1 files changed, 29 insertions, 0 deletions

diff --git a/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
new file mode 100644
index 0000000..6a0e778
--- /dev/null
+++ b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
@@ -0,0 +1,29 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 30 Jun 2019 11:54:35 -0400
+Subject: dirmngr: Only use SKS pool CA for SKS pool
+
+* dirmngr/http.c (http_session_new): when checking whether the
+keyserver is the HKPS pool, check specifically against the pool name,
+as ./configure might have been used to select a different default
+keyserver.  It makes no sense to apply Kristian's certificate
+authority to anything other than the literal host
+hkps.pool.sks-keyservers.net.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 5e3f17c..40160e0 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -768,7 +768,7 @@ http_session_new (http_session_t *r_session,
+ 
+     is_hkps_pool = (intended_hostname
+                     && !ascii_strcasecmp (intended_hostname,
+-                                          get_default_keyserver (1)));
++                                          "hkps.pool.sks-keyservers.net"));
+ 
+     /* If we are looking for the hkps pool from sks-keyservers.net,
+      * then forcefully use its dedicated certificate authority.  */