X-Git-Url: https://git.decadent.org.uk/gitweb/?p=dak.git;a=blobdiff_plain;f=daklib%2Fgpg.py;h=94842083125a5633a27c8dd58e6014568f9c1b9f;hp=6968635ddbe33807d8557e4cf3eeab8ad45a9e50;hb=391f5ec09a119131dc846b796ca791f4cecc69e4;hpb=e2d9d72396226d289ed802a4be3ae9a16fb2b4a7

diff --git a/daklib/gpg.py b/daklib/gpg.py
index 6968635d..94842083 100644
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -196,6 +196,11 @@ class SignedFile(object):
         #             <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
         #             <hash-algo> <sig-class> <primary-key-fpr>
         if fields[1] == "VALIDSIG":
+            # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+            # which Debian 8 does not yet include.  We want to make sure
+            # to not accept uploads covered by a MD5-based signature.
+            if fields[9] == "1":
+                raise GpgException("Digest algorithm MD5 is not trusted.")
             self.valid = True
             self.fingerprints.append(fields[2])
             self.primary_fingerprints.append(fields[11])