PGPainless/pgpainless
PGPainless
/
pgpainless
mirror of https://github.com/pgpainless/pgpainless.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix accidental verification of thirdparty user-id revocations using primary key

This commit is contained in:
Paul Schaub 2022-03-07 14:56:37 +01:00
parent fc65bb4496
commit f1f7dec8b6
Signed by: vanitasvitae
GPG Key ID: 62BEE9264BF17311
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
View File

@ -169,6 +169,11 @@ public final class SignaturePicker {
PGPSignature latestUserIdRevocation = null;
for (PGPSignature signature : signatures) {
PGPPublicKey signer = keyRing.getPublicKey(signature.getKeyID());
if (signer == null) {
// Signature made by external key. Skip.
continue;
}
try {
SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) {