[pbs-devel] [PATCH proxmox-backup 6/7] fix #3139: manifest: check fingerprint when loading with key
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 17 18:57:24 CET 2020
otherwise loading will run into the signature mismatch which is
technically true, but not the complete picture in this case.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
src/backup/manifest.rs | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/backup/manifest.rs b/src/backup/manifest.rs
index 5922144d..eb204c96 100644
--- a/src/backup/manifest.rs
+++ b/src/backup/manifest.rs
@@ -265,6 +265,11 @@ impl BackupManifest {
if let Some(ref crypt_config) = crypt_config {
if let Some(signature) = signature {
let expected_signature = proxmox::tools::digest_to_hex(&Self::json_signature(&json, crypt_config)?);
+
+ let fingerprint = &json["unprotected"]["key-fingerprint"];
+ if fingerprint != &Value::Null {
+ BackupManifest::check_fingerprint_value(fingerprint, crypt_config)?;
+ }
if signature != expected_signature {
bail!("wrong signature in manifest");
}
--
2.20.1
More information about the pbs-devel
mailing list