@DemiMarie requested changes on this pull request.
This needs #1705 or equivalent to ensure that non-`PGPSIGTYPE_BINARY`
signatures are not accepted as package signatures.
> + if (sigalg->setmpi(sigalg, i, p))
+ break;
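Review bot: the `break` taken when `sigalg->setmpi(sigalg, i, p)` returns non-zero only leaves the loop, and nothing in the quoted lines records that an MPI was refused. Make sure the code after the loop treats an early exit as a parse failure, for example by comparing `i` with the number of MPIs the algorithm expects, so that a signature with a missing or malformed MPI is never passed on to verification.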
This requires a corresponding change in the package signature checking code to
ensure that package signatures are `PGPSIGTYPE_BINARY`. #1705 is one
implementation, and I can replace it with a better one that uses proper
accessor functions.
> + 0x99,
+ (pkt->blen >> 8),
+ (pkt->blen ),
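Review bot: the two length octets `(pkt->blen >> 8)` and `(pkt->blen )` can only represent lengths up to 0xFFFF, and nothing in these lines checks `pkt->blen` against that bound, so a longer body would get a header whose length field does not match it. Reject `pkt->blen > 0xFFFF` before this header is built, and mask each octet with `& 0xff` so the narrowing to a byte is explicit rather than implicit.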
This is inconsistent (at best) for keys larger than 0xFFFF bytes. Not sure if
such keys should just be rejected.
https://github.com/rpm-software-management/rpm/pull/1795#pullrequestreview-778605073