[PATCH] Accept "key-missing" from a signature from a revoked key

Date: Thu, 27 Feb 2025 13:18:55 -0500

To: Notmuch Mail

From: Daniel Kahn Gillmor


We have traditionally expected a signature to show up as "revoked"
when the signing key is revoked.  However, GnuPG's recent fix to avoid
a denial of service against legitimate signatures appears to have
changed the status of signature verification from keys which happen to
have been revoked.

See https://bugs.debian.org/1098995 and https://dev.gnupg.org/T7547

This change makes the test suite a little bit less brittle while we
look for a resolution from upstream.  It should probably also be
backported to Debian unstable unless a notmuch release to unstable is
imminent.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 test/T350-crypto.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh
index 27c0e86d..712a0c07 100755
--- a/test/T350-crypto.sh
+++ b/test/T350-crypto.sh
@@ -453,6 +453,7 @@ y
     | gpg --no-tty --quiet --import
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
+    | sed -e 's/"key-\(revoked\|missing\)"/"key-revoked"/g' \
     | sed -e 's|"created": [1234567890]*|"created": 946728000|')
 expected='[[[{"id": "XXXXX",
  "match": true,
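
Review bot: The added sed line rewrites every "key-missing" in the JSON to "key-revoked", so this test can no longer tell a revoked signing key from one that is absent from the keyring. If the preceding `gpg --no-tty --quiet --import` step failed silently, the comparison against the expected output would still pass. Consider asserting separately that the key is present in the keyring before the comparison, so that only the upstream status change is tolerated. The `\|` alternation inside a basic regular expression is also a GNU sed extension and is not portable to other sed implementations; since only one value needs mapping, `s/"key-missing"/"key-revoked"/g` does the same job portably. A short comment above the line pointing at https://dev.gnupg.org/T7547 would make it clear this is a temporary workaround to drop once upstream settles the behaviour.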
-- 
2.47.2
