From 55452afa1e8eb3b252f76e455b49df5883e0b811 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Mon, 7 Mar 2022 13:03:24 +0100
Subject: gpgv: Use Valid instead of Good to determine fallback

Change the logic to use "Valid" instead of "Good" to determine whether we need to fallback and if fallback was successful. That means that if you have an expired key in trusted.gpg.d, and a non-expired in trusted.gpg, verification will now fail directly with the expired key in trusted.gpg.d and not try to fallback. Likewise, if the key in trusted.gpg is expired, this will now also be reported correctly again, instead of producing an error message that the key could not be found.
---
 methods/gpgv.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'methods')
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 0d5707e2a..b8d348484 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -436,7 +436,7 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
 // We do not have a key file pinned, did not find a good signature, but found
 // missing keys - let's retry with trusted.gpg
- if (keyFiles.empty() && Signers.Good.empty() && !Signers.NoPubKey.empty())
+ if (keyFiles.empty() && Signers.Valid.empty() && !Signers.NoPubKey.empty())
 {
 std::vector legacyKeyFiles{_config->FindFile("Dir::Etc::trusted")};
 if (legacyKeyFiles[0].empty())
@@ -450,7 +450,7 @@ string GPGVMethod::VerifyGetSignersWithLegacy(const char *file, const char *outf
 if (_error->PendingError())
 return legacyMsg;
 // Hooray, we found a key apparently, something verified as good or bad
- if (!legacySigners.Good.empty() || !legacySigners.Bad.empty())
+ if (!legacySigners.Valid.empty() || !legacySigners.Bad.empty())
 {
 std::string warning;
 strprintf(warning,
-- 
cgit v1.2.3-70-g09d2
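Review bot: The comment above the first changed condition still says "did not find a good signature" although the test is now `Signers.Valid.empty()`, and the second hunk's "something verified as good or bad" comment likewise sits above a check on `legacySigners.Valid`. Going by the commit message, a signature from an expired key counts as Valid but not Good, and that distinction now decides whether the legacy trusted.gpg keyring is consulted, so the comments should name it: `// No key file pinned, no valid signature (an expired key still counts as valid), but missing keys - retry with trusted.gpg` and `// The legacy keyring produced a valid (possibly expired-key) or bad signature`. The diffstat lists only methods/gpgv.cc, so neither of the two expired-key cases described in the message appears to be pinned by a test in this commit; a regression test for each would keep the fallback condition from silently widening again. The body of VerifyGetSignersWithLegacy starts and ends outside both hunks.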