proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-05-19 12:17:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Always enforce the metadata signature has a valid timestamp

Browse Source 
Although this is something that we have always done on the LVFS, corporate
deployments that resign the firmware or metadata might not be signing the files
in the same way.

Always require a timestamp to prevent allowing an inadvertent rollback attack.
This commit is contained in:
Richard Hughes 2020-05-29 07:51:38 +01:00
parent a22310374e
commit 64ebf91124
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/fu-engine.c
View File

@ -3175,8 +3175,14 @@ fu_engine_validate_result_timestamp (JcatResult *jcat_result,
g_return_val_if_fail (JCAT_IS_RESULT (jcat_result), FALSE);
g_return_val_if_fail (JCAT_IS_RESULT (jcat_result_old), FALSE);
if (jcat_result_get_timestamp (jcat_result) > 0 &&
jcat_result_get_timestamp (jcat_result_old) > 0) {
if (jcat_result_get_timestamp (jcat_result) == 0) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_INVALID_FILE,
"no signing timestamp");
return FALSE;
}
if (jcat_result_get_timestamp (jcat_result_old) > 0) {
delta = jcat_result_get_timestamp (jcat_result) -
jcat_result_get_timestamp (jcat_result_old);
}