Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes: > > Please see the attached patch. > > --dkg > > From 6d7f5791830c6d3e7607812116e63c866f3c587c Mon Sep 17 00:00:00 2001 > From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> > Date: Thu, 27 Feb 2025 13:14:08 -0500 > Subject: [PATCH] Accept "key-missing" from a signature from a revoked key > > We have traditionally expected a signature to show up as "revoked" > when the signing key is revoked. However, GnuPG's recent fix to avoid > a denial of service against legitimate signatures appears to have > changed the status of signature verification from keys which happen to > have been revoked. > > See https://bugs.debian.org/1098995 and https://dev.gnupg.org/T7547 > > This change makes the test suite a little bit less brittle while we > look for a resolution from upstream. It should probably also be > backported to debian unstable unless a notmuch release to unstable is > imminent. > > Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> > --- > test/T350-crypto.sh | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh > index 27c0e86d..712a0c07 100755 > --- a/test/T350-crypto.sh > +++ b/test/T350-crypto.sh > @@ -453,6 +453,7 @@ y > | gpg --no-tty --quiet --import > output=$(notmuch show --format=json --verify subject:"test signed message 001" \ > | notmuch_json_show_sanitize \ > + | sed -e 's/"key-\(revoked\|missing\)"/"key-revoked"/g' \ > | sed -e 's|"created": [1234567890]*|"created": 946728000|') > expected='[[[{"id": "XXXXX", > "match": true, > -- > 2.47.2

I have applied this patch to the release and master branches. It will be part of 0.39~rc2 or 0.39.
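
Review bot: the added sed line in the `notmuch show ... --verify` pipeline rewrites "key-missing" to "key-revoked" with no comment in the test saying why, so from the test file alone it is not visible that the test has stopped distinguishing a signature reported as coming from a revoked key from one reported as coming from a missing key. A short comment above the pipeline pointing at https://bugs.debian.org/1098995 and https://dev.gnupg.org/T7547 would mark this as a temporary normalisation to remove once upstream settles the status, so that the revocation check is not left weakened indefinitely. Separately, the `\|` alternation inside a basic regular expression is a GNU sed extension that POSIX does not define; since rewriting "key-revoked" to itself is a no-op, `sed -e 's/"key-missing"/"key-revoked"/g'` has the same effect and works with any sed.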