On 8/23/25 20:52, Salvatore Bonaccorso wrote:
> Hi Yadd,
>
> On Sat, Aug 23, 2025 at 02:41:55PM +0200, Yadd wrote:
> > Control: tags -1 + help
> >
> > Hi,
> >
> > I tried to build a test to reproduce CVE-2025-8454 but so far I haven't
> > succeeded: uscan checked signatures. Can someone help here?
> >
> > The MR is https://salsa.debian.org/debian/devscripts/-/merge_requests/552
>
> How about putting a 'fake' (i.e. simulating the previous run, which had
> either an error or did not verify the signature because e.g. sequoia
> was used and upstream still relies on SHA1 signatures) in that
> location, then re-running uscan as described, so mostly replicating what
> Uwe did in https://bugs.debian.org/1109251#5 (note it is not a sopv
> problem here).
>
> "uscan warn: File already downloaded, skipping OpenPGP verification"
> is not enough in this case when --skip-signature is not passed.
>
> Does this help for developing a testcase?
>
> Regards,
> Salvatore
This warning is only for git-tag signatures. If we want to verify the
git-tag signature in this case, this means that we need to ignore
previously downloaded files.
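The following is an added illustration, not code from devscripts or from anyone in this thread. It models the "file already downloaded, skipping verification" pattern the thread is about as a small toy downloader, places a flawed variant beside a corrected one, and encodes the pre-seeded-destination test Salvatore suggests: leave a file from a simulated earlier run in the destination directory, re-run the download, and check whether verification still happens. The signature check is a constructed SHA-256 stand-in, not OpenPGP, and the model does not distinguish git-tag signatures from tarball signatures; function names, the sample bytes and the file name are all invented for the example.

```python
"""Toy model of a download step that must not skip signature verification
just because the destination file already exists (added example, not
devscripts code).  verify_signature() is a constructed hash check standing
in for OpenPGP verification."""
import hashlib
import os
import tempfile


def make_sig(data: bytes) -> str:
    # Constructed stand-in for a detached signature: hex SHA-256 of the body.
    return hashlib.sha256(data).hexdigest()


def verify_signature(path: str, sig: str) -> bool:
    # Verify the file that is actually on disk, not the bytes we meant to fetch.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == sig


def fetch(data: bytes, dest: str) -> None:
    # Stand-in for the network download.
    with open(dest, "wb") as f:
        f.write(data)


def download_vulnerable(upstream: bytes, sig: str, dest: str,
                        skip_signature: bool = False) -> str:
    """Flawed flow: if dest already exists, both the download and the
    signature check are skipped, and only a warning is emitted."""
    if os.path.exists(dest):
        return "warn: File already downloaded, skipping OpenPGP verification"
    fetch(upstream, dest)
    if skip_signature:
        return "skipped (--skip-signature)"
    return "verified" if verify_signature(dest, sig) else "FAILED"


def download_fixed(upstream: bytes, sig: str, dest: str,
                   skip_signature: bool = False) -> str:
    """Corrected flow: an already-present file is reused, but it is still
    verified unless the caller explicitly asked to skip verification."""
    if not os.path.exists(dest):
        fetch(upstream, dest)
    if skip_signature:
        return "skipped (--skip-signature)"
    return "verified" if verify_signature(dest, sig) else "FAILED"


def run_preseeded_test(download) -> str:
    """Pre-seed the destination with a file left over from a simulated
    earlier run (here: tampered bytes), then re-run the download.
    A correct implementation must report FAILED, not a warning."""
    upstream = b"legit tarball bytes"          # constructed sample input
    sig = make_sig(upstream)
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "pkg_1.0.orig.tar.gz")  # invented name
        fetch(b"tampered bytes from an earlier run", dest)
        return download(upstream, sig, dest)


def run_fresh_test(download) -> str:
    """Control case: nothing pre-seeded, the fresh download must verify."""
    upstream = b"legit tarball bytes"
    sig = make_sig(upstream)
    with tempfile.TemporaryDirectory() as d:
        return download(upstream, sig, os.path.join(d, "pkg_1.0.orig.tar.gz"))


if __name__ == "__main__":
    print("vulnerable, pre-seeded:", run_preseeded_test(download_vulnerable))
    print("fixed, pre-seeded:     ", run_preseeded_test(download_fixed))
    print("fixed, fresh:          ", run_fresh_test(download_fixed))
```

The point of the pre-seeded test is that the two variants agree on a fresh download and only diverge when something is already in the destination directory, which is exactly the state a regression test for this class of bug has to construct before calling the tool.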