X-Git-Url: https://git.decadent.org.uk/gitweb/?p=dak.git;a=blobdiff_plain;f=daklib%2Fgpg.py;h=94842083125a5633a27c8dd58e6014568f9c1b9f;hp=6968635ddbe33807d8557e4cf3eeab8ad45a9e50;hb=65695c362eeffaa4f0dad9c2f19ee14b80c9fb0a;hpb=6950766c139c92a6f028d99374d43f80c7741bb6 diff --git a/daklib/gpg.py b/daklib/gpg.py index 6968635d..94842083 100644 --- a/daklib/gpg.py +++ b/daklib/gpg.py @@ -196,6 +196,11 @@ class SignedFile(object): # # if fields[1] == "VALIDSIG": + # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20, + # which Debian 8 does not yet include. We want to make sure + # to not accept uploads covered by a MD5-based signature. + if fields[9] == "1": + raise GpgException("Digest algorithm MD5 is not trusted.") self.valid = True self.fingerprints.append(fields[2]) self.primary_fingerprints.append(fields[11])