From: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
To: signatures@kernel.org
Subject: [PATCH 5/5] Throw a NoKeyError when no matching PGP key
Date: Thu, 3 Jun 2021 13:18:15 -0400 [thread overview]
Message-ID: <d37d358c9ddd4d0972fbcd392ce26df852767948.1622740672.git.konstantin.ryabitsev@linux.dev> (raw)
In-Reply-To: <7754d7d35d03b462109c4a93d625f0af21383312.1622740672.git.konstantin.ryabitsev@linux.dev>
Fix a problem where we incorrectly reported a missing public key for a
failing signature for the cases when the public key is in the default
keyring.
Signed-off-by: Konstantin Ryabitsev <konstantin.ryabitsev@linux.dev>
---
patatt/__init__.py | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/patatt/__init__.py b/patatt/__init__.py
index b4018ab..f5e0fd9 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -47,7 +47,7 @@ OPT_HDRS = [b'message-id']
KEYCACHE = dict()
# My version
-__VERSION__ = '0.4.4'
+__VERSION__ = '0.4.5-dev'
MAX_SUPPORTED_FORMAT_VERSION = 1
@@ -69,6 +69,12 @@ class ValidationError(Exception):
self.errors = errors
+class NoKeyError(ValidationError):
+ def __init__(self, message: str, errors: Optional[list] = None):
+ super().__init__(message)
+ self.errors = errors
+
+
class BodyValidationError(ValidationError):
def __init__(self, message: str, errors: Optional[list] = None):
super().__init__(message, errors)
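Review bot: NoKeyError.__init__ calls `super().__init__(message)` and then assigns `self.errors` itself, while BodyValidationError just below passes both values through with `super().__init__(message, errors)`; using the same call here would keep the hierarchy consistent. A one-line docstring such as `"""Raised when gpg reports no public key for the signature."""` would also record why this case is separated from a generic ValidationError. Only the last line of ValidationError's constructor is visible in this hunk, so its exact signature should be confirmed before changing the call.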
@@ -346,6 +352,8 @@ class DevsigHeader:
ecode, out, err = gpg_run_command(vrfyargs, stdin=bsigdata)
if ecode > 0:
+ if err.find(b'[GNUPG:] NO_PUBKEY '):
+ raise NoKeyError('No matching key found')
raise ValidationError('Failed to validate PGP signature')
good, valid, trusted, signkey, signtime = DevsigHeader._check_gpg_status(err)
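Review bot: The added condition `if err.find(b'[GNUPG:] NO_PUBKEY '):` tests the return value of `bytes.find()`, which is -1 (truthy) when the marker is absent and 0 (falsy) when it sits at the very start of the output. It is therefore true for almost every gpg failure, including a genuinely bad signature, and false in the one case where the marker begins the output. A membership test says what is meant: `if b'[GNUPG:] NO_PUBKEY ' in err:`. The distinction matters for the verdict, because a failed verification classified as a missing key would be reported as unverifiable rather than as a bad signature. The enclosing method starts and ends outside this hunk.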
@@ -952,12 +960,14 @@ def validate_message(msgdata: bytes, sources: list, trim_body: bool = False) ->
attestations.append((RES_VALID, i, signtime, keysrc, algo, errors))
except ValidationError:
if keysrc is None:
- # Not in default keyring
- errors.append('%s/%s no matching openpgp key found' % (i, s))
- attestations.append((RES_NOKEY, i, t, None, algo, errors))
- continue
- errors.append('failed to validate using %s' % keysrc)
+ errors.append('failed to validate using default keyring')
+ else:
+ errors.append('failed to validate using %s' % keysrc)
attestations.append((RES_BADSIG, i, t, keysrc, algo, errors))
+ except NoKeyError:
+ # Not in default keyring
+ errors.append('%s/%s no matching openpgp key found' % (i, s))
+ attestations.append((RES_NOKEY, i, t, None, algo, errors))
return attestations
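Review bot: The added `except NoKeyError:` clause comes after `except ValidationError:`, and NoKeyError is declared as a subclass of ValidationError earlier in this patch, so Python matches the first clause and the new one never runs. This assumes both clauses belong to the same `try`, which the stripped indentation on this page suggests but does not prove. Missing-key results would then be recorded as RES_BADSIG with 'failed to validate using default keyring' instead of RES_NOKEY. Move the `except NoKeyError:` block above `except ValidationError:` so the more specific handler is tried first. The `try` statement and the surrounding loop begin outside the hunk.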
--
2.31.1