[dak/master] Reject uploads using weak signatures
---
daklib/archive.py | 1 +
daklib/checks.py | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/daklib/archive.py b/daklib/archive.py
index a4bcf7e..42b2af5 100644
--- a/daklib/archive.py
+++ b/daklib/archive.py
@@ -960,6 +960,7 @@ class ArchiveUpload(object):
# Validate signatures and hashes before we do any real work:
for chk in (
checks.SignatureAndHashesCheck,
+ checks.WeakSignatureCheck,
checks.SignatureTimestampCheck,
checks.ChangesCheck,
checks.ExternalHashesCheck,
diff --git a/daklib/checks.py b/daklib/checks.py
index 9916cc7..0121e59 100644
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -168,6 +168,20 @@ class SignatureAndHashesCheck(Check):
except daklib.upload.UploadException as e:
raise Reject('{0}: {1}'.format(filename, unicode(e)))
+class WeakSignatureCheck(Check):
+ """Check that .changes and .dsc are not signed using a weak algorithm"""
+ def check(self, upload):
+ changes = upload.changes
+ if changes.weak_signature:
+ raise Reject("The .changes was signed using a weak algorithm (such as SHA-1)")
+
+ source = changes.source
+ if source is not None:
+ if source.weak_signature:
+ raise Reject("The source package was signed using a weak algorithm (such as SHA-1)")
+
+ return True
+
class SignatureTimestampCheck(Check):
"""Check timestamp of .changes signature"""
def check(self, upload):
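Review bot: The two Reject messages in WeakSignatureCheck.check name neither the file nor the digest algorithm that was actually used, so an uploader sees only "such as SHA-1" and cannot tell which signature to regenerate. SignatureAndHashesCheck, just above in this hunk, prefixes its rejects with the filename via `'{0}: {1}'.format(filename, unicode(e))`, and the same pattern would fit here, for example `raise Reject('{0}: signed using a weak digest algorithm (such as SHA-1)'.format(changes.filename))`. That assumes the changes and source objects expose a filename attribute, which this hunk does not show. The `weak_signature` attribute is computed outside this diff, so the class docstring should say where it is set and which algorithms count as weak, keeping the policy auditable from one place.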
--
2.1.4