Merge pull request #353 from roddhjav/master

Ensure the gpg key is trusted.
This commit is contained in:
Jaromil 2019-06-28 09:12:28 +02:00 committed by GitHub
commit 1a93481480
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 14 additions and 1 deletions

View File

@ -48,4 +48,10 @@ test_expect_success 'Testing tomb with GnuPG keys and shared tomb' '
tt_close
'
test_export "untrusted"
test_expect_success 'Testing tomb creation with untrusted GnuPG keys' '
tt_dig -s 20 &&
test_must_fail tt_forge -g -r $KEY_UNTRUSTED
'
test_done

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -67,6 +67,7 @@ export KEY1="A4857CD176B31435F9709D25F0E573B8289439CD"
export KEY2="0B2235E660753AB0475FB3E23DC836481F44B31E"
export SUBKEY1="D89BE71A935779961C130E50D9D7ACED39D3991C!"
export SUBKEY2="843077BF7FD4A9C7BBFC3A69F065568B4F7D6CA9!"
export KEY_UNTRUSTED="E6195F61F5EBA81FE4B1565AAC844B92004240CD"
chmod 700 "$GNUPGHOME"

8
tomb
View File

@ -953,16 +953,22 @@ _ensure_dependencies() {
is_valid_recipients() {
typeset -a recipients
recipients=($@)
trusted=(m f u w s)
_verbose "is_valid_recipients"
# All the keys ID must be valid (the public keys must be present in the database)
for gpg_id in ${recipients[@]}; do
gpg --with-colons --batch --list-keys "$gpg_id" &> /dev/null
trust="$(gpg --with-colons --batch --list-keys "$gpg_id" 2> /dev/null |
awk 'BEGIN { FS=":" } /^pub/ { print $2; exit}')"
[[ $? != 0 ]] && {
_warning "Not a valid GPG key ID: ::1 gpgid:: " $gpg_id
return 1
}
[[ ${trusted[(r)$trust]} != $trust ]] && {
_warning "The key ::1 gpgid:: is not trusted enough" $gpg_id
return 1
}
done
# At least one private key must be present