Posted to dev@whimsical.apache.org by "Sam Ruby (JIRA)" <ji...@apache.org> on 2019/08/01 17:34:00 UTC

[jira] [Commented] (WHIMSY-285) gpg: Can't check signature: No public key Insecure operation - unlink

    [ https://issues.apache.org/jira/browse/WHIMSY-285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16898217#comment-16898217 ] 

Sam Ruby commented on WHIMSY-285:
---------------------------------

Based on testing locally, the error occurs on the following line:

[https://github.com/apache/whimsy/blob/e5f07a10444d1a61818c8e0cb3cfb6b0cc377b22/www/secretary/workbench/views/actions/check-signature.json.rb#L78]

So it appears that openuri under certain circumstances creates a temporary file and when it deletes that file it doesn't untaint the path name.  Possible solutions are to avoid the use of openuri, or even to back out all of the TEMPORARY HACK (WHIMSY-275) completely.

> gpg: Can't check signature: No public key Insecure operation - unlink
> ---------------------------------------------------------------------
>
>                 Key: WHIMSY-285
>                 URL: https://issues.apache.org/jira/browse/WHIMSY-285
>             Project: Whimsy
>          Issue Type: Bug
>          Components: SecMail
>            Reporter: Matt Sicker
>            Assignee: Craig L Russell
>            Priority: Major
>
> See https://whimsy.apache.org/secretary/workbench/201907/1f7c69db9d/ and try to verify the GPG key. Running {{gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys KEY_ID}} locally does find the key (gpg (GnuPG) 2.2.16).



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
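
One circumstance in which open-uri creates a temporary file, shown as an added example (not part of the original comment and not Whimsy's code): a response body larger than `OpenURI::Buffer::StringMax` bytes is moved from an in-memory `StringIO` into a `Tempfile`, which is later unlinked. `OpenURI::Buffer` is an internal, undocumented class of the open-uri library; `backing_class_for` is a hypothetical helper and the bodies are constructed in place of a real key server response.

```ruby
require 'open-uri'
require 'stringio'
require 'tempfile'

# Returns the class of the IO object open-uri hands back for a response
# body of +size+ bytes. OpenURI::Buffer is the internal class in which
# open-uri accumulates a response body before returning it to the caller.
def backing_class_for(size)
  buf = OpenURI::Buffer.new
  buf << ('x' * size)                # constructed body, no network access
  io = buf.io
  io.class
ensure
  # Tempfile#close! closes and unlinks the file: the same kind of unlink
  # that the error message in this issue names.
  io.close! if io.is_a?(Tempfile)
end

if __FILE__ == $0
  limit = OpenURI::Buffer::StringMax
  [limit, limit + 1].each do |size|
    puts "#{size} bytes -> #{backing_class_for(size)}"
  end
end
```

A fetch that reads the body straight into a String, such as `Net::HTTP.get`, never creates this temporary file.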