keybase / go-crypto

[mirror] Go supplementary cryptography libraries
https://godoc.org/golang.org/x/crypto
BSD 3-Clause "New" or "Revised" License

Mind expiry date when looking for sig for subkey #50

Closed zapu closed 7 years ago

zapu commented 7 years ago

When parsing keys, take the signature with the furthest expiration date, instead of the first signature that comes along.

Fixes: https://github.com/keybase/keybase-issues/issues/2604
Internal ticket: CORE-3879

@oconnor663 Please review, thank you!

zapu commented 7 years ago

But can also wait for @maxtaco , no problem!

maxtaco commented 7 years ago

Great work! 👍

smurfix commented 7 years ago

Thanks a lot! However: If the signature you find isn't even valid currently, you still have a problem.

zapu commented 7 years ago

I think the signatures are checked beforehand (err = e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig), line 594) so if it happens that there is a signature that extends further in time but is invalid, it will not "win".

zapu commented 7 years ago

Also thank you for your patience! It will probably take a few days before client's dependency is updated and a new version is released.
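
The selection rule discussed in this thread (verify each subkey binding signature first, then keep the one that expires furthest in the future), as an added example that is not the go-crypto patch or any code from the project. The `bindingSig` type, its fields, `outlasts` and `pickBinding` are hypothetical, the `valid` flag stands in for the result of a real signature verification, and ranking a signature with no expiry above any finite one is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"time"
)

// bindingSig is a hypothetical, simplified stand-in for a subkey binding
// signature; it is not a type from go-crypto.
type bindingSig struct {
	id       string
	created  time.Time
	lifetime time.Duration // 0 means the signature sets no expiry
	valid    bool          // stand-in for the result of cryptographic verification
}

// outlasts reports whether a keeps the subkey usable longer than b.
// Assumption of this example: no expiry beats any finite expiry.
func outlasts(a, b bindingSig) bool {
	if a.lifetime == 0 || b.lifetime == 0 {
		return a.lifetime == 0 && b.lifetime != 0
	}
	return a.created.Add(a.lifetime).After(b.created.Add(b.lifetime))
}

// pickBinding returns the verified signature with the furthest expiry,
// or nil when no candidate verified.
func pickBinding(sigs []bindingSig) *bindingSig {
	var best *bindingSig
	for i := range sigs {
		if !sigs[i].valid {
			continue // an unverified signature never wins, however far it extends
		}
		if best == nil || outlasts(sigs[i], *best) {
			best = &sigs[i]
		}
	}
	return best
}

func main() {
	t0 := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	day := 24 * time.Hour
	sigs := []bindingSig{{"first", t0, 365 * day, true}, {"extended", t0, 730 * day, true}, {"forged", t0, 3650 * day, false}}
	fmt.Println(pickBinding(sigs).id)
}
```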