GPG signatures have a timestamp which is checked and if it's in the
future, verification will fail.
Signed-off-by: Florian Pritz
---
Way simpler than the last version, but I'm not sure if this is the
appropriate place or if we should use the status variable to tell the
front end about the failure and handle it there.
lib/libalpm/signing.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index 1e41716..f39e037 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -530,6 +530,10 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path,
string_validity(gpgsig->validity),
gpgme_strerror(gpgsig->validity_reason));
+ if(gpgsig->timestamp > time(NULL)) {
+ _alpm_log(handle, ALPM_LOG_WARNING, _("System time is behind signature timestamp. Verification will fail.\n"));
+ }
+
result = siglist->results + sigcount;
err = gpgme_get_key(ctx, gpgsig->fpr, &key, 0);
if(gpg_err_code(err) == GPG_ERR_EOF) {
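Review bot: The added check `if(gpgsig->timestamp > time(NULL))` compares gpgme's `unsigned long` timestamp with a signed `time_t` and does not handle `time()` returning `(time_t)-1`. Taking the clock once and guarding it makes the intent explicit: `time_t now = time(NULL);` then `if(now != (time_t)-1 && gpgsig->timestamp > (unsigned long)now) {`. The message says "Verification will fail" as a fact, but this branch only compares the two times and does not look at the result gpgme reported, so "may fail" would be safer wording. The warning also does not say which file it concerns; adding the `path` argument, as in `"%s: signature timestamp is ahead of system time"`, would let an operator tell a skewed clock from one oddly dated package. No `#include <time.h>` is added by this patch, so it is worth confirming signing.c already has it; the body of `_alpm_gpgme_checksig` starts and ends outside this hunk.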
--
1.7.11.1