X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=userdir_gpg.py;fp=userdir_gpg.py;h=c883d140939ce7ecbb9c349790b3512df0afd146;hp=273ac47a081a1290cf0527abf2b26dbe85637981;hb=ad01f23258ec16be62e092ab4deb4a31fc3163d5;hpb=c127301d2b22d7415b11306aa3ecc72722549378
diff --git a/userdir_gpg.py b/userdir_gpg.py
index 273ac47..c883d14 100644
--- a/userdir_gpg.py
+++ b/userdir_gpg.py
@@ -343,7 +343,15 @@ def GPGCheckSig(Message):
 GoodSig = 1;
 KeyID = Split[2];
 Owner = ' '.join(Split[3:])
-
+ # If this message is signed with a subkey which has not yet
+ # expired, GnuPG will say GOODSIG here, even if the primary
+ # key already has expired. This came up in discussion of
+ # bug #489225. GPGKeySearch only returns non-expired keys.
+ Verify = GPGKeySearch(KeyID);
+ if len(Verify) == 0:
+ GoodSig = 0
+ Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyId);
+
 # Bad signature response
 if Split[1] == "BADSIG":
 GoodSig = 0;
@@ -426,6 +434,8 @@ def GPGCheckSig(Message):
 # to GPG for processing. The result is a list of tuples of the form:
 # (KeyID,KeyFinger,Owner,Length)
 # Which is similar to the key identification tuple output by GPGChecksig
+#
+# Do not return keys where the primary key has expired
 def GPGKeySearch(SearchCriteria):
 Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + \
 [SearchCriteria," 2> /dev/null"]
@@ -433,6 +443,7 @@ def GPGKeySearch(SearchCriteria):
 Result = [];
 Owner = "";
 KeyID = "";
+ Expired = None;
 Hits = {};
 
 dir = os.path.expanduser("~/.gnupg")
@@ -454,13 +465,15 @@ def GPGKeySearch(SearchCriteria):
 KeyID = Split[4];
 Owner = Split[9];
 Length = int(Split[2]);
+ Expired = Split[1] == 'e'
 # Output the key
 if Split[0] == 'fpr':
 if Hits.has_key(Split[9]):
 continue;
 Hits[Split[9]] = None;
- Result.append( (KeyID,Split[9],Owner,Length) );
+ if not Expired:
+ Result.append( (KeyID,Split[9],Owner,Length) );
 finally:
 if Strm != None:
 Strm.close();
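Review bot: The new expired-key branch formats `KeyId`, but the name bound two lines earlier and passed to GPGKeySearch is `KeyID`, so the first signature made under an expired primary key raises a NameError instead of being reported as a bad signature; the line should read `Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyID);`. Any reason GPGKeySearch returns nothing — an unreadable keyring or a key that was never imported — also lands in this branch, so the message may blame expiry when something else went wrong; worth wording the text less definitively or distinguishing the two cases. The added `GoodSig = 0` also drops the `;` the surrounding statements use. GPGCheckSig continues outside the hunk, so whether a later branch overwrites GoodSig or Why is not visible here.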
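Review bot: The added comment promises that keys with an expired primary key are not returned, but the filter added in the last hunk only tests what appears to be the colon-format validity field for `'e'`, so a revoked primary key (validity `'r'`) is still returned and GPGCheckSig will still treat its GOODSIG as good; either broaden the check or make the comment honest, e.g. `# Do not return keys whose primary key has expired (validity 'e'); revoked keys are not filtered here`. Note also that `Expired` starts as None (third hunk), so an `fpr` record encountered before any `pub` record would pass `if not Expired` and be appended. GPGKeySearch's body continues outside this hunk.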