X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Fgpg.py;h=94842083125a5633a27c8dd58e6014568f9c1b9f;hb=80108bebf0307acfc27d586e6faffe193199b14b;hp=758b5b6251c6ef810baf9126ececf51f2370f287;hpb=4c4d817b9eee1195b84bb1ec642449485fa4c0ee;p=dak.git
diff --git a/daklib/gpg.py b/daklib/gpg.py
index 758b5b62..94842083 100644
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -81,7 +81,7 @@ class SignedFile(object):
 self.expired = False
 self.invalid = False
 self.fingerprints = []
- self.primary_finterprints = []
+ self.primary_fingerprints = []
 self.signature_ids = []
 self._verify(data, require_signature)
 
@@ -196,6 +196,11 @@ class SignedFile(object):
 #
 #
 if fields[1] == "VALIDSIG":
+ # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+ # which Debian 8 does not yet include. We want to make sure
+ # to not accept uploads covered by a MD5-based signature.
+ if fields[9] == "1":
+ raise GpgException("Digest algorithm MD5 is not trusted.")
 self.valid = True
 self.fingerprints.append(fields[2])
 self.primary_fingerprints.append(fields[11])
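Review bot: The bare literal in the added `if fields[9] == "1":` carries the whole digest policy for the VALIDSIG branch, and nothing on the line says that `fields[9]` is the hash-algo token of the status line or that `1` is the OpenPGP id for MD5 (RFC 4880 §9.4); the next deprecation would mean hunting for this magic value. Hoisting it into a named module-level set makes the policy visible and the next change a one-liner, e.g. `UNTRUSTED_DIGEST_ALGOS = frozenset(["1"])  # RFC 4880 section 9.4 hash-algo ids; 1 = MD5` at module scope and `if fields[9] in UNTRUSTED_DIGEST_ALGOS:  # hash-algo field of VALIDSIG` here. The exception message would also be more useful operationally if it carried the algorithm id and the signing fingerprint from `fields[2]`, since a rejected upload is diagnosed from that text alone: `raise GpgException("Digest algorithm {0} used by key {1} is not trusted.".format(fields[9], fields[2]))`. The enclosing method starts and ends outside this hunk, so I cannot see whether a short VALIDSIG line is guarded before this index; the existing `fields[11]` access suggests it is not, but that predates this change.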