Fix: Remove too strict signature verification; turns out it does not work when using subkeys for signing.

2021-10-19 02:48:35 +02:00 · 2021-10-19 02:48:35 +02:00 · ebaac40ac2
commit ebaac40ac2
parent daee1654d3
1 changed files with 7 additions and 6 deletions
--- a/easywks/types.py
+++ b/easywks/types.py
@ -7,7 +7,7 @@ from email.mime.application import MIMEApplication
 from email.mime.text import MIMEText

 from pgpy import PGPKey, PGPMessage, PGPUID
-from pgpy.types import SignatureVerification
+from pgpy.errors import PGPError

 from .crypto import pgp_sign
 from .config import Config, render_message
@ -144,11 +144,12 @@ class ConfirmationResponse:
        uid: PGPUID = key.get_uid(self._submitter_addr)
        if uid is None or uid.email != self._submitter_addr:
            raise EasyWksError(f'UID {self._submitter_addr} not found in PGP key')
-        verification: SignatureVerification = key.verify(self._msg)
-        for verified, by, sig, subject in verification.good_signatures:
-            if fingerprint(key) == fingerprint(by):
-                return
-        raise EasyWksError('PGP signature could not be verified')
+        try:
+            # Should raise an error when verification fails, but add the boolean check as a additional protection
+            if not key.verify(self._msg):
+                raise EasyWksError(f'PGP signature could not be verified')
+        except PGPError as e:
+            raise EasyWksError(f'PGP signature could not be verified: {e}')


 class PublishResponse: