Package: reprepro
Version: 3.9.2-1
Severity: normal
Tags: patch

I was trying to set up an 'update', and provided a 'VerifyRelease:' with
16-digit keyid as specified in the manpage. It appeared to be ignored.
After a bit of debugging, I found an off-by-one error in signature.c
line 129:

        if( kl < fl && strncasecmp(fingerprint+fl-kl,keypart,kl) == 0 )

This should say ' kl <= fl ' - the way it is at the moment enforces that
the VerifyRelease value from the configuration must be *strictly* a
suffix of the 16-digit fingerprint - not an exact match.

A trivial workaround/proof-of-bug is to specify only the last 15 digits
of the keyid on the VerifyRelease line.
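As an added illustration (not code from the report or from reprepro itself), the comparison below reproduces the suffix check in both the reported form and the proposed `kl <= fl` form against constructed, non-real hex values, to show that only the fixed form accepts a key id that is exactly as long as the fingerprint:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, POSIX */
#include <stdbool.h>

/* Suffix match of a configured key id against a fingerprint, in the style
 * of the quoted line from signature.c.  With use_fix == false the length
 * guard is the reported 'kl < fl', so a key id exactly as long as the
 * fingerprint is rejected before the bytes are even compared.  With
 * use_fix == true the guard is 'kl <= fl', the fix the report proposes. */
static bool keyid_matches(const char *fingerprint, const char *keypart, bool use_fix)
{
    size_t fl = strlen(fingerprint);
    size_t kl = strlen(keypart);
    bool length_ok = use_fix ? (kl <= fl) : (kl < fl);

    if (!length_ok)
        return false;
    /* Compare the configured id against the last kl characters, case-insensitively. */
    return strncasecmp(fingerprint + fl - kl, keypart, kl) == 0;
}

/* Convenience wrappers for the two variants being contrasted. */
static bool buggy_match(const char *fingerprint, const char *keypart)
{
    return keyid_matches(fingerprint, keypart, false);
}

static bool fixed_match(const char *fingerprint, const char *keypart)
{
    return keyid_matches(fingerprint, keypart, true);
}

int main(void)
{
    /* Constructed sample values, not a real key id. */
    const char *fpr    = "0123456789ABCDEF";  /* 16-digit fingerprint as stored */
    const char *full   = "0123456789abcdef";  /* the same 16 digits in VerifyRelease */
    const char *last15 = "123456789abcdef";   /* the 15-digit workaround from the report */

    printf("16-digit id, reported code: %s\n", buggy_match(fpr, full) ? "match" : "ignored");
    printf("16-digit id, fixed code:    %s\n", fixed_match(fpr, full) ? "match" : "ignored");
    printf("15-digit id, reported code: %s\n", buggy_match(fpr, last15) ? "match" : "ignored");
    return 0;
}
```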


