Control: tags 1098995 + patch

On Thu 2025-02-27 12:59:44 -0500, Daniel Kahn Gillmor wrote:
> On Wed 2025-02-26 21:44:21 -0500, Daniel Kahn Gillmor wrote:
>
>> GnuPG recently fixed a denial of service for signature verification in
>> the keyring on its master branch: https://dev.gnupg.org/T7527
>>
>> However, when i backport the fix for this DoS to debian (2.2.46-2), i
>> get this failure in the notmuch test suite, in T350-crypto.sh:
>
> So this is definitely a change in GnuPG behavior, as reported upstream
> at https://dev.gnupg.org/T7547
>
> Not sure the best way to handle this with notmuch, but perhaps we can
> make a workaround in the notmuch test suite (e.g. accepting either
> "key-revoked" or "key-missing") until we see whether upstream offers a
> resolution.

Please see the attached patch.

       --dkg

From 6d7f5791830c6d3e7607812116e63c866f3c587c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Thu, 27 Feb 2025 13:14:08 -0500
Subject: [PATCH] Accept "key-missing" from a signature from a revoked key

We have traditionally expected a signature to show up as "revoked"
when the signing key is revoked.  However, GnuPG's recent fix to avoid
a denial of service against legitimate signatures appears to have
changed the status of signature verification from keys which happen to
have been revoked.

See https://bugs.debian.org/1098995 and https://dev.gnupg.org/T7547

This change makes the test suite a little bit less brittle while we
look for a resolution from upstream.  It should probably also be
backported to debian unstable unless a notmuch release to unstable is
imminent.

Signed-off-by: Daniel Kahn Gillmor <d...@fifthhorseman.net>
---
 test/T350-crypto.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/T350-crypto.sh b/test/T350-crypto.sh
index 27c0e86d..712a0c07 100755
--- a/test/T350-crypto.sh
+++ b/test/T350-crypto.sh
@@ -453,6 +453,7 @@ y
     | gpg --no-tty --quiet --import
 output=$(notmuch show --format=json --verify subject:"test signed message 001" \
     | notmuch_json_show_sanitize \
+    | sed -e 's/"key-\(revoked\|missing\)"/"key-revoked"/g' \
     | sed -e 's|"created": [1234567890]*|"created": 946728000|')
 expected='[[[{"id": "XXXXX",
  "match": true,
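Review bot: the `\|` alternation in the added line `sed -e 's/"key-\(revoked\|missing\)"/"key-revoked"/g'` is a GNU extension to basic regular expressions, not POSIX, so on a BSD/macOS sed the pattern will not match either value and "key-missing" would still reach the comparison; if the suite is meant to run on non-GNU sed, consider `sed -E -e 's/"key-(revoked|missing)"/"key-revoked"/g'` or two plain substitutions. It would also help to put a one-line comment above the new sed call naming https://dev.gnupg.org/T7547, so that whoever later sees a passing test knows it no longer distinguishes "revoked" from "missing" and can drop the workaround once upstream settles the behaviour.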
-- 
2.47.2
