View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000012 | Main CAcert Website | GPG/PGP | public | 2005-09-06 07:56 | 2013-01-13 13:38 |
| Reporter | Sourcerer | Assigned To | Sourcerer | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2009 Q2 | ||||
| Summary | 0000012: revoked subkeys are also tried to be signed | ||||
| Description | Currently, when you try to get your GPG/PGP key signed by CAcert, the system ignores the revocation of subkeys, and also tries to verify and sign them. Instead, the system should ignore and not sign those subkeys instead. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
2005-09-06 08:00
|
gpg_revoke.diff (1,073 bytes)
--- cacert_orig/www/gpg.php 2005-02-16 19:12:13.000000000 +0100
+++ cacert/www/gpg.php 2005-08-21 03:10:00.000000000 +0200
@@ -36,21 +36,33 @@
if($oldid == "0")
{
$gpgkey = $_POST['CSR'];
- $gpg = `echo "$gpgkey"|gpg --with-colons --homedir /tmp 2>&1`;
+ $gpg = `echo "$gpgkey"|gpg --with-colons -v --homedir /tmp 2>&1`;
+ $gpgarray = explode("\n", $gpg);
$lines = "";
- foreach(explode("\n", $gpg) as $line)
+ $skip = 0;
+ for($i=count($gpgarray)-1; $i >= 0; $i--)
{
- if(substr($line, 0, 3) == "pub" || substr($line, 0, 3) == "uid")
+ if(substr($gpgarray[$i], 0, 3) == "rev")
{
+ $skip=1;
+ continue;
+ }
+ if(substr(gpgarray[$i], 0, 3) == "pub" || substr(gpgarray[$i], 0, 3) == "uid")
+ {
+ if($skip)
+ {
+ $skip = 0;
+ continue;
+ }
if($lines != "")
$lines .= "\n";
- $lines .= $line;
+ $lines .= gpgarray[$i];
}
}
$gpg = $lines;
$expires = 0;
- foreach(explode("\n", $gpg) as $line)
+ foreach($gpgarray as $line)
{
$name = $comment = "";
$bits = explode(":", $line);
|
|
|
Attached is the first version of a patch from HAL (nickname). He started to work on it, and sent me his first version. Unfortunatley, the flood water in Switzerland affected his region, and he wasn ´t seen often since then. So I guess it will be better if someone else tries to finish it and integrate it. (I hope he doesn´t mind ...) |
|
|
The current system and the patch fail to handle key signing correctly. The correct way to do key signing would be to loop through each UID and sign them individually then email them on an individual basis to the user. |
|
|
If proof of possession was implemented it should also incorporate skipping revoked keys. I've seen one implementation of this where the key is imported and then all sub-keys are removed except one, and then the key is removed, then the key is reimported and all sub-keys except one is removed until they are all signed, very hackish and the best solution at present short of re-writing the GPG binaries... |
|
|
The system does not sign revoked subkeys anymore. It also does not stop processing the other UIDs anymore, when a revoked subkey does not verify. The only open issue is that it displays revoked subkeys in green, which is due to a limitation of GnuPG. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2005-09-06 07:56 | Sourcerer | New Issue | |
| 2005-09-06 08:00 | Sourcerer | File Added: gpg_revoke.diff | |
| 2005-09-06 08:01 | Sourcerer | Note Added: 0000004 | |
| 2005-09-06 08:10 | duane | Note Added: 0000005 | |
| 2005-11-22 21:13 | duane | Relationship added | has duplicate 0000043 |
| 2005-11-22 21:20 | duane | Relationship added | child of 0000013 |
| 2005-11-22 21:23 | duane | Note Added: 0000034 | |
| 2006-08-16 19:31 | duane | Status | new => needs work |
| 2006-08-16 19:31 | duane | Assigned To | => Sourcerer |
| 2007-10-24 05:11 | evaldo | Relationship added | related to 0000460 |
| 2009-04-19 23:19 | Sourcerer | Note Added: 0001375 | |
| 2009-04-19 23:19 | Sourcerer | Status | needs work => solved? |
| 2009-04-26 14:54 | Sourcerer | Status | solved? => closed |
| 2009-04-26 14:54 | Sourcerer | Resolution | open => fixed |
| 2013-01-13 13:38 | Werner Dworak | Fixed in Version | => 2009 Q2 |
