Comment 5 for bug 356012
Revision history for this message
| Michael Vogt (mvo) wrote Re: [SECURITY] APT does not properly handle expired or revoked key signatures | #5 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
My reading of the above is that the gpg method should check for GOODSIG and only accept signatures that have that, VALIDSIG is not enough. This looks like it might be trick to do without adding new strings :/
It also needs to be verified that all versions of gpgv (back down to dapper) behave consistently in the way that is shown above. The test above was done using jaunty.