PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-01-09 19:57:57 +01:00
Code Issues Releases Wiki Activity

Fix accidental verification of thirdparty user-id revocations using primary key

Browse source
This commit is contained in:
Paul Schaub 2022-03-07 14:56:37 +01:00
parent fc65bb4496
commit f1f7dec8b6
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignaturePicker.java
View file

@ -169,6 +169,11 @@ public final class SignaturePicker {
PGPSignature latestUserIdRevocation = null; PGPSignature latestUserIdRevocation = null;
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
PGPPublicKey signer = keyRing.getPublicKey(signature.getKeyID());
if (signer == null) {
// Signature made by external key. Skip.
continue;
}
try { try {
SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate); SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {