[pacman-dev] [PATCH v2] signing.c: warn if time went backwards

Florian Pritz bluewind at xinu.at
Mon Jul 9 04:31:22 EDT 2012


GPG signatures have a timestamp which is checked and if it's in the
future, verification will fail.

Signed-off-by: Florian Pritz <bluewind at xinu.at>
---
Way simpler than the last version, but I'm not sure if this is the
appropriate place or if we should use the status variable to tell the
front end about the failure and handle it there.

 lib/libalpm/signing.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index 1e41716..f39e037 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -530,6 +530,10 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path,
 				string_validity(gpgsig->validity),
 				gpgme_strerror(gpgsig->validity_reason));
 
+		if(gpgsig->timestamp > time(NULL)) {
+			_alpm_log(handle, ALPM_LOG_WARNING, _("System time is behind signature timestamp. Verification will fail.\n"));
+		}
+
 		result = siglist->results + sigcount;
 		err = gpgme_get_key(ctx, gpgsig->fpr, &key, 0);
 		if(gpg_err_code(err) == GPG_ERR_EOF) {
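Review bot: The added `if(gpgsig->timestamp > time(NULL))` block only calls `_alpm_log()` and records nothing for the caller, so a front end cannot tell a clock problem from any other verification failure. Consider also flagging the condition on the per-signature entry set up just below (`result = siglist->results + sigcount;`), which would settle the question raised in the patch notes about using the status variable. The message states "Verification will fail" as a certainty and gives the user nothing to act on. Printing both the signature timestamp and the current system time would show how far the clock is off. Because the check sits in the per-signature part of the function, a file carrying several signatures can emit the same warning more than once. A single warning per file may be preferable. Two smaller points: the result of `time(NULL)` is used directly without handling the `(time_t)-1` failure return, and the four inserted lines add no `#include <time.h>`, so confirm signing.c already pulls it in. The `_alpm_log()` call is also long enough that the format string should be wrapped onto its own line.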
-- 
1.7.11.1

