fix(trust): do not count revoked main keys for packager trust

If a main key is revoked we do not want to use those keys to count
the required trust threshold.
This commit is contained in:
Levente Polyak 2022-02-25 21:36:35 +01:00
parent bae4859fd8
commit f908838822
No known key found for this signature in database
GPG Key ID: FC1B547C8D8172C8
2 changed files with 28 additions and 0 deletions

View File

@ -85,6 +85,14 @@ def certificate_trust( # noqa: ignore=C901
"""
fingerprint: Fingerprint = Fingerprint(certificate.name)
keyring_root = certificate.parent.parent.parent
# collect revoked main keys
main_keys_revoked: Set[Fingerprint] = set()
for main_key in main_keys:
for revocation in keyring_root.glob(f"main/*/{main_key}/revocation/*.asc"):
if main_key.endswith(revocation.stem):
main_keys_revoked.add(main_key)
revocations: Set[Fingerprint] = set()
# TODO: what about direct key revocations/signatures?
@ -131,6 +139,9 @@ def certificate_trust( # noqa: ignore=C901
# only take main key certifications into account
if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
continue
# do not care about revoked main keys
if contains_fingerprint(fingerprints=main_keys_revoked, fingerprint=issuer):
continue
# do not care about certifications that are revoked
if contains_fingerprint(fingerprints=revocations, fingerprint=issuer):
continue

View File

@ -161,6 +161,23 @@ def test_certificate_trust_three_main_signature_gives_full_trust(working_dir: Pa
assert Trust.full == trust
@create_certificate(username=Username("main1"), uids=[Uid("main1 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main2"), uids=[Uid("main2 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main3"), uids=[Uid("main3 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_uid_certification(issuer=Username("main1"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main2"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main3"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_key_revocation(username=Username("main3"), keyring_type="main")
def test_certificate_trust_three_main_signature_one_revoked(working_dir: Path, keyring_dir: Path) -> None:
trust = certificate_trust(
test_keyring_certificates[Username("foobar")][0],
test_main_fingerprints,
test_all_fingerprints,
)
assert Trust.marginal == trust
@create_certificate(username=Username("main"), uids=[Uid("main <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_key_revocation(username=Username("foobar"))