fhbash commented Oct 10, 2025

This change only affects the gpgme implementation of signature verification.
The rpm implementation (gpg_rpm.c) is not modified as it already rejects expired keys during import.

Changes:

  • Implements proper detection and handling of expired GPG keys and signatures in the gpgme backend (gpg_gpgme.c)
  • Adds support for key rotation: if data is signed with multiple keys and at least one valid, non-expired signature exists, verification succeeds
  • Only fails verification if ALL signatures are either invalid or expired
  • Provides clear error messages distinguishing between expired keys and expired signatures
  • Adds test case to verify expired signature rejection

type: enhancement
resolves partially: #207

What this PR does not resolve: checking using the RPM backend
Why: the current rpm API doesn't provide an API to check multiple sign/key. The RPM team already has a ticket for that, and it is currently not merged. For more details, see: https://issues.redhat.com/browse/RHEL-112394

I created a new issue to deal with the rpm backend as soon as the change on rpm is deployed. Here is the ticket: #356

Signed-off-by: Fellipe Henrique [email protected]

@fhbash fhbash requested a review from a team as a code owner October 10, 2025 12:39
@fhbash fhbash requested review from ppisar and removed request for a team October 10, 2025 12:39

ppisar commented Oct 10, 2025

First, librepo has two implementations for key verification: gpgme and rpm. You have only edited gpgme. Probably because rpm rejects expired keys on import. Then the commit message should explicitly describe that this change is only about the gpgme implementation.

Then I don't think that returning a failure on any expired key is correct: You link to tickets which aim for a better support for key rotation. I.e. if the data are signed with multiple keys and some of them are expired, but at least one is alive, and its signature is valid, you should return success.

Then I would recommend placing the test data at least one directory up. Why did you place the expired_test directory into tests/test_data/repo_yum_01/repodata? Your new test and the test data have no relation to the tests/test_data/repo_yum_01 content.

Also please run git show --check and remove the trailing white spaces.

@ppisar ppisar self-assigned this Oct 10, 2025

ppisar commented Oct 10, 2025

Regarding the test failures ("Expired signature should be rejected" test failed), it could be caused by not implementing the check in the rpm implementation. That one is used since Fedora 39.

@fhbash fhbash force-pushed the expired-gpg branch 2 times, most recently from 8840134 to 2c80468 Compare October 13, 2025 20:02

ppisar commented Oct 14, 2025

Your tests pass with gpgme backend, but fail with RPM one. That needs to be fixed before merging.

Another problem is that RPM backend requires all nonexpired keys/signatures to be valid. While your current gpgme backend requires at least one. I don't find this dichotomy good.
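
The two acceptance policies contrasted in this thread, as an added example that is not librepo's code: the "at least one valid, non-expired signature" rule from the PR description next to a simplified model of the stricter "all non-expired signatures must be valid" rule. All type and function names are hypothetical, and the order in which failure reasons are reported is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical per-signature outcome; a real backend would derive it
 * from the crypto library's verification result. */
typedef enum { SIG_VALID, SIG_INVALID, SIG_EXPIRED, KEY_EXPIRED } sig_state;
typedef enum { V_OK, V_NO_SIGNATURE, V_INVALID,
               V_SIG_EXPIRED, V_KEY_EXPIRED } verdict;

/* Pick the error to report when nothing usable was found.
 * Reporting expiry ahead of plain invalidity is an assumption. */
static verdict failure_reason(size_t n, bool key_exp, bool sig_exp)
{
    if (n == 0)  return V_NO_SIGNATURE;
    if (key_exp) return V_KEY_EXPIRED;
    if (sig_exp) return V_SIG_EXPIRED;
    return V_INVALID;
}

/* "At least one" policy: a single valid, non-expired signature is enough. */
verdict verify_any_valid(const sig_state *sigs, size_t n)
{
    bool key_exp = false, sig_exp = false;
    for (size_t i = 0; i < n; i++) {
        if (sigs[i] == SIG_VALID)   return V_OK;
        if (sigs[i] == KEY_EXPIRED) key_exp = true;
        if (sigs[i] == SIG_EXPIRED) sig_exp = true;
    }
    return failure_reason(n, key_exp, sig_exp);
}

/* Stricter policy: expired entries are skipped, every remaining
 * signature must be valid, and at least one must remain. */
verdict verify_all_live_valid(const sig_state *sigs, size_t n)
{
    bool key_exp = false, sig_exp = false;
    size_t live = 0;
    for (size_t i = 0; i < n; i++) {
        if (sigs[i] == SIG_INVALID) return V_INVALID;
        if (sigs[i] == SIG_VALID)   live++;
        if (sigs[i] == KEY_EXPIRED) key_exp = true;
        if (sigs[i] == SIG_EXPIRED) sig_exp = true;
    }
    return live ? V_OK : failure_reason(n, key_exp, sig_exp);
}
```

The policies agree on a rotated key set (one expired key, one valid signature) and differ when a valid signature sits next to an invalid one from a live key, which is the case a backend-independent test should pin down.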

…upport

This change only affects the gpgme implementation of signature verification.
The rpm implementation (gpg_rpm.c) is not modified as it already rejects
expired keys during import.

Changes:
- Implements proper detection and handling of expired GPG keys and signatures
  in the gpgme backend (gpg_gpgme.c)
- Adds support for key rotation: if data is signed with multiple keys and
  at least one valid, non-expired signature exists, verification succeeds
- Only fails verification if ALL signatures are either invalid or expired
- Provides clear error messages distinguishing between expired keys and
  expired signatures
- Adds test case to verify expired signature rejection

type: enhancement
resolves: rpm-software-management#207

Signed-off-by: Fellipe Henrique <[email protected]>
@fhbash fhbash changed the title Introduces a proper handle expired GPG signatures Introduces a proper handle expired GPG signatures for GPGME Oct 20, 2025
@fhbash fhbash changed the title Introduces a proper handle expired GPG signatures for GPGME Introduces a proper handle expired GPG signatures - GPGME backend Oct 20, 2025

fhbash commented Oct 23, 2025

/packit test


ppisar commented Oct 27, 2025

/packit copr-build
