From 65695c362eeffaa4f0dad9c2f19ee14b80c9fb0a Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt
Date: Sat, 16 Jan 2016 15:48:11 +0100
Subject: [PATCH] Do not consider MD5-based signatures valid
---
 daklib/gpg.py | 5 +++++
 tests/fixtures/gpg/md5.asc | 13 +++++++++++++
 tests/test_gpg.py | 4 ++++
 3 files changed, 22 insertions(+)
 create mode 100644 tests/fixtures/gpg/md5.asc
diff --git a/daklib/gpg.py b/daklib/gpg.py
index 6968635d..94842083 100644
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -196,6 +196,11 @@ class SignedFile(object):
 #
 #
 if fields[1] == "VALIDSIG":
+ # GnuPG accepted MD5 as a hash algorithm until gnupg 1.4.20,
+ # which Debian 8 does not yet include. We want to make sure
+ # to not accept uploads covered by a MD5-based signature.
+ if fields[9] == "1":
+ raise GpgException("Digest algorithm MD5 is not trusted.")
 self.valid = True
 self.fingerprints.append(fields[2])
 self.primary_fingerprints.append(fields[11])
diff --git a/tests/fixtures/gpg/md5.asc b/tests/fixtures/gpg/md5.asc
new file mode 100644
index 00000000..accf6398
--- /dev/null
+++ b/tests/fixtures/gpg/md5.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: MD5
+
+Message generated with 'gpg2 --digest-algo=md5 --clearsign'
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iJwEAQEBAAYFAlaP2k4ACgkQy51cWChgboRBWAQAqMnBlLPbOrTHY6uJUIf2/qBI
+Bqj9GspTdOyalwnRYY0NC7WTAvhgNig2/xsqHoj0zqYyINNu2ocsMUEWfmO20JAa
+3b1I1BifEGJbrr8Y7WVO80HCcrKmFi18cqRzdgD2e7zwR3Dvf8PEZFcLPIAKy6JY
+nKbgHVdvcVXLr9mj61o=
+=5qF0
+-----END PGP SIGNATURE-----
diff --git a/tests/test_gpg.py b/tests/test_gpg.py
index 7c051968..e7ec86af 100755
--- a/tests/test_gpg.py
+++ b/tests/test_gpg.py
@@ -69,5 +69,9 @@ class GpgTest(DakTestCase):
 with self.assertRaises(GpgException):
 verify('gpg/plaintext.txt')
 
+ def test_md5_assertion(self):
+ with self.assertRaises(GpgException):
+ verify('gpg/md5.asc')
+
 if __name__ == '__main__':
 unittest.main()
-- 
2.39.2
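Review bot: The guard `if fields[9] == "1":` in the VALIDSIG branch of daklib/gpg.py rejects exactly one digest, so a signature made with any other hash the archive considers weak still falls through to `self.valid = True`. The bare `"1"` is also opaque: in the VALIDSIG status line that position carries the hash algorithm, and 1 is the OpenPGP id for MD5, which the added comment does not say. I would name the value and make the set extensible, e.g. a module-level `REJECTED_DIGEST_ALGOS = frozenset(["1"])  # OpenPGP hash algorithm ids; 1 = MD5` tested with `if fields[9] in REJECTED_DIGEST_ALGOS:`, or an allowlist of accepted digests if upload policy permits. The enclosing method starts and ends outside this hunk, so how the raised exception interacts with the rest of the status parsing is not visible here.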
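Review bot: `test_md5_assertion` in tests/test_gpg.py asserts only that `GpgException` is raised, the same exception the plaintext case just above expects, so it would still pass if `gpg/md5.asc` were rejected for an unrelated reason and the new MD5 check were never reached (for example if the signing key is absent from the test keyring, which is not visible here). Pin the reason by matching the message, e.g. `with self.assertRaisesRegexp(GpgException, 'MD5'):` (`assertRaisesRegex` on Python 3). A companion fixture signed by the same key with a stronger digest that verifies successfully would show that the hash alone causes the rejection.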