From ad12a309987683f89d7e6ac70defbc38b9d44c81 Mon Sep 17 00:00:00 2001
From: Christoph Goehre
Date: Thu, 23 Nov 2023 16:00:43 +0000
Subject: Check GPG keyrings for read access before using them. Otherwise gpgv will reject files with a valid signature when the keyring is not readable. Closes: #1027263
---
 minidinstall/DebianSigVerifier.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/minidinstall/DebianSigVerifier.py b/minidinstall/DebianSigVerifier.py
index 17a6ec2..18082d1 100644
--- a/minidinstall/DebianSigVerifier.py
+++ b/minidinstall/DebianSigVerifier.py
@@ -23,6 +23,7 @@ from .GPGSigVerifier import *
 class DebianSigVerifier(GPGSigVerifier):
 _dpkg_ring = '/etc/dpkg/local-keyring.gpg'
+ keyrings_r_ok = []
 def __init__(self, keyrings=None, extra_keyrings=None):
 if not keyrings:
@@ -31,6 +32,9 @@ class DebianSigVerifier(GPGSigVerifier):
 keyrings.append(self._dpkg_ring)
 if extra_keyrings:
 keyrings.extend(extra_keyrings)
- GPGSigVerifier.__init__(self, keyrings)
+ for keyring in keyrings:
+ if os.access(keyring, os.R_OK):
+ self.keyrings_r_ok.append(keyring)
+ GPGSigVerifier.__init__(self, self.keyrings_r_ok)
 # vim:ts=4:sw=4:et:
--
cgit v1.2.3
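Review bot: `keyrings_r_ok = []` is declared on the class, so the `self.keyrings_r_ok.append(keyring)` added in the second hunk grows one list shared by every DebianSigVerifier created in the process. A later verifier built with a narrower keyring set would still hand GPGSigVerifier every keyring accepted by earlier instances, which widens the set of keys trusted for signature checks, and repeated construction keeps appending duplicates. Build the list per call instead, `readable = [k for k in keyrings if os.access(k, os.R_OK)]` followed by `GPGSigVerifier.__init__(self, readable)`, and drop the class attribute (or assign `self.keyrings_r_ok = readable` if other code reads it). The `__init__` body starts outside both hunks.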
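Review bot: Keyrings that fail `os.access` in the new loop of the second hunk are dropped without any message, and nothing stops an empty list from reaching `GPGSigVerifier.__init__`. What GPGSigVerifier does with no keyrings is outside this diff; if it simply omits `--keyring`, gpgv falls back to its default trustedkeys keyring in the GnuPG home directory, which is probably not the trust anchor the operator configured. Log each skipped path and fail closed when the filtered list is empty instead of calling `GPGSigVerifier.__init__` with `[]`. `os` is also not imported in the visible hunks, so it presumably arrives through `from .GPGSigVerifier import *`; an explicit `import os` would make that dependency visible.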