[dak/master] Do not consider MD5-based signatures valid
---
daklib/gpg.py | 5 +++++
tests/fixtures/gpg/md5.asc | 13 +++++++++++++
tests/test_gpg.py | 4 ++++
3 files changed, 22 insertions(+)
create mode 100644 tests/fixtures/gpg/md5.asc
diff --git a/daklib/gpg.py b/daklib/gpg.py
index 6968635..9484208 100644
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -196,6 +196,11 @@ class SignedFile(object):
# <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
# <hash-algo> <sig-class> <primary-key-fpr>
if fields[1] == "VALIDSIG":
+ # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+ # which Debian 8 does not yet include. We want to make sure
+ # to not accept uploads covered by a MD5-based signature.
+ if fields[9] == "1":
+ raise GpgException("Digest algorithm MD5 is not trusted.")
self.valid = True
self.fingerprints.append(fields[2])
self.primary_fingerprints.append(fields[11])
diff --git a/tests/fixtures/gpg/md5.asc b/tests/fixtures/gpg/md5.asc
new file mode 100644
index 0000000..accf639
--- /dev/null
+++ b/tests/fixtures/gpg/md5.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: MD5
+
+Message generated with 'gpg2 --digest-algo=md5 --clearsign'
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iJwEAQEBAAYFAlaP2k4ACgkQy51cWChgboRBWAQAqMnBlLPbOrTHY6uJUIf2/qBI
+Bqj9GspTdOyalwnRYY0NC7WTAvhgNig2/xsqHoj0zqYyINNu2ocsMUEWfmO20JAa
+3b1I1BifEGJbrr8Y7WVO80HCcrKmFi18cqRzdgD2e7zwR3Dvf8PEZFcLPIAKy6JY
+nKbgHVdvcVXLr9mj61o=
+=5qF0
+-----END PGP SIGNATURE-----
diff --git a/tests/test_gpg.py b/tests/test_gpg.py
index 7c05196..e7ec86a 100755
--- a/tests/test_gpg.py
+++ b/tests/test_gpg.py
@@ -69,5 +69,9 @@ class GpgTest(DakTestCase):
with self.assertRaises(GpgException):
verify('gpg/plaintext.txt')
+ def test_md5_assertion(self):
+ with self.assertRaises(GpgException):
+ verify('gpg/md5.asc')
+
if __name__ == '__main__':
unittest.main()
--
2.1.4
Reply to: