data/fwupd.conf | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 1/5] use a cname to redirect to the correct cdn for metadata

src/fu-main.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 2/5] do not abort startup if the xml metadata file is invalid

data/pki/GPG-KEY-Linux-Foundation-Firmware | 37 37 + 0 - 0 !
data/pki/GPG-KEY-Linux-Foundation-Metadata | 37 37 + 0 - 0 !
data/pki/Makefile.am | 2 2 + 0 - 0 !
3 files changed, 76 insertions(+)

 [patch 3/5] add the linux foundation public gpg keys for firmware and
 metadata

In the future the Linux Foundation will be running the LVFS server.

To make this possible, include the Linux Foundation public keys by default as
we already trust them. Obviously the keys need to be available long before
vendors move, so nobody should get too worried at this point.

src/fu-main.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 4/5] raise the metadata limit to 10mb

It's taken 3 years to get from 20kB to 1Mb, and so it'll take longer than Ubuntu
16.04 is supported to grow an order of magnitude bigger. Plus, if we have 10Mb
of XML we probably need to rethink the metadata format a bit...

src/fu-keyring.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch 5/5] validate that gpgme_op_verify_result() returned at least
 one signature

If a detached signature is actually a PGP message, gpgme_op_verify() returns
the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
builds an empty list.

Explicitly check for no signatures present to avoid returning success in this
case.

Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
coordinated disclosure of this issue. Fixes CVE-2020-10759