Better handle certificates where old self signatures are stripped #47

Merged on Jun 21, 2023 (1 commit)


nwalfield
Collaborator

  • If a certificate is not valid when a packet signature is made, but is valid now, detect this and return NotTrusted. This happens when old self signatures are stripped.

  • Fixes Relax "No binding signature" #46

@pmatilai
Member

Regardless of what ultimately gets done about the issue with gpg stripping old self-signatures, this much seems absolutely necessary to let people upgrade away from affected packages. Such as https://bugzilla.redhat.com/show_bug.cgi?id=2215440

So my 👍 for this.

  - If a certificate is not valid when a package signature is made,
    but is valid now, detect this and return `NotTrusted`.

  - This happens when old self signatures have been stripped.
    Consider a certificate `C` that expires `te`.  It is used to sign
    a package `P` at `t0`, where `t0 < te`.  At `t1`, where `t1 > t0`,
    `C`'s expiration is extended.  It now has two self signatures.
    When `C` is exported using `gpg --export`, `gpg` strips old self
    signatures, which results in the certificate `Ce`.  When rpm tries
    to verify the package's signature using `Ce`, the certificate
    cannot be canonicalized at `t0`, because the self signature that
    was valid at time `t0` was stripped.

  - See #46
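
The scenario from the commit message as a simplified model, added here as an illustration and not the project's code. Only `NotTrusted` comes from the page; `SelfSig`, `Verdict`, `check`, `strip_old_self_sigs`, the other verdict names and the integer timestamps are assumptions, and the cryptographic check of the signature itself is left out.

```rust
// Simplified model: a self signature is reduced to its creation time and the
// certificate expiration time it sets. Times are plain integers.
#[derive(Clone, Copy)]
struct SelfSig { created: u64, expires: u64 }

// `NotTrusted` is the result named in the PR; `Valid` and `Invalid` are
// hypothetical names for the other outcomes.
#[derive(Debug, PartialEq)]
enum Verdict { Valid, NotTrusted, Invalid }

// The self signature in effect at time `t`: the newest one created at or
// before `t`. None if every surviving self signature is newer than `t`.
fn binding_at(cert: &[SelfSig], t: u64) -> Option<SelfSig> {
    cert.iter().copied().filter(|s| s.created <= t).max_by_key(|s| s.created)
}

fn valid_at(cert: &[SelfSig], t: u64) -> bool {
    binding_at(cert, t).map_or(false, |s| t < s.expires)
}

// Evaluate the certificate for a package signature made at `sig_time`.
fn check(cert: &[SelfSig], sig_time: u64, now: u64) -> Verdict {
    if valid_at(cert, sig_time) {
        Verdict::Valid
    } else if valid_at(cert, now) {
        // Not valid when the signature was made, but valid now: the case
        // the PR detects and reports as NotTrusted.
        Verdict::NotTrusted
    } else {
        Verdict::Invalid
    }
}

// Models the export behaviour described in the commit message: only the
// newest self signature survives.
fn strip_old_self_sigs(cert: &[SelfSig]) -> Vec<SelfSig> {
    cert.iter().copied().max_by_key(|s| s.created).into_iter().collect()
}

fn main() {
    // Constructed timeline: self signature at 50 sets te = 200; package signed
    // at t0 = 100; expiration extended to 400 at t1 = 150; now = 300.
    let c = [SelfSig { created: 50, expires: 200 }, SelfSig { created: 150, expires: 400 }];
    let ce = strip_old_self_sigs(&c);
    println!("C:  {:?}", check(&c, 100, 300));
    println!("Ce: {:?}", check(&ce, 100, 300));
}
```
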
@nwalfield
Collaborator Author

I improved the commit message, but the code is the same.

@nwalfield nwalfield merged commit 04db239 into main Jun 21, 2023
@nwalfield
Collaborator Author

> Regardless of what ultimately gets done about the issue with gpg stripping old self-signatures, this much seems absolutely necessary to let people upgrade away from affected packages. Such as https://bugzilla.redhat.com/show_bug.cgi?id=2215440
>
> So my +1 for this.

Thanks for the feedback.

@nwalfield nwalfield deleted the neal/issue-46 branch June 21, 2023 08:53
@pmatilai
Member

@nwalfield, are you planning to do a new release with this fix in it, or should we just patch it in Fedora for the time being? It's not a problem either way, just checking.

@nwalfield
Collaborator Author

I can do a release today.

@nwalfield
Collaborator Author

@pmatilai: I just released 1.4.1 with the change.

@pmatilai
Member

Awesome, thanks!

Successfully merging this pull request may close these issues.

Relax "No binding signature"