ALHP/ALHP.GO
7
44
Fork 8
Code Issues 31 Pull Requests Projects Releases Wiki Activity

treat expired-key signatures as invalid

Browse Source
This commit is contained in:
Giovanni Harting
2026-04-25 22:16:45 +02:00
parent 79bd4fbdc5
commit 0820f84ce8
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
package.go
View File

@@ -53,14 +53,22 @@ func (pkg Package) Arch() *string {
return &fNameSplit[0]
}
// HasValidSignature returns if package has valid detached signature file
// HasValidSignature returns if package has valid detached signature file.
// Signatures made with a now-expired key (EXPKEYSIG / KEYEXPIRED) or with an expired
// signature timestamp (EXPSIG) are reported invalid even though gpg exits 0 for them.
func (pkg Package) HasValidSignature() (bool, error) {
cmd := exec.Command("gpg", "--verify", string(pkg)+".sig") //nolint:gosec
cmd := exec.Command("gpg", "--verify", "--status-fd", "1", string(pkg)+".sig", string(pkg)) //nolint:gosec
res, err := cmd.CombinedOutput()
switch {
case cmd.ProcessState.ExitCode() == 2 || cmd.ProcessState.ExitCode() == 1:
return false, nil
case cmd.ProcessState.ExitCode() == 0:
s := string(res)
if strings.Contains(s, "[GNUPG:] EXPKEYSIG ") ||
strings.Contains(s, "[GNUPG:] KEYEXPIRED ") ||
strings.Contains(s, "[GNUPG:] EXPSIG ") {
return false, nil
}
return true, nil
case err != nil:
return false, fmt.Errorf("error checking signature: %w (%s)", err, res)