gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

OpenPGP verification fails #290

Closed tschmidtb51 closed 2 years ago

tschmidtb51 commented 2 years ago

Currently, an OpenPGP verification fails if two OpenPGP keys are listed in the provider-metadata.json and the file was signed with the first one listed.

Tested with v0.9.6 csaf_checker and csaf_downloader; csaf_aggregator might be affected as well.

bernhardreiter commented 2 years ago

Turns out, the test signature was using a SHA1 hash and https://github.com/ProtonMail/gopenpgp/blob/main/crypto/signature.go#L20 does not allow this hash anymore.

This is fine because BSI's BSI TR-02102-1 2022-01 also does not recommend SHA1.