From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Retry asymmetric key search in restrict_link_by_signature() to support the case of partial IDs, provided by PGP signatures (only the last 8 bytes). Although RFC 9580 supports the signature subpacket type 33, which contains the full issuer fingerprint, we cannot rely on existing signatures to support it. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> --- crypto/asymmetric_keys/restrict.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index afcd4d101ac5..dd3d4b3405f7 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -97,8 +97,14 @@ int restrict_link_by_signature(struct key *dest_keyring, key = find_asymmetric_key(trust_keyring, sig->auth_ids[0], sig->auth_ids[1], sig->auth_ids[2], false); - if (IS_ERR(key)) - return -ENOKEY; + if (IS_ERR(key)) { + /* Retry with a partial ID. */ + key = find_asymmetric_key(trust_keyring, + sig->auth_ids[0], sig->auth_ids[1], + sig->auth_ids[2], true); + if (IS_ERR(key)) + return -ENOKEY; + } if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) ret = -ENOKEY; -- 2.34.1