From f1f7dec8b6b5cae50c8ffea596418e241fe709ab Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Mon, 7 Mar 2022 14:56:37 +0100
Subject: [PATCH] Fix accidental verification of thirdparty user-id revocations
 using primary key

---
 .../org/pgpainless/signature/consumer/SignaturePicker.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
index 5ab81099..be0c87b7 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
@@ -169,6 +169,11 @@ public final class SignaturePicker {
 
         PGPSignature latestUserIdRevocation = null;
         for (PGPSignature signature : signatures) {
+            PGPPublicKey signer = keyRing.getPublicKey(signature.getKeyID());
+            if (signer == null) {
+                // Signature made by external key. Skip.
+                continue;
+            }
             try {
                 SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
             } catch (SignatureValidationException e) {