commit: e99355fe9149356d33f4ae7d81525db19bc54e61
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 21 11:59:31 2025 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Oct 24 18:45:33 2025 +0000
URL: https://gitweb.gentoo.org/proj/gemato.git/commit/?id=e99355fe
openpgp: Explicitly reject keys with no valid UIDs
Explicitly detect keys that have no self-signatures (via missing UID
creation date) and reject them while importing. This is needed to match
GnuPG behavior when using sequoia-chameleon-gnupg.
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
gemato/openpgp.py | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/gemato/openpgp.py b/gemato/openpgp.py
index e7fbe6a..f5ead9f 100644
--- a/gemato/openpgp.py
+++ b/gemato/openpgp.py
@@ -156,7 +156,6 @@ class SystemGPGEnvironment:
prev_pub = None
fpr = None
ret = {}
-
for line in out.splitlines():
# were we expecting a fingerprint?
if prev_pub is not None:
@@ -182,7 +181,14 @@ class SystemGPGEnvironment:
if fpr is None:
raise OpenPGPKeyListingError(
f'UID without key in GPG output: {line}')
- uid = line.split(b':')[9]
+ uid_split = line.split(b":", 10)
+ uid = uid_split[9]
+ # no creation date means missing/broken self-sig
+ if not uid_split[5]:
+ LOGGER.debug(
+ f"list_keys(): skipping UID with missing self-sig: "
+ f"{fpr=}, {uid=!r}")
+ continue
LOGGER.debug(f'list_keys(): UID: {uid}')
ret[fpr].append(uid)
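Review bot: The comment on the new guard (`# no creation date means missing/broken self-sig`) should name what is actually being tested, since `uid_split[5]` is an opaque index to anyone who does not have the `--with-colons` field table in front of them; I would write `# field 6 (creation date) of a --with-colons uid record is empty when the UID has no usable self-signature, so such UIDs are not counted as valid`. The new lines also switch to double quotes while the surrounding code in this block uses single quotes (`f'list_keys(): UID: {uid}'`), so one or the other should be made consistent. Indexing `uid_split[9]` and `[5]` assumes a well-formed record with at least ten fields, as the original line did; a short record would still raise IndexError rather than OpenPGPKeyListingError, which may be worth handling in the same way as the `fpr is None` case above. The enclosing list_keys loop starts outside this hunk.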
@@ -540,6 +546,14 @@ debug-level guru
if not fprs:
raise OpenPGPKeyImportError("No keys imported")
+ imported = self.list_keys(list(fprs))
+ missing = fprs - {fpr for fpr, uids in imported.items() if uids}
+ if missing:
+ raise OpenPGPKeyImportError(
+ "Import succeeded but no valid key for fingerprints: "
+ f"{missing}"
+ )
+
if trust:
self._trusted_keys.update(fprs)
ownertrust = ''.join(f'{fpr}:6:\n' for fpr in fprs).encode('utf8')
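Review bot: The new check rejects the import after the key material has already been written to the keyring, so a key with no valid UID stays in the GPG home when OpenPGPKeyImportError is raised; whether that matters depends on whether this environment's home is ephemeral, which is not visible in the hunk, so at minimum the behaviour should be documented, e.g. `# NOTE: the offending keys remain in the keyring; callers must treat this error as fatal for the whole import`. The set difference `fprs - {...}` also relies on list_keys returning fingerprints in exactly the same form as the ones collected into `fprs` earlier in this method; both presumably come from GPG colon output, but a short comment stating that assumption would help the next maintainer. The enclosing method starts outside this hunk.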