authorAndrej Shadura <andrewsh@debian.org>2020-01-09 16:17:03 +0100
committerAndrej Shadura <andrewsh@debian.org>2020-01-09 16:17:03 +0100
commit28d0d5b4c00c61f6a09c518d84b255749d183636 (patch)
tree7505dd34adf06f0a2486de690b2bf163caecd9e4 /synapse/crypto/keyring.py
parentb532109d6f548f1aeb4c547919ebfa4a9bed6556 (diff)
New upstream version 1.8.0
Diffstat (limited to 'synapse/crypto/keyring.py')
-rw-r--r--synapse/crypto/keyring.py13
1 files changed, 7 insertions, 6 deletions
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
index 7cfad192..6fe5a6a2 100644
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@@ -511,17 +511,18 @@ class BaseV2KeyFetcher(object):
server_name = response_json["server_name"]
verified = False
for key_id in response_json["signatures"].get(server_name, {}):
- # each of the keys used for the signature must be present in the response
- # json.
key = verify_keys.get(key_id)
if not key:
- raise KeyLookupError(
- "Key response is signed by key id %s:%s but that key is not "
- "present in the response" % (server_name, key_id)
- )
+ # the key may not be present in verify_keys if:
+ # * we got the key from the notary server, and:
+ # * the key belongs to the notary server, and:
+ # * the notary server is using a different key to sign notary
+ # responses.
+ continue
verify_signed_json(response_json, server_name, key.verify_key)
verified = True
+ break
if not verified:
raise KeyLookupError(