Control: forwarded -1 https://github.com/SecurityInnovation/PGPy/issues/471

Xiyue Deng <manp...@gmail.com> writes:

> Hi,
>
> With much testing, I have identified that this was caused by the change
> in gpgme1.0 after upgrading from 1.18.0-6+b1 to 1.23.2-5.  More
> specifically, gpg.Context.verify (which uses gpgme_op_verify underneath)
> now calls "gpg" with "--verify" which caused its behavior to change and
> resulted in the test failure in python-pgpy.  Specifically, previously
> gpg.Context.verify on a signed message will return the original message,
> but now it throws an error of GPG_ERR_NO_DATA, or GPG_ERR_BAD_DATA if it
> encounters garbage following the clearsigned data.
>
> For more details, please see the upstream bug[1] and commit[2] (see also
> commit[3] where gpgme turns off a check of GPG_ERR_BAD_DATA due to this
> behavior change.)
>

Correction: commit[3] was actually changing the type of error due to the
behavior change and the check was not turned off.

> I have tested locally that removing "--verify" from the gpgme invocation
> restores the previous behavior and the python-pgpy tests pass.  However,
> I doubt reverting to previous behavior is something gpgme would want to
> do.  So the usage of gpg.Context.verify() in python-pgpy tests needs to
> adapt to the new behavior.
>
> [1] https://dev.gnupg.org/T6907
> [2] https://dev.gnupg.org/rM1dc44b7c5b9253206af527721212d1f55532a7ee
> [3] https://dev.gnupg.org/rMa73a41109fff3b6d3f81fa29d353419ae45f6dda

I have now prepared an MR[4] to work around this issue (as well as fixes
for Bug#1082248[5]).

[4] https://salsa.debian.org/debian/pgpy/-/merge_requests/2
[5] https://bugs.debian.org/1082248

-- 
Regards,
Xiyue Deng

Attachment: signature.asc
Description: PGP signature
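Added example, not code from python-pgpy, the MR above, or gpgme: the thread says gpg's verify now rejects a buffer with garbage after the clearsigned block instead of handing back the original message. A test that wants the old behaviour can isolate the armored block itself before calling gpg.Context.verify(), and recover the signed cleartext from the block on its own. The function names, and the sample message (a constructed clearsigned block with a fake signature body, never actually signed), are assumptions of this example; nothing here verifies a signature.

```python
"""Isolate a PGP clearsigned block from surrounding bytes and recover its
cleartext (RFC 4880 section 7.1 framing). Added example with hypothetical
helper names; does not verify any signature."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(data: bytes) -> tuple[bytes, bytes]:
    """Return (armored_block, trailing_bytes).

    armored_block runs from the BEGIN PGP SIGNED MESSAGE line through the
    END PGP SIGNATURE line (its line ending included); trailing_bytes is
    whatever followed it, i.e. the "garbage" gpg now objects to.
    Raises ValueError when no complete block is present.
    """
    start = data.find(BEGIN_SIGNED.encode())
    if start == -1:
        raise ValueError("no clearsigned block found")
    end = data.find(END_SIG.encode(), start)
    if end == -1:
        raise ValueError("clearsigned block is not terminated")
    end += len(END_SIG)
    if data[end:end + 2] == b"\r\n":
        end += 2
    elif data[end:end + 1] == b"\n":
        end += 1
    return data[start:end], data[end:]


def has_trailing_garbage(data: bytes) -> bool:
    """True when non-whitespace bytes follow the armored block."""
    _, trailing = split_clearsigned(data)
    return trailing.strip() != b""


def cleartext_from_clearsigned(block: bytes) -> str:
    """Recover the signed text from a clearsigned block.

    Skips the armor headers and the single blank line, stops at the
    signature armor, and removes the "- " dash-escape prefix that
    RFC 4880 requires on lines that begin with a dash. The line ending
    immediately before BEGIN PGP SIGNATURE is not part of the text, so
    the result carries no trailing newline.
    """
    lines = block.decode("utf-8").splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a clearsigned block")
    i = 1
    while i < len(lines) and lines[i] != "":  # "Hash:" armor headers
        i += 1
    i += 1  # the mandatory blank line
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping
        body.append(line)
        i += 1
    if i == len(lines):
        raise ValueError("clearsigned block has no signature section")
    return "\n".join(body)


# Constructed sample: the base64 body is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Hello, world.\n"
    "- -- this line began with dashes and was dash-escaped\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/==\n"
    "=abcd\n"
    "-----END PGP SIGNATURE-----\n"
)
WITH_GARBAGE = SAMPLE + "trailing garbage after the armor\n"

if __name__ == "__main__":
    block, trailing = split_clearsigned(WITH_GARBAGE.encode())
    print("trailing garbage present:", has_trailing_garbage(WITH_GARBAGE.encode()))
    print("cleartext:", repr(cleartext_from_clearsigned(block)))
```

In a test, `split_clearsigned()` gives the bytes to hand to the verifier so the new gpg no longer sees trailing data, and `cleartext_from_clearsigned()` gives the string the old `gpg.Context.verify()` used to return, for comparison against the verifier's output. Whether gpg counts whitespace-only trailing bytes as garbage is not something this example decides; it only reports what follows the block.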