Update to github.com/mtrmac/gpgme v0.1.2

This "fixes" CVE-2020-8945 by incorporating proglottis/gpgme#23 . The code is not actually used, for two reasons: - Nothing in this repository invokes signature verification (the subpackage is only used to generate contents of policy.json) - Builds use the 'containers_image_openpgp' build tag, which switches to the non-gpgme signature backend. This updates the vendored code anyway - to avoid false positives when scanning for vulnerabilities - so that we don't have to worry about any future changes in this repository enabling those code paths. Performed by updating Gopgg.tompl and $ dep ensure Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac · Jun 20, 2020 · 899f4da · 899f4da
1 parent 204f564
commit 899f4da
Show file tree

Hide file tree

Showing 8 changed files with 360 additions and 80 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -173,6 +173,10 @@ required = [
   name = "github.com/InVisionApp/go-health"
   version = "2.1.0"
 
+[[override]]
+  name = "github.com/mtrmac/gpgme"
+  version = "v0.1.2"
+
 [[constraint]]
   name = "github.com/joho/godotenv"
   version = "1.3.0"
diff --git a/vendor/github.com/mtrmac/gpgme/data.go b/vendor/github.com/mtrmac/gpgme/data.go
diff --git a/vendor/github.com/mtrmac/gpgme/go_gpgme.c b/vendor/github.com/mtrmac/gpgme/go_gpgme.c
diff --git a/vendor/github.com/mtrmac/gpgme/go_gpgme.h b/vendor/github.com/mtrmac/gpgme/go_gpgme.h