[pkg-gnupg-maint] Bug#978630: Bug#978630: gnupg: --check-sigs trusts weak digest alg if weak digest was trusted when importing key

Ansgar ansgar at 43-1.org
Tue Dec 29 14:55:18 GMT 2020

On Tue, 2020-12-29 at 15:36 +0100, Werner Koch wrote:
> gpg caches key signature verification results.  Use --no-sig-cache to
> disable this cache.

But only sometimes?  As said in my follow-up for the key imported via
`--recv-keys` the verification status of `--check-sigs` changes as
expected when I also pass `--allow-weak-digest-algos`; I can call
`--check-sigs` with and without `--allow-weak-digest-algos` as many
times as I want and the result still changes.  So neither
`--recv-keys` nor `--check-sigs` seems to update the cache.

There seems to be only a cached signature when I import the key via

