{
  "commit": "a511e1af8b12f44c6e55786c463c9f093c214fb6",
  "tree": "68451cc38ab74ac81f11825a407008c01918147b",
  "parents": [
    "99716b7cae8263e1c7e7c1987e95d8f67071ab3e"
  ],
  "author": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Wed Apr 06 16:14:26 2016 +0100"
  },
  "committer": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Mon Apr 11 22:43:43 2016 +0100"
  },
  "message": "KEYS: Move the point of trust determination to __key_link()\n\nMove the point at which a key is determined to be trustworthy to\n__key_link() so that we use the contents of the keyring being linked in to\nto determine whether the key being linked in is trusted or not.\n\nWhat is \u0027trusted\u0027 then becomes a matter of what\u0027s in the keyring.\n\nCurrently, the test is done when the key is parsed, but given that at that\npoint we can only sensibly refer to the contents of the system trusted\nkeyring, we can only use that as the basis for working out the\ntrustworthiness of a new key.\n\nWith this change, a trusted keyring is a set of keys that once the\ntrusted-only flag is set cannot be added to except by verification through\none of the contained keys.\n\nFurther, adding a key into a trusted keyring, whilst it might grant\ntrustworthiness in the context of that keyring, does not automatically\ngrant trustworthiness in the context of a second keyring to which it could\nbe secondarily linked.\n\nTo accomplish this, the authentication data associated with the key source\nmust now be retained.  For an X.509 cert, this means the contents of the\nAuthorityKeyIdentifier and the signature data.\n\n\nIf system keyrings are disabled then restrict_link_by_builtin_trusted()\nresolves to restrict_link_reject().  The integrity digital signature code\nstill works correctly with this as it was previously using\nKEY_FLAG_TRUSTED_ONLY, which doesn\u0027t permit anything to be added if there\nis no system keyring against which trust can be determined.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "417d658828708e0ffc2a4fd6d36fedb9dcedb067",
      "old_mode": 33188,
      "old_path": "certs/system_keyring.c",
      "new_id": "4e2fa8ab01d651c8d177a2f33dcdda22a03e805a",
      "new_mode": 33188,
      "new_path": "certs/system_keyring.c"
    },
    {
      "type": "modify",
      "old_id": "b4c10f2f503408b1a0c29d38b748585b4d498d81",
      "old_mode": 33188,
      "old_path": "crypto/asymmetric_keys/restrict.c",
      "new_id": "ac4bddf669de2195bce0864a28308031602245da",
      "new_mode": 33188,
      "new_path": "crypto/asymmetric_keys/restrict.c"
    },
    {
      "type": "modify",
      "old_id": "7a802b09a5095c45aa0f5ce96344edd0dc2fd5da",
      "old_mode": 33188,
      "old_path": "crypto/asymmetric_keys/x509_parser.h",
      "new_id": "05eef1c68881b9214af04857be0803aaf44c02cc",
      "new_mode": 33188,
      "new_path": "crypto/asymmetric_keys/x509_parser.h"
    },
    {
      "type": "modify",
      "old_id": "6d7f42f0de9a136d163e54991ea7383540613e61",
      "old_mode": 33188,
      "old_path": "crypto/asymmetric_keys/x509_public_key.c",
      "new_id": "fb732296cd36437950e9228baaecce4373a329eb",
      "new_mode": 33188,
      "new_path": "crypto/asymmetric_keys/x509_public_key.c"
    },
    {
      "type": "modify",
      "old_id": "96ef27b8dd416e6148cac8211d646242db1ccbbc",
      "old_mode": 33188,
      "old_path": "include/crypto/public_key.h",
      "new_id": "882ca0e1e7a5967e1dde952c8e5ecdf616b0f2fd",
      "new_mode": 33188,
      "new_path": "include/crypto/public_key.h"
    },
    {
      "type": "modify",
      "old_id": "b2d645ac35a04c0eaabdd3636b2f22d81c1185aa",
      "old_mode": 33188,
      "old_path": "include/keys/system_keyring.h",
      "new_id": "93715913a0b1dcddd63d6188d0ae1930031431cb",
      "new_mode": 33188,
      "new_path": "include/keys/system_keyring.h"
    },
    {
      "type": "modify",
      "old_id": "6a64e03b9f44357eae722b22036c7294ab072de6",
      "old_mode": 33188,
      "old_path": "kernel/module_signing.c",
      "new_id": "937c844bee4af8b17d2780bf69203ce381a434cd",
      "new_mode": 33188,
      "new_path": "kernel/module_signing.c"
    },
    {
      "type": "modify",
      "old_id": "659566c2200b2f93fd07fe990c57f8c8fd0f1fec",
      "old_mode": 33188,
      "old_path": "security/integrity/digsig.c",
      "new_id": "d647178c6bbde23919ecefea4999d539c8d6f45e",
      "new_mode": 33188,
      "new_path": "security/integrity/digsig.c"
    },
    {
      "type": "modify",
      "old_id": "ef91248cb9347d755a6da62acc042feb29e0c30c",
      "old_mode": 33188,
      "old_path": "security/integrity/ima/ima_mok.c",
      "new_id": "2988726d30d6ca8c5e1ccfb1bc738156d1be0e17",
      "new_mode": 33188,
      "new_path": "security/integrity/ima/ima_mok.c"
    }
  ]
}
