Re: Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures

2020-06-15 Thread Justin Steven
Hi Werner, Thanks for responding

> this is a requirement for OpenPGP because OpenPGP allows to embed a signature
> in encrypted data (combined method in contrast to the rarely used MIME
> containers). Thus when calling the decrypt function you can't know in
> advance whether there will be a

Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures

2020-06-14 Thread Justin Steven
Hi all, On 9 June 2020 I disclosed a vulnerability in fwupd. There was a problem with the way that it used libgpgme to verify the PGP signature of its update metadata. I would like to put it forward for wider discussion: is libgpgme working as intended, or should this particular behaviour be