# <expire-timestamp> <sig-version> <reserved> <pubkey-algo>
# <hash-algo> <sig-class> <primary-key-fpr>
if fields[1] == "VALIDSIG":
+ # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+ # which Debian 8 does not yet include. We want to make sure
+ # to not accept uploads covered by a MD5-based signature.
+ if fields[9] == "1":
+ raise GpgException("Digest algorithm MD5 is not trusted.")
self.valid = True
self.fingerprints.append(fields[2])
self.primary_fingerprints.append(fields[11])
--- /dev/null
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: MD5
+
+Message generated with 'gpg2 --digest-algo=md5 --clearsign'
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iJwEAQEBAAYFAlaP2k4ACgkQy51cWChgboRBWAQAqMnBlLPbOrTHY6uJUIf2/qBI
+Bqj9GspTdOyalwnRYY0NC7WTAvhgNig2/xsqHoj0zqYyINNu2ocsMUEWfmO20JAa
+3b1I1BifEGJbrr8Y7WVO80HCcrKmFi18cqRzdgD2e7zwR3Dvf8PEZFcLPIAKy6JY
+nKbgHVdvcVXLr9mj61o=
+=5qF0
+-----END PGP SIGNATURE-----
with self.assertRaises(GpgException):
verify('gpg/plaintext.txt')
+ def test_md5_assertion(self):
+ with self.assertRaises(GpgException):
+ verify('gpg/md5.asc')
+
if __name__ == '__main__':
unittest.main()
projects / dak.git / commitdiff