authorJulian Andres Klode <jak@debian.org>2022-03-07 13:03:24 +0100
committerJulian Andres Klode <jak@debian.org>2022-03-07 13:04:23 +0100
commit55452afa1e8eb3b252f76e455b49df5883e0b811 (patch)
tree329ddd15ff7571f7a3e6a3baed639bf11d3a5af2
parentee427f308600a4a3a6f67a4a7835e1172605ba06 (diff)
gpgv: Use Valid instead of Good to determine fallback
Change the logic to use "Valid" instead of "Good" to determine whether we need to fall back and whether the fallback was successful. That means that if you have an expired key in trusted.gpg.d and a non-expired one in trusted.gpg, verification will now fail directly with the expired key in trusted.gpg.d and will not try to fall back. Likewise, if the key in trusted.gpg is expired, this will now also be reported correctly again, instead of producing an error message that the key could not be found.
-rw-r--r--methods/gpgv.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 0d5707e2a..b8d348484 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -436,7 +436,7 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
// We do not have a key file pinned, did not find a good signature, but found
// missing keys - let's retry with trusted.gpg
- if (keyFiles.empty() && Signers.Good.empty() && !Signers.NoPubKey.empty())
+ if (keyFiles.empty() && Signers.Valid.empty() && !Signers.NoPubKey.empty())
{
std::vector<std::string> legacyKeyFiles{_config->FindFile("Dir::Etc::trusted")};
if (legacyKeyFiles[0].empty())
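Review bot: The comment above the changed condition still says "did not find a good signature", but the test is now on `Signers.Valid`, which per the commit message also covers a signature made by an expired key; the same staleness applies to "something verified as good or bad" above the `legacySigners.Valid` check in the second hunk. Because this condition decides whether the legacy trusted.gpg keyring is consulted at all, the comments should name the set that is actually tested, e.g. `// No key file pinned, no valid signature (an expired key still counts as valid here), but missing keys - retry with trusted.gpg` and `// The legacy keyring knows the key: something verified as valid or bad`. It would also help to say in that comment that a Valid entry is not yet a trusted one and that acceptance is decided later on Good, if that is indeed where it happens; that code is not visible here. VerifyGetSignersWithLegacy starts and ends outside both hunks.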
@@ -450,7 +450,7 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
if (_error->PendingError())
return legacyMsg;
// Hooray, we found a key apparently, something verified as good or bad
- if (!legacySigners.Good.empty() || !legacySigners.Bad.empty())
+ if (!legacySigners.Valid.empty() || !legacySigners.Bad.empty())
{
std::string warning;
strprintf(warning,