[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.8-18-gef50fdf

by Werner Koch cvs at cvs.gnupg.org
Wed Jul 4 09:11:02 CEST 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, STABLE-BRANCH-2-2 has been updated
       via  ef50fdf82a459894ed3da7b9be83f89658f1eaba (commit)
      from  04fb76684d8b2c9cda2e5c35bad6edec521cffa5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ef50fdf82a459894ed3da7b9be83f89658f1eaba
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Jul 4 08:59:12 2018 +0200

    gpg: Extra check for sign usage when verifying a data signature.
    
    * g10/sig-check.c (check_signature_end_simple): Check sign usage.
    --
    
    Without this patch the signature verification fails only due to the
    missing back signature.  This check better explains what went wrong.
    
    GnuPG-bug-id: 4014
    Signed-off-by: Werner Koch <wk at gnupg.org>
    (cherry picked from commit 214b0077264e35c079e854a8b6374704aea45cd5)

diff --git a/g10/sig-check.c b/g10/sig-check.c
index e5de025..6b9feeb 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -479,8 +479,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
                   sig->sig_class, pk->pubkey_usage);
       return rc;
     }
-  /* Fixme: Should we also check the signing capability here for data
-   * signature?  */
+
+  /* For data signatures check that the key has sign usage.  */
+  if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG))
+    {
+      rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+      if (!opt.quiet)
+        log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"),
+                  keystr_from_pk (pk), gpg_strerror (rc),
+                  sig->sig_class, pk->pubkey_usage);
+      return rc;
+    }
 
   /* Make sure the digest algo is enabled (in case of a detached
    * signature).  */
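Review bot: The comment on the new `IS_SIG (sig)` check states what is tested but not why. The commit message gives the reason (without the check, verification of such a signature fails only because of the missing back signature), and putting that sentence in the comment would keep the check from later being taken for redundant. Separately, the `log_info` call is guarded by `!opt.quiet`, so in quiet mode the only trace of the failure is the returned `GPG_ERR_WRONG_KEY_USAGE`; since the stated purpose is a better explanation of what went wrong, it is worth confirming that callers report that error code themselves. The two trailing hex values in the message, `sig->sig_class` and `pk->pubkey_usage`, are also printed without labels, which makes the line hard to read without the source at hand.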

-----------------------------------------------------------------------

Summary of changes:
 g10/sig-check.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



