author | Alyssa Ross <hi@alyssa.is> | 2020-11-10 15:35:10 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-11-22 14:16:11 +0000 |
commit | 7fe5a760c4aafe71ce84241d6bcde717f6269fe6 (patch) | |
tree | 8e8fd1326eec0dde2c23674c3eabab57b09c6f17 /overlays/patches | |
parent | 9791e7fb668219d330ee6f9c509b17c2691596b6 (diff) | |
patches/gnupg: "fix" encrypting to expired key
Since we're modifying GnuPG to allow expired keys, we need to stop it treating it as a bug if do_we_trust() is reached with an expired key.
Diffstat (limited to 'overlays/patches')
-rw-r--r-- | overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch | 32 |
1 files changed, 25 insertions, 7 deletions
diff --git a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch index 688c6cb6f074..6c4187d8620e 100644 --- a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch +++ b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch @@ -1,19 +1,23 @@ -From f6cd902764ea8d13523e98f10bb05ce32234f60d Mon Sep 17 00:00:00 2001 +From 76d4bdc4a906ac54013fae1bddaae10a13b059cc Mon Sep 17 00:00:00 2001 From: Alyssa Ross <hi@alyssa.is> Date: Fri, 31 Jul 2020 06:10:00 +0000 Subject: [PATCH] VERY BAD: allow signing with expired keys +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit This probably has very bad side effects. Will expiration dates still be checked when verifying signatures, for example? Who knows‽ --- - g10/getkey.c | 18 ++++++++---------- - 1 file changed, 8 insertions(+), 10 deletions(-) + g10/getkey.c | 18 ++++++++---------- + g10/pkclist.c | 3 +-- + 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/g10/getkey.c b/g10/getkey.c -index cfcf9c96a..26f41656d 100644 +index cafed3a9a..95783bee4 100644 --- a/g10/getkey.c +++ b/g10/getkey.c -@@ -1930,9 +1930,9 @@ parse_def_secret_key (ctrl_t ctrl) +@@ -1986,9 +1986,9 @@ parse_def_secret_key (ctrl_t ctrl) if (pk->has_expired) { if (DBG_LOOKUP) @@ -26,7 +30,7 @@ index cfcf9c96a..26f41656d 100644 } if (pk_is_disabled (pk)) { -@@ -3579,9 +3579,9 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact, +@@ -3600,9 +3600,9 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact, if (pk->has_expired) { if (DBG_LOOKUP) 
@@ -38,7 +42,7 @@ index cfcf9c96a..26f41656d 100644
 }
 if (pk->timestamp > curtime && !opt.ignore_valid_from)
 {
-@@ -3656,13 +3656,11 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+@@ -3665,13 +3665,11 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
 if (DBG_LOOKUP)
 log_debug ("\tprimary key has been revoked\n");
 }
@@ -55,6 +59,20 @@ index cfcf9c96a..26f41656d 100644
 if (DBG_LOOKUP)
 log_debug ("\tprimary key may be used\n");
 latest_key = keyblock;
+diff --git a/g10/pkclist.c b/g10/pkclist.c
+index 542164949..6cdd8a35c 100644
+--- a/g10/pkclist.c
++++ b/g10/pkclist.c
+@@ -412,8 +412,7 @@ do_we_trust( PKT_public_key *pk, unsigned int trustlevel )
+ /* We should not be able to get here with a revoked or expired
+ key */
+ if(trustlevel & TRUST_FLAG_REVOKED
+- || trustlevel & TRUST_FLAG_SUB_REVOKED
+- || (trustlevel & TRUST_MASK) == TRUST_EXPIRED)
++ || trustlevel & TRUST_FLAG_SUB_REVOKED)
+ BUG();
+
+ if( opt.trust_model==TM_ALWAYS )
 --
 2.27.0 |
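Review bot: The comment kept at the top of the new do_we_trust() hunk still says "We should not be able to get here with a revoked or expired key", but the `TRUST_EXPIRED` test has been dropped from the `BUG()` condition, so the comment now contradicts the code; I would reword it to `/* We should not be able to get here with a revoked key; expired keys are deliberately let through by this patch */`. The rest of do_we_trust() lies outside the hunk (only the `opt.trust_model==TM_ALWAYS` test is visible), so it cannot be seen here how an expired trust level is handled once it passes this assertion; it is worth confirming that it ends in an explicit trust decision rather than an unintended default. The patch Subject and filename also still say "allow signing with expired keys", although per the commit title this hunk relaxes the path used when encrypting to a recipient key, so the name understates which expiry checks are now disabled.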