fix(trust): do not count revoked main keys for packager trust
If a main key is revoked we do not want to use those keys to count the required trust threshold.
This commit is contained in:
parent
bae4859fd8
commit
f908838822
@ -85,6 +85,14 @@ def certificate_trust( # noqa: ignore=C901
|
||||
"""
|
||||
|
||||
fingerprint: Fingerprint = Fingerprint(certificate.name)
|
||||
keyring_root = certificate.parent.parent.parent
|
||||
|
||||
# collect revoked main keys
|
||||
main_keys_revoked: Set[Fingerprint] = set()
|
||||
for main_key in main_keys:
|
||||
for revocation in keyring_root.glob(f"main/*/{main_key}/revocation/*.asc"):
|
||||
if main_key.endswith(revocation.stem):
|
||||
main_keys_revoked.add(main_key)
|
||||
|
||||
revocations: Set[Fingerprint] = set()
|
||||
# TODO: what about direct key revocations/signatures?
|
||||
@ -131,6 +139,9 @@ def certificate_trust( # noqa: ignore=C901
|
||||
# only take main key certifications into account
|
||||
if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
|
||||
continue
|
||||
# do not care about revoked main keys
|
||||
if contains_fingerprint(fingerprints=main_keys_revoked, fingerprint=issuer):
|
||||
continue
|
||||
# do not care about certifications that are revoked
|
||||
if contains_fingerprint(fingerprints=revocations, fingerprint=issuer):
|
||||
continue
|
||||
|
@ -161,6 +161,23 @@ def test_certificate_trust_three_main_signature_gives_full_trust(working_dir: Pa
|
||||
assert Trust.full == trust
|
||||
|
||||
|
||||
@create_certificate(username=Username("main1"), uids=[Uid("main1 <foo@bar.xyz>")], keyring_type="main")
|
||||
@create_certificate(username=Username("main2"), uids=[Uid("main2 <foo@bar.xyz>")], keyring_type="main")
|
||||
@create_certificate(username=Username("main3"), uids=[Uid("main3 <foo@bar.xyz>")], keyring_type="main")
|
||||
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
|
||||
@create_uid_certification(issuer=Username("main1"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
|
||||
@create_uid_certification(issuer=Username("main2"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
|
||||
@create_uid_certification(issuer=Username("main3"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
|
||||
@create_key_revocation(username=Username("main3"), keyring_type="main")
|
||||
def test_certificate_trust_three_main_signature_one_revoked(working_dir: Path, keyring_dir: Path) -> None:
|
||||
trust = certificate_trust(
|
||||
test_keyring_certificates[Username("foobar")][0],
|
||||
test_main_fingerprints,
|
||||
test_all_fingerprints,
|
||||
)
|
||||
assert Trust.marginal == trust
|
||||
|
||||
|
||||
@create_certificate(username=Username("main"), uids=[Uid("main <foo@bar.xyz>")], keyring_type="main")
|
||||
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
|
||||
@create_key_revocation(username=Username("foobar"))
|
||||
|
Loading…
Reference in New Issue
Block a user