Two fixes related to the check that a key has another signature on it.
Firstly, if any of the UIDs has a signature from another key then allow
all of them. Otherwise it's not possible to add a new UID to an existing
key. Our primary concern is that the key is linked into the WoT, rather
than policing individual UIDs.
Secondly, if a key is already present in the backend database then don't
perform the other signature check. If we've added to the backend and all
of the cross signatures are removed then it would be no longer possible
to update the key, which isn't what we want. If we've trusted it at some
point and added it then we should allow verifiable updates, even if
there are no valid cross signatures left.
projects / onak.git / commit