
Bug#642480: (no subject)



On Fri, Sep 23, 2011 at 11:12:17AM +0200, Alexander Neumann wrote:
> Hi,
> 
> * Georgi Guninski <guninski@guninski.com> wrote:
> > i am not sure --check-sigs will fix this.
> 
> I am pretty sure that check-sigs will not fix this :)
> 
> > the keyring contains the colliding ID pub key and according to my tests
> > --check-sigs works too on ubuntu - the signatures are correct and the keys
> > are present.
> 
> What do you mean by "works too on ubuntu"?
> 
> When called with --list-sigs, the output is the same as when gpg is called
> with --check-sigs, just an exclamation mark is added:
> 
> $ gpg --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg --with-colons --list-sigs DB046AD3 | grep -v pub
> [...]
> sig:::17:8B56ED98DB046AD3:2011-09-21::::ubun1 <ubun1@aaaaaaa>:13x:
> sig:::17:8B56ED98DB046AD3:2011-09-21::::ubun1 <ubun1@aaaaaaa>:18x:
> 
> $ gpg --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg --with-colons --check-sigs DB046AD3 | grep -v pub
> [...]
> sig:!::17:8B56ED98DB046AD3:2011-09-21::::ubun1 <ubun1@aaaaaaa>:13x:
> sig:!::17:8B56ED98DB046AD3:2011-09-21::::ubun1 <ubun1@aaaaaaa>:18x:
> 
> This suggests that it makes no difference whether gpg is called with
> list-sigs or check-sigs here.
>

this is exactly my point - there is no difference, so --check-sig is
useless.

sorry for not being clear enough.

btw, even if vanilla debian is not vulnerable, IMO this should be fixed
or ditched because someone might choose to use the buggy code.

-- 
joro
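As an added illustration of the point made in the thread (this is not code from the bug report or from gpg), the following Python parses the `--with-colons` records shown above and reports what a `!` status actually proves. It assumes the standard colon layout (pub/sub key ID in field 5, fpr fingerprint in field 10, sig status in field 2) and uses a constructed listing in which two keys share the long key ID 8B56ED98DB046AD3.

```python
# Classify `gpg --with-colons --check-sigs` records by whether the "!" status
# can be tied to exactly one key in the keyring. Assumes the standard colon
# layout: pub/sub field 5 = key ID, fpr field 10 = fingerprint, sig field 2 =
# status ("!" good, "-" bad, "%" error, empty under --list-sigs), field 5 =
# signer key ID, field 10 = signer user ID.

# Constructed listing (not captured from the bug report): two keys in the
# keyring share the long key ID 8B56ED98DB046AD3, so a "!" on a signature
# from that key ID does not say which of the two keys made it.
SAMPLE = """\
pub:-:1024:17:8B56ED98DB046AD3:2011-09-21:::-:archive <archive@example.invalid>::scESC:
fpr:::::::::0000000000000000000000008B56ED98DB046AD3:
sig:!::17:8B56ED98DB046AD3:2011-09-21::::archive <archive@example.invalid>:13x:
sig:!::17:1111111111111111:2011-09-21::::other <other@example.invalid>:10x:
pub:-:1024:17:8B56ED98DB046AD3:2011-09-21:::-:ubun1 <ubun1@aaaaaaa>::scESC:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF8B56ED98DB046AD3:
sig:!::17:8B56ED98DB046AD3:2011-09-21::::ubun1 <ubun1@aaaaaaa>:13x:
pub:-:1024:17:1111111111111111:2011-09-21:::-:other <other@example.invalid>::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
sig:::17:1111111111111111:2011-09-21::::other <other@example.invalid>:13x:
"""

def parse_listing(text):
    """Return ({key ID: [fingerprints]}, [(status, signer key ID, signer uid)])."""
    keys, sigs, current = {}, [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = f[4]
            keys.setdefault(current, [])
        elif f[0] == "fpr" and current is not None:
            keys[current].append(f[9])
        elif f[0] == "sig":
            sigs.append((f[1], f[4], f[9]))
    return keys, sigs

def verdict(keys, sig):
    """Explain what a single sig record proves about its signer."""
    status, keyid, _uid = sig
    if status != "!":
        return "unverified"            # --list-sigs output, bad or errored sig
    fprs = keys.get(keyid, [])
    if len(fprs) == 1:
        return "good:" + fprs[0]       # only one key in the ring can have made it
    if not fprs:
        return "signer-missing"
    return "ambiguous:%d keys share %s" % (len(fprs), keyid)

def verdicts(text):
    keys, sigs = parse_listing(text)
    return [(uid, verdict(keys, s)) for s in sigs for uid in [s[2]]]
```

Any signature reported as ambiguous should be re-verified against a keyring that holds only the pinned fingerprint, because the `!` alone cannot name the key that produced it.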
