
committer | Michal Domonkos <mdomonko@redhat.com> | 2023-03-13 15:32:25 +0100 |
commit | e970cfc0d5a25d1e37a00da7fabf98dd22efac35 (patch) | |
tree | eaddc78f1ff2a1900c259aa73dd703b6786e78ce | |
parent | 9ae18b383e72f19e6a93f1e32630635a1c790bdf (diff) | |
download | rpm-e970cfc0d5a25d1e37a00da7fabf98dd22efac35.tar.gz | |
Issue a warning when signing created an OpenPGP v3 signature
https://bugzilla.redhat.com/show_bug.cgi?id=2141686 revealed that much
of the rpm ecosystem is still using the obsolete v3 OpenPGP signature
format, I think largely due to workarounds for legacy rpm versions (from
around the turn of the millennium) that have just been forgotten in
place. Let's at least issue a wake-up warning when that happens.
Unfortunately this can't really be tested as current GnuPG versions
just ignore any --force-v3-sigs arguments.
Fixes: #2286
(cherry picked from commit ee4356ef27180c370c311ce57d9829adc74264a1)
-rw-r--r-- | sign/rpmgensig.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c index 9a525961b..553a58ec1 100644 --- a/sign/rpmgensig.c +++ b/sign/rpmgensig.c @@ -140,6 +140,7 @@ static rpmtd makeSigTag(Header sigh, int ishdr, uint8_t *pkt, size_t pktlen) rpmtd sigtd = NULL; unsigned int hash_algo; unsigned int pubkey_algo; + int ver; if (pgpPrtParams(pkt, pktlen, PGPTAG_SIGNATURE, &sigp)) { rpmlog(RPMLOG_ERR, _("Unsupported PGP signature\n")); @@ -168,6 +169,12 @@ static rpmtd makeSigTag(Header sigh, int ishdr, uint8_t *pkt, size_t pktlen) break; } + ver = pgpDigParamsVersion(sigp); + if (ver < 4) { + rpmlog(RPMLOG_WARNING, _("Deprecated OpenPGP signature version %d\n"), + ver); + } + /* Looks sane, create the tag data */ sigtd = rpmtdNew(); sigtd->count = pktlen; |
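Review bot: in the second hunk the `if (ver < 4)` branch only logs a warning and then falls through to "Looks sane, create the tag data", so the deprecated signature packet is still written into the package unchanged; if the intent is to eventually retire v3 signatures, consider noting in the message text what the user should do about it (the commit message points at stale `--force-v3-sigs` workarounds, but the logged string "Deprecated OpenPGP signature version %d" names only the version), and note that the condition also fires for any version below 3, which is broader than the "v3" the commit title describes.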