From f1f7dec8b6b5cae50c8ffea596418e241fe709ab Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Mon, 7 Mar 2022 14:56:37 +0100
Subject: [PATCH] Fix accidental verification of thirdparty user-id revocations using primary key
---
 .../org/pgpainless/signature/consumer/SignaturePicker.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index 5ab81099..be0c87b7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -169,6 +169,11 @@ public final class SignaturePicker {
 PGPSignature latestUserIdRevocation = null;
 for (PGPSignature signature : signatures) {
+ PGPPublicKey signer = keyRing.getPublicKey(signature.getKeyID());
+ if (signer == null) {
+ // Signature made by external key. Skip.
+ continue;
+ }
 try {
 SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
 } catch (SignatureValidationException e) {
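Review bot: The added `signer == null` check only filters out issuers that are absent from `keyRing`, so a revocation whose issuer key ID matches a subkey in the ring still reaches `verifyUserIdRevocation(userId, signature, primaryKey, ...)`, and `signer` is never used after the null check. Because the verification that follows is always against `primaryKey`, comparing the issuer with it directly would state the intent and drop the unused local: `if (signature.getKeyID() != primaryKey.getKeyID()) { continue; }` (this assumes `primaryKey` is the ring's `PGPPublicKey`; its declaration is outside the hunk). The issuer key ID read from the signature is a lookup hint rather than an authenticated value, so the signature check below has to stay the deciding step; a comment such as `// Key ID is only a hint; the verification below decides validity.` would make that explicit. The loop body and its catch block continue outside the hunk, and the patch touches no test file, so a regression test with a third-party user-id revocation would be worth adding.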