Add by-hash support

[dak.git] / daklib / gpg.py

diff --git a/daklib/gpg.py b/daklib/gpg.py
index 758b5b6251c6ef810baf9126ececf51f2370f287..94842083125a5633a27c8dd58e6014568f9c1b9f 100644 (file)
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -81,7 +81,7 @@ class SignedFile(object):
         self.expired = False
         self.invalid = False
         self.fingerprints = []
-        self.primary_finterprints = []
+        self.primary_fingerprints = []
         self.signature_ids = []
 
         self._verify(data, require_signature)
@@ -196,6 +196,11 @@ class SignedFile(object):
         #             <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
         #             <hash-algo> <sig-class> <primary-key-fpr>
         if fields[1] == "VALIDSIG":
+            # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+            # which Debian 8 does not yet include.  We want to make sure
+            # to not accept uploads covered by a MD5-based signature.
+            if fields[9] == "1":
+                raise GpgException("Digest algorithm MD5 is not trusted.")
             self.valid = True
             self.fingerprints.append(fields[2])
             self.primary_fingerprints.append(fields[11])