[PATCH] validation: Report lack of signature

* [PATCH] validation: Report lack of signature
@ 2021-10-02  2:57 Kees Cook
  2021-10-04 20:41 ` Konstantin Ryabitsev
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2021-10-02  2:57 UTC (permalink / raw)
  To: Konstantin Ryabitsev; +Cc: Kees Cook, tools

If we're trying to cryptographically validate a message, not having a
signature is not a success (exit 0). Use a specific return code for this
condition and report it.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 patatt/__init__.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/patatt/__init__.py b/patatt/__init__.py
index 41b7dfda6b75..5d880bcf32b1 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -36,6 +36,7 @@ DEVKEY_HDR = b'X-Developer-Key'
 
 # Result and severity levels
 RES_VALID = 0
+RES_NOSIG = 4
 RES_NOKEY = 8
 RES_ERROR = 16
 RES_BADSIG = 32
@@ -919,6 +920,7 @@ def validate_message(msgdata: bytes, sources: list, trim_body: bool = False) ->
     pm = PatattMessage(msgdata)
     if not pm.signed:
         logger.debug('message is not signed')
+        attestations.append((RES_NOSIG, None, None, None, None, ['no signatures found']))
         return attestations
 
     # Find all identities for which we have public keys
@@ -1019,6 +1021,10 @@ def cmd_validate(cmdargs, config: dict):
                         logger.info('       | key: %s', keysrc)
                     else:
                         logger.info('       | key: default GnuPG keyring')
+                elif result <= RES_NOSIG:
+                    logger.critical(' NOSIG | %s', fn)
+                    for error in errors:
+                        logger.critical('       | %s', error)
                 elif result <= RES_NOKEY:
                     logger.critical(' NOKEY | %s, %s', identity, fn)
                     for error in errors:
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread