drop KEYEXPIRED check to avoid overmatch on unrelated expired keys

2026-04-25 22:23:26 +02:00
parent 0820f84ce8
commit b06385069b


@@ -54,8 +54,10 @@ func (pkg Package) Arch() *string {
}
// HasValidSignature returns if package has valid detached signature file.
// Signatures made with a now-expired key (EXPKEYSIG / KEYEXPIRED) or with an expired
// Signatures made with a now-expired key (EXPKEYSIG) or with an expired
// signature timestamp (EXPSIG) are reported invalid even though gpg exits 0 for them.
// KEYEXPIRED is intentionally not matched because GnuPG may emit it for unrelated
// expired keys in the keyring, not just the signing key of this signature.
func (pkg Package) HasValidSignature() (bool, error) {
cmd := exec.Command("gpg", "--verify", "--status-fd", "1", string(pkg)+".sig", string(pkg)) //nolint:gosec
res, err := cmd.CombinedOutput()
@@ -65,7 +67,6 @@ func (pkg Package) HasValidSignature() (bool, error) {
case cmd.ProcessState.ExitCode() == 0:
s := string(res)
if strings.Contains(s, "[GNUPG:] EXPKEYSIG ") ||
strings.Contains(s, "[GNUPG:] KEYEXPIRED ") ||
strings.Contains(s, "[GNUPG:] EXPSIG ") {
return false, nil
}
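Review bot: The exit-0 branch in the second hunk still accepts by denylist, so after this change any `gpg` run that exits 0 without an EXPKEYSIG or EXPSIG line is reported valid — including a signature made with a revoked key (REVKEYSIG), which I believe also exits 0 (worth confirming against GnuPG's doc/DETAILS before relying on it). GnuPG reports exactly one of GOODSIG / EXPSIG / EXPKEYSIG / REVKEYSIG per signature, so requiring a `[GNUPG:] GOODSIG ` line is a tighter check than enumerating the bad ones and also sidesteps the KEYEXPIRED overmatch this commit works around. Because `cmd.CombinedOutput()` on the `res, err :=` line folds gpg's human-readable stderr into the same buffer, the match should be done on stdout only (where `--status-fd 1` writes) and per line with `strings.HasPrefix`, not `strings.Contains` over the combined text, since key user IDs echoed in the "Good signature from" message could otherwise satisfy a substring match. `HasValidSignature` continues between and after the two hunks, so the error/exit-code handling there would need to be checked for uses of the combined `res` (with `cmd.Stderr` left nil, `cmd.Output()` still keeps stderr in `*exec.ExitError.Stderr` for error reporting).
```go
	cmd := exec.Command("gpg", "--verify", "--status-fd", "1", string(pkg)+".sig", string(pkg)) //nolint:gosec
	// Status lines go to stdout; gpg's human-readable messages stay on stderr
	// and are not mixed into what we parse.
	res, err := cmd.Output()
	// … unchanged: error and exit-code handling …
	case cmd.ProcessState.ExitCode() == 0:
		// GnuPG emits exactly one of GOODSIG / EXPSIG / EXPKEYSIG / REVKEYSIG per
		// signature; only a good signature from an unexpired, unrevoked key yields GOODSIG.
		for _, line := range strings.Split(string(res), "\n") {
			if strings.HasPrefix(line, "[GNUPG:] GOODSIG ") {
				return true, nil
			}
		}
		return false, nil
```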