GitLab

It's hard to add code that makes a previously valid descriptor invalid (as we'd like to do for legacy/trac#7484 (moved) and legacy/trac#9286 (moved)), since doing so can put us in a loop where we download the descriptor, get it, reject it, and download it again.

Instead, we should record that the descriptor with some given hash is simply invalid. That's easy for microdescriptors, but a bit harder for router descriptors, since the hash doesn't include the signature itself. So we need to check the signature in that case before rejecting.