[git] GnuPG - branch, master, updated. gnupg-2.2.7-168-g214b007
by Werner Koch
cvs at cvs.gnupg.org
Wed Jul 4 09:09:19 CEST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 214b0077264e35c079e854a8b6374704aea45cd5 (commit)
from 996febbab21eb9283b0634e51303a36b318734a6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 214b0077264e35c079e854a8b6374704aea45cd5
Author: Werner Koch <wk at gnupg.org>
Date: Wed Jul 4 08:59:12 2018 +0200
gpg: Extra check for sign usage when verifying a data signature.
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--
Without this patch the signature verification fails only due to the
missing back signature. This check better explains what went wrong.
GnuPG-bug-id: 4014
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/g10/sig-check.c b/g10/sig-check.c
index fc69839..a68e031 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -478,8 +478,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
sig->sig_class, pk->pubkey_usage);
return rc;
}
- /* Fixme: Should we also check the signing capability here for data
- * signature? */
+
+ /* For data signatures check that the key has sign usage. */
+ if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG))
+ {
+ rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+ if (!opt.quiet)
+ log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"),
+ keystr_from_pk (pk), gpg_strerror (rc),
+ sig->sig_class, pk->pubkey_usage);
+ return rc;
+ }
/* Make sure the digest algo is enabled (in case of a detached
* signature). */
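Review bot: The comment on the new block ("For data signatures check that the key has sign usage.") does not record why the check exists. Per the commit message, verification already failed without it because of the missing back signature, so this block only improves the diagnostic. Saying so in the comment would keep the check from later being removed as redundant or moved to a point where the less specific error wins. Two smaller points on the same block: the log_info call prints sig->sig_class and pk->pubkey_usage as bare hex values ("0x%02x, 0x%x") with no labels, so a reader of the message cannot tell which is the signature class and which is the usage mask; and because the message is guarded by "if (!opt.quiet)", a quiet run reports only GPG_ERR_WRONG_KEY_USAGE, which is worth confirming as intended for callers that rely on the return code alone. The diffstat shows only g10/sig-check.c changed, so a regression test that verifies a data signature made by a key without sign usage would be a useful follow-up.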
-----------------------------------------------------------------------
Summary of changes:
g10/sig-check.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org