When verifying a signature the valid results are ordered by timestamp. The
CHECKSUM results have a zero timestamp and should have been ordered last.
The sorting callback was wrong, which explains the odd result where we could
downgrade Jcat signatures before we fixed 64ebf9, and nicely explains why we
ignored a timestamp of zero in the first place.
When getting the timestamp, ensure we actually get the newest _signature_ not
just the newest result in case checksums start having timestamps in the future
for some reason. Use new API from libjcat where available, else fall back to
sneaking it out using GObject properties and magic values.
When verifying a signature the valid results are ordered by timestamp. The
CHECKSUM results have a zero timestamp and should have been ordered last.
The sorting callback was wrong, which explains the odd result where we could
downgrade Jcat signatures before we fixed 64ebf9, and nicely explains why we
ignored a timestamp of zero in the first place.
When getting the timestamp, ensure we actually get the newest _signature_ not
just the newest result in case checksums start having timestamps in the future
for some reason. Use new API from libjcat where available, else fall back to
sneaking it out using GObject properties and magic values.
As both hub devices share a FuVliUsbhubDeviceClass instance we cannot 'hijack'
the vfuncs depending on object type. This allows the downstream hub to proxy to
the upstream hub where a GPIOB reset can be performed.
We can have multiple FuVliPdDevice objects registered with the daemon, but they
will all share the FuVliPdDeviceClass instance. If one device requries a
silicon workaround, do not 'hijack' the vfunc for all devices of this type.
This means we do the right thing when updating both the one that requires the
workaround, and the 'normal' one.
One vendor is shipping a cab archive with two metadata files, both referencing
the same GUID. The 'correct' metainfo description is selected using a GUID
'other device' requirement. This works fine when installing, but breaks when
double clicking on the .cab file as both components are valid, and thus get
returned.
In this case, return the component that matches the requirement 'first' so that
it gets chosen by gnome-software as the default.
Although this is something that we have always done on the LVFS, corporate
deployments that resign the firmware or metadata might not be signing the files
in the same way.
Always require a timestamp to prevent allowing an inadvertent rollback attack.
If a detached signature is actually a PGP message, gpgme_op_verify() returns
the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
builds an empty list.
Explicitly check for no signatures present to avoid returning a FuKeyringResult
with no timestamp and an empty authority.
Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
coordinated disclosure of this issue. Fixes CVE-2020-10759
