* userdir_gpg.py
- do not use SIGEXPIRED, it's deprecated
- use EXPKEYSIG to tell if a signature is made by an expired key.
+ - Check that the primary key is not expired, even if we get a
+ GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse.
- -- Peter Palfrader <weasel@debian.org> Tue, 08 Jul 2008 14:17:57 +0200
+ -- Peter Palfrader <weasel@debian.org> Tue, 08 Jul 2008 14:27:26 +0200
userdir-ldap (0.3.33) unstable; urgency=low
GoodSig = 1;
KeyID = Split[2];
Owner = ' '.join(Split[3:])
-
+ # If this message is signed with a subkey which has not yet
+ # expired, GnuPG will say GOODSIG here, even if the primary
+ # key already has expired. This came up in discussion of
+ # bug #489225. GPGKeySearch only returns non-expired keys.
+ Verify = GPGKeySearch(KeyID);
+ if len(Verify) == 0:
+ GoodSig = 0
+ Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyId);
+
# Bad signature response
if Split[1] == "BADSIG":
GoodSig = 0;
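Review bot: The new expiry branch references `KeyId` in the message at `Why = "Key has expired ... %s)"%(KeyId);`, but the variable bound two lines above the hunk is `KeyID` (`KeyID = Split[2];`), so the first expired-primary-key signature this code sees raises NameError instead of setting GoodSig = 0 — the exact case the commit is meant to handle falls over. The fix is the one-line spelling change `Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyID);`. It is also worth a short comment that an empty result from GPGKeySearch can mean the key is missing from the keyring rather than expired, since the message only names expiry; something like `# GPGKeySearch filters expired primaries, so an empty hit list means expired or absent`. The enclosing signature-checking function starts and ends outside this hunk.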
# to GPG for processing. The result is a list of tuples of the form:
# (KeyID,KeyFinger,Owner,Length)
# Which is similar to the key identification tuple output by GPGChecksig
+#
+# Do not return keys where the primary key has expired
def GPGKeySearch(SearchCriteria):
Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + \
[SearchCriteria," 2> /dev/null"]
Result = [];
Owner = "";
KeyID = "";
+ Expired = None;
Hits = {};
dir = os.path.expanduser("~/.gnupg")
KeyID = Split[4];
Owner = Split[9];
Length = int(Split[2]);
+ Expired = Split[1] == 'e'
# Output the key
if Split[0] == 'fpr':
if Hits.has_key(Split[9]):
continue;
Hits[Split[9]] = None;
- Result.append( (KeyID,Split[9],Owner,Length) );
+ if not Expired:
+ Result.append( (KeyID,Split[9],Owner,Length) );
finally:
if Strm != None:
Strm.close();
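Review bot: The filter at `Expired = Split[1] == 'e'` only drops keys whose validity column is `e`; given that Split[2], Split[4] and Split[9] are read as length, key ID and user ID, this looks like gpg's colon-format validity field, where a revoked (`r`) or disabled (`d`) primary key would be reported with other letters and still be returned here, so a signature from a still-valid subkey of a revoked primary would pass the same GOODSIG path this commit closes for expiry — confirm against the gpg output format before relying on that. If the intent is "primary key is unusable" rather than strictly "expired", `Expired = Split[1] in ('e', 'r', 'd')` with a comment such as `# validity column: e=expired, r=revoked, d=disabled` would close the gap, at the cost of the variable name no longer matching what it tests. Note also that Hits marks the fingerprint as seen before the Expired check, which is fine as long as one pub record precedes each fpr record; the enclosing function GPGKeySearch starts in an earlier hunk and continues past the `finally:` shown here.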