Re: [Rpm-maint] [rpm-software-management/rpm] Validate and require subkey binding signatures on PGP public keys (#1795)

Demi Marie Obenour Thu, 14 Oct 2021 11:21:36 -0700

@DemiMarie commented on this pull request.



> +     if (sigalg->setmpi(sigalg, i, p))
+           break;

What if I made a good quality PR that fixed the problem, either directly or on 
to your branch?  #1705 got NAK’d on the grounds that it added “another struct 
pgpDigParams direct access when we're trying to eliminate those.”  I can 
instead add a proper accessor function (is pgpDigParamsSigType okay?) and use 
it.

> Silly, because if you get an admin to import a key file you have access to, 
> you don't need to pull off stunts like fiddle with subkey binding signatures.

The main worry is if someone does something like:

```
$ gpg --export 'some trusted fingerprint'
```

and their `/usr/bin/gpg` doesn’t bother to check subkey binding signatures when 
exporting.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1795#discussion_r729033785

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] Validate and require subkey binding signatures on PGP public keys (#1795)

Reply via email to