authorWerner Koch <wk@gnupg.org>2014-10-31 10:29:02 +0100
committerWerner Koch <wk@gnupg.org>2014-10-31 10:31:11 +0100
commit28ae8ad70b3b802e67344468a4765eee6e291c68 (patch)
tree4869d784c19ceab0c5354bc39a2d4f75bb073751 /g10/keyring.c
parentgpg: Fix testing for secret key availability. (diff)
gpg: Fix --rebuild-keydb-caches.
* g10/parse-packet.c (parse_key): Store even unsupported packet versions. * g10/keyring.c (keyring_rebuild_cache): Do not copy keys with versions less than 4. -- That function, which is implicitly called while checking the keydb, led to corruption of v3 key packets in the keyring which would later spit out "packet(6)too short" messages. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'g10/keyring.c')
-rw-r--r--g10/keyring.c65
1 files changed, 38 insertions, 27 deletions
diff --git a/g10/keyring.c b/g10/keyring.c
index 6f75b6a78..a1936b3e0 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -1409,40 +1409,51 @@ keyring_rebuild_cache (void *token,int noisy)
goto leave;
}
- /* check all signature to set the signature's cache flags */
- for (node=keyblock; node; node=node->next)
+ if (keyblock->pkt->pkt.public_key->version < 4)
{
- /* Note that this doesn't cache the result of a revocation
- issued by a designated revoker. This is because the pk
- in question does not carry the revkeys as we haven't
- merged the key and selfsigs. It is questionable whether
- this matters very much since there are very very few
- designated revoker revocation packets out there. */
-
- if (node->pkt->pkttype == PKT_SIGNATURE)
+ /* We do not copy/cache v3 keys or any other unknown
+ packets. It is better to remove them from the keyring.
+ The code required to keep them in the keyring would be
+ too complicated. Given that we do not touch the old
+ secring.gpg a suitable backup for decryption of v3 stuff
+ using an older gpg version will always be available. */
+ }
+ else
+ {
+ /* Check all signature to set the signature's cache flags. */
+ for (node=keyblock; node; node=node->next)
{
- PKT_signature *sig=node->pkt->pkt.signature;
+ /* Note that this doesn't cache the result of a
+ revocation issued by a designated revoker. This is
+ because the pk in question does not carry the revkeys
+ as we haven't merged the key and selfsigs. It is
+ questionable whether this matters very much since
+ there are very very few designated revoker revocation
+ packets out there. */
+ if (node->pkt->pkttype == PKT_SIGNATURE)
+ {
+ PKT_signature *sig=node->pkt->pkt.signature;
- if(!opt.no_sig_cache && sig->flags.checked && sig->flags.valid
- && (openpgp_md_test_algo(sig->digest_algo)
- || openpgp_pk_test_algo(sig->pubkey_algo)))
- sig->flags.checked=sig->flags.valid=0;
- else
- check_key_signature (keyblock, node, NULL);
+ if(!opt.no_sig_cache && sig->flags.checked && sig->flags.valid
+ && (openpgp_md_test_algo(sig->digest_algo)
+ || openpgp_pk_test_algo(sig->pubkey_algo)))
+ sig->flags.checked=sig->flags.valid=0;
+ else
+ check_key_signature (keyblock, node, NULL);
- sigcount++;
+ sigcount++;
+ }
}
- }
- /* write the keyblock to the temporary file */
- rc = write_keyblock (tmpfp, keyblock);
- if (rc)
- goto leave;
-
- if ( !(++count % 50) && noisy && !opt.quiet)
- log_info(_("%lu keys cached so far (%lu signatures)\n"),
- count, sigcount );
+ /* Write the keyblock to the temporary file. */
+ rc = write_keyblock (tmpfp, keyblock);
+ if (rc)
+ goto leave;
+ if ( !(++count % 50) && noisy && !opt.quiet)
+ log_info(_("%lu keys cached so far (%lu signatures)\n"),
+ count, sigcount );
+ }
} /* end main loop */
if (rc == -1)
rc = 0;
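Review bot: The new `version < 4` branch drops the whole keyblock from the rebuilt keyring without leaving any trace, so a user running --rebuild-keydb-caches cannot tell that keys were removed; the otherwise empty branch should at least report it, e.g. `if (noisy && !opt.quiet) log_info ("dropping v%d key from keyring\n", keyblock->pkt->pkt.public_key->version);`. The condition also reads `pkt.public_key` out of the packet union unconditionally; unless the code above the hunk already guarantees `keyblock->pkt->pkttype == PKT_PUBLIC_KEY`, a block that starts with another packet type would be misinterpreted here, so that pkttype check should precede the version test. A branch whose body is only a comment is easy to misread as unfinished; inverting the test (`if (version >= 4) { ... }` with the v3 comment moved into an `else`) would make the intent clearer. keyring_rebuild_cache begins before the hunk and its body continues after it.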