tags patch
thanks

Please review the attached patches fixing the two issues mentioned in
this thread:

* Remove revoked uids from keys before processing
* Refuse to sign on a revoked primary key

Thanks!

-- Jerome
From a78ebe82bd16f228f1649790f03e0f91e66cbf2c Mon Sep 17 00:00:00 2001
From: Jerome Charaoui <jer...@riseup.net>
Date: Tue, 19 Jul 2016 16:38:47 -0400
Subject: [PATCH 2/2] Refuse to sign a revoked primary key.

---
 monkeysign/ui.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/monkeysign/ui.py b/monkeysign/ui.py
index 6b34eb9..1289bcd 100644
--- a/monkeysign/ui.py
+++ b/monkeysign/ui.py
@@ -292,6 +292,9 @@ work.
         self.log(_('found %d keys matching your request') % len(keys))
 
         for key in keys:
+            if keys[key].trust == 'r':
+                self.log(_('not signing revoked key %s') % keys[key].keyid())
+                continue
             alluids = self.yes_no(_("""\
 Signing the following key
 
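Review bot: The new guard skips only primary keys whose `trust` is 'r'; if that attribute is the --with-colons validity column (which the 'r' value suggests), an expired primary key ('e') still goes straight to the signing prompt, which is probably not what a signer wants either. Consider `if keys[key].trust in ('r', 'e'):` with the message widened to `_('not signing revoked or expired key %s')`, or at least a second, separate log line for the expired case. As a point of style, the loop already holds the dict, so `for fpr, key in keys.iteritems():` would replace the repeated `keys[key]` lookups, though the rest of the body below the hunk would need the same rename. The enclosing function starts and ends outside this hunk.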
-- 
2.8.1

From a94a87e8a99b95b158dc4557ab74118d0e4b2072 Mon Sep 17 00:00:00 2001
From: Jerome Charaoui <jer...@riseup.net>
Date: Tue, 19 Jul 2016 15:12:55 -0400
Subject: [PATCH 1/2] Always delete revoked UIDs (closes #723763)

Find and delete all revoked UIDs from a public key as soon as it has been
found, so that they are never presented for signing.
---
 monkeysign/gpg.py |  2 +-
 monkeysign/ui.py  | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/monkeysign/gpg.py b/monkeysign/gpg.py
index 456cf3b..1350ed6 100644
--- a/monkeysign/gpg.py
+++ b/monkeysign/gpg.py
@@ -434,7 +434,7 @@ class Keyring():
         # end of copy-paste from sign_key()
         self.context.write(proc.stdin, 'deluid')
         self.context.expect(proc.stderr, 'GOT_IT')
-        self.context.expect(proc.stderr, 'GET_BOOL keyedit.remove.uid.okay')
+        self.context.expect(proc.stderr, r'GET_LINE keyedit.prompt|GET_BOOL keyedit.remove.uid.okay')
         self.context.write(proc.stdin, 'y')
         self.context.expect(proc.stderr, 'GOT_IT')
         self.context.expect(proc.stderr, 'GET_LINE keyedit.prompt')
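Review bot: The widened expect on the changed line now also matches gpg returning straight to the keyedit prompt without asking `keyedit.remove.uid.okay`, i.e. exactly the case where no UID was removed (as far as I recall gpg declines to delete the last user ID and re-prompts when no UID is selected), yet the next two lines still send `y` and wait for the prompt as if the deletion had happened, so the revoked UID silently stays in the temp keyring. If `expect` reports which alternative matched, branch on it: send `y` only after the `keyedit.remove.uid.okay` question and otherwise return a failure (or raise) from del_uid so the UI layer can abort rather than sign. Whether `expect` returns the match is not visible here; if it does not, two separate expects with a timeout for the GET_BOOL case is the alternative. The enclosing del_uid starts before this hunk (its first line is the copy-paste comment) and its return path lies outside it.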
diff --git a/monkeysign/ui.py b/monkeysign/ui.py
index c9b6a30..6b34eb9 100644
--- a/monkeysign/ui.py
+++ b/monkeysign/ui.py
@@ -243,6 +243,19 @@ this should not interrupt the flow of the program, but must be visible to the us
             if not self.tmpkeyring.fetch_keys(self.pattern):
                 self.abort(_('could not find key %s in your keyring or keyservers') % self.pattern)
 
+        """we should never sign a revoked UID"""
+        self.del_revoked_uids()
+
+    def del_revoked_uids(self):
+        """this will remove all revoked UIDs"""
+        for fpr, key in self.tmpkeyring.get_keys().iteritems():
+            todelete = []
+            for uid in key.uids.values():
+                if uid.trust == 'r':
+                    todelete.append(uid.uid)
+            for uid in todelete:
+                self.tmpkeyring.del_uid(fpr, uid)
+
     def copy_secrets(self):
         """import secret keys (but only the public part) from your keyring
 
-- 
2.8.1
