Verified Commit f9088388 authored by Levente Polyak's avatar Levente Polyak 🚀
Browse files

fix(trust): do not count revoked main keys for packager trust

If a main key is revoked we do not want to use those keys to count
the required trust threshold.
parent bae4859f
Pipeline #16293 passed with stage
in 1 minute and 20 seconds
......@@ -85,6 +85,14 @@ def certificate_trust( # noqa: ignore=C901
"""
fingerprint: Fingerprint = Fingerprint(certificate.name)
keyring_root = certificate.parent.parent.parent
# collect revoked main keys
main_keys_revoked: Set[Fingerprint] = set()
for main_key in main_keys:
for revocation in keyring_root.glob(f"main/*/{main_key}/revocation/*.asc"):
if main_key.endswith(revocation.stem):
main_keys_revoked.add(main_key)
revocations: Set[Fingerprint] = set()
# TODO: what about direct key revocations/signatures?
......@@ -131,6 +139,9 @@ def certificate_trust( # noqa: ignore=C901
# only take main key certifications into account
if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
continue
# do not care about revoked main keys
if contains_fingerprint(fingerprints=main_keys_revoked, fingerprint=issuer):
continue
# do not care about certifications that are revoked
if contains_fingerprint(fingerprints=revocations, fingerprint=issuer):
continue
......
......@@ -161,6 +161,23 @@ def test_certificate_trust_three_main_signature_gives_full_trust(working_dir: Pa
assert Trust.full == trust
@create_certificate(username=Username("main1"), uids=[Uid("main1 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main2"), uids=[Uid("main2 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main3"), uids=[Uid("main3 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_uid_certification(issuer=Username("main1"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main2"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main3"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_key_revocation(username=Username("main3"), keyring_type="main")
def test_certificate_trust_three_main_signature_one_revoked(working_dir: Path, keyring_dir: Path) -> None:
trust = certificate_trust(
test_keyring_certificates[Username("foobar")][0],
test_main_fingerprints,
test_all_fingerprints,
)
assert Trust.marginal == trust
@create_certificate(username=Username("main"), uids=[Uid("main <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_key_revocation(username=Username("foobar"))
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment