gnupg-2.5.20-gpgme-poppler-expire.patch (3888B)
1 https://bugs.gentoo.org/976749
2
3 From 32f56a2732f0ac6204aad946388789cdbb0e26eb Mon Sep 17 00:00:00 2001
4 Message-ID: <32f56a2732f0ac6204aad946388789cdbb0e26eb.1781166873.git.sam@gentoo.org>
5 From: Philip Le <philip.le@gnupg.com>
6 Date: Thu, 21 May 2026 14:46:46 +0200
7 Subject: [PATCH GnuPG] gpgsm: Fix regression in gpgsm_verify with expired
8 certificates.
9
10 * sm/verify.c (gpgsm_verify): Display information about signers with
11 expired certificate.
12 --
13
14 The loop over signers skipped the parsing of the current signer's
15 information if the certificate is expired.
16
17 GnuPG-bug-id: 8188
18 Fixes-commit: fa1ac5c23d167dde6899536d6d80d9391737d21e
19 ---
20 sm/verify.c | 68 ++++++++++++++++++++++++++---------------------------
21 1 file changed, 34 insertions(+), 34 deletions(-)
22
23 diff --git a/sm/verify.c b/sm/verify.c
24 index e56e0674e..e48b8e374 100644
25 --- a/sm/verify.c
26 +++ b/sm/verify.c
27
@@ -615,6 +615,40 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
28 keyexptime, 0,
29 NULL, 0, &verifyflags);
30
31 + {
32 + char *fpr, *buf, *tstr;
33 +
34 + fpr = gpgsm_fpr_and_name_for_status (cert);
35 + if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
36 + {
37 + gpgsm_status (ctrl, STATUS_EXPKEYSIG, fpr);
38 + rc = 0;
39 + }
40 + else
41 + gpgsm_status (ctrl, STATUS_GOODSIG, fpr);
42 +
43 + xfree (fpr);
44 +
45 + /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then
46 + * ECC. We should use the ECDSA here and need to find a way to
47 + * figure this out without using the bogus assumption in
48 + * gpgsm_check_cms_signature that ECC is always ECDSA. */
49 +
50 + fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
51 + tstr = strtimestamp_r (sigtime);
52 + buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr,
53 + *sigtime? sigtime : "0",
54 + *keyexptime? keyexptime : "0",
55 + info_pkalgo, algo);
56 + xfree (tstr);
57 + /* Handle the --assert-signer option. */
58 + check_assert_signer_list (ctrl, fpr);
59 + xfree (fpr);
60 + /* Print the status line. */
61 + gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
62 + xfree (buf);
63 + }
64 +
65 audit_log_ok (ctrl->audit, AUDIT_CHAIN_STATUS, rc);
66 if (rc) /* of validate_chain */
67 {
68
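Review bot: The relocated status block runs before the `if (rc) /* of validate_chain */` test, so for any chain failure other than GPG_ERR_CERT_EXPIRED it emits STATUS_GOODSIG and STATUS_VALIDSIG before the failure branch is taken. That is presumably the ordering this commit restores, but it deserves a comment at the top of the block, e.g. `/* GOODSIG/VALIDSIG report the signature check only; the chain validation result is reported below. */`, so that nobody reads VALIDSIG as a trust verdict. In the expired case `rc = 0` is also assigned before `audit_log_ok (ctrl->audit, AUDIT_CHAIN_STATUS, rc)`, so the audit log records the chain status as OK and STATUS_EXPKEYSIG is the only visible trace of the expiry. If that is deliberate, say so next to the assignment; otherwise log the chain status before clearing `rc`. The body of the `if (rc)` branch and the rest of gpgsm_verify lie outside the hunk.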
@@ -671,40 +705,6 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
69 goto next_signer;
70 }
71
72 - {
73 - char *fpr, *buf, *tstr;
74 -
75 - fpr = gpgsm_fpr_and_name_for_status (cert);
76 - if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
77 - {
78 - gpgsm_status (ctrl, STATUS_EXPKEYSIG, fpr);
79 - rc = 0;
80 - }
81 - else
82 - gpgsm_status (ctrl, STATUS_GOODSIG, fpr);
83 -
84 - xfree (fpr);
85 -
86 - /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then
87 - * ECC. We should use the ECDSA here and need to find a way to
88 - * figure this out without using the bogus assumption in
89 - * gpgsm_check_cms_signature that ECC is always ECDSA. */
90 -
91 - fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
92 - tstr = strtimestamp_r (sigtime);
93 - buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr,
94 - *sigtime? sigtime : "0",
95 - *keyexptime? keyexptime : "0",
96 - info_pkalgo, algo);
97 - xfree (tstr);
98 - /* Handle the --assert-signer option. */
99 - check_assert_signer_list (ctrl, fpr);
100 - xfree (fpr);
101 - /* Print the status line. */
102 - gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
103 - xfree (buf);
104 - }
105 -
106 audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "good");
107
108 for (i=0; (p = ksba_cert_get_subject (cert, i)); i++)
109 --
110 2.54.0
111