gpg: Ignore all SHA-1 signatures in 3rd party key signatures.
authorWerner Koch <wk@gnupg.org>
Thu, 3 Oct 2019 16:20:59 +0000 (18:20 +0200)
committerWerner Koch <wk@gnupg.org>
Thu, 3 Oct 2019 16:20:59 +0000 (18:20 +0200)
* g10/sig-check.c (check_signature_over_key_or_uid): No cut-off date
and remove debug output.
--

With 2.2 we do not support SHA-1 key signatures anymore even if
that means that the WoT shrinks.

Signed-off-by: Werner Koch <wk@gnupg.org>
g10/sig-check.c

index 139ad93..3d8ed20 100644 (file)
@@ -1012,16 +1012,12 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
   else if (IS_UID_SIG (sig) || IS_UID_REV (sig))
     {
       log_assert (packet->pkttype == PKT_USER_ID);
-      log_debug ("algo=%d selfsig=%d tm=%lu\n",
-                 sig->digest_algo, *is_selfsig, (unsigned long)sig->timestamp);
-      if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig
-          && sig->timestamp > 1547856000)
+      if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig)
         {
           /* If the signature was created using SHA-1 we consider this
            * signature invalid because it makes it possible to mount a
            * chosen-prefix collision.  We don't do this for
-           * self-signatures or for signatures created before the
-           * somewhat arbitrary cut-off date 2019-01-19.  */
+           * self-signatures, though.  */
           rc = gpg_error (GPG_ERR_DIGEST_ALGO);
         }
       else
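Review bot: The relaxed condition on the new line `if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig)` sits under a branch that covers both IS_UID_SIG and IS_UID_REV, so a third-party SHA-1 revocation of a certification is now discarded too; where the certification being revoked used a stronger digest, that revocation fails open and the certification stays in force, whereas a collision-forged revocation could only cause a denial of trust, not a false one. Consider exempting IS_UID_REV here or at least recording the trade-off in the comment, e.g. `* Note that this also drops SHA-1 certification revocations, so a` / `* revoked non-SHA-1 certification may remain in effect.` Only DIGEST_ALGO_SHA1 is tested at this site; MD5 is presumably refused on another path (weak-digest handling), which is worth confirming since this check would otherwise let it through. check_signature_over_key_or_uid begins before the hunk and its body continues past the trailing `else`.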