signature checking changes

Adjust the gpgv signature check. Add one more case of broken key to detect, EXPKEYSIG. From gnupg docs: EXPKEYSIG <long keyid> <username> The signature with the keyid is good, but the signature was made by an expired key. The username is the primary one encoded in UTF-8 and %XX escaped. Also, handle KEYEXPIRED right. The first argument given back is NOT the keyid, it is the timestamp when the key expired. From gnupg docs: KEYEXPIRED <expire-timestamp> The key has expired. expire-timestamp is the expiration time in seconds after the epoch. Note, that TIMESTAMP may either be a number with seconds since epoch or an ISO 8601 string which can be detected by the presence of the letter 'T' inside. So lets go and see if we find a T, if not convert the epoch to something more easily human readable in our reject message. Signed-off-by: N Joerg Jaspert <joerg@debian.org>

signature checking changes
Adjust the gpgv signature check. Add one more case of broken key to detect, EXPKEYSIG. From gnupg docs: EXPKEYSIG <long keyid> <username> The signature with the keyid is good, but the signature was made by an expired key. The username is the primary one encoded in UTF-8 and %XX escaped. Also, handle KEYEXPIRED right. The first argument given back is NOT the keyid, it is the timestamp when the key expired. From gnupg docs: KEYEXPIRED <expire-timestamp> The key has expired. expire-timestamp is the expiration time in seconds after the epoch. Note, that TIMESTAMP may either be a number with seconds since epoch or an ISO 8601 string which can be detected by the presence of the letter 'T' inside. So lets go and see if we find a T, if not convert the epoch to something more easily human readable in our reject message. Signed-off-by: N Joerg Jaspert <joerg@debian.org>
b74dcc5d · Joerg Jaspert · f681a81d · b74dcc5d
隐藏空白更改
内联并排

Showing with 14 addition and 2 deletion

daklib/utils.py daklib/utils.py +14 -2

未找到文件。
--- a/daklib/utils.py
+++ b/daklib/utils.py
@@ -26,6 +26,7 @@ import codecs, commands, email.Header, os, pwd, re, select, socket, shutil, \
       sys, tempfile, traceback, stat
 import apt_pkg
 import database
+import time
 from dak_exceptions import *

 ################################################################################
@@ -1231,11 +1232,22 @@ used."""
    if keywords.has_key("NODATA"):
        reject("no signature found in %s." % (sig_filename))
        bad = 1
+    if keywords.has_key("EXPKEYSIG"):
+        args = keywords["EXPKEYSIG"]
+        if len(args) >= 1:
+            key = args[0]
+        reject("Signature made by expired key x%s" % (key))
+        bad = 1
    if keywords.has_key("KEYEXPIRED") and not keywords.has_key("GOODSIG"):
        args = keywords["KEYEXPIRED"]
+        expiredate=""
        if len(args) >= 1:
-            key = args[0]
-        reject("The key (0x%s) used to sign %s has expired." % (key, sig_filename))
+            timestamp = args[0]
+            if timestamp.count("T") == 0:
+                expiredate = time.strftime("%Y-%m-%d", time.gmtime(timestamp))
+            else:
+                expiredate = timestamp
+        reject("The key used to sign %s has expired on %s" % (sig_filename, expiredate))
        bad = 1

    if bad: