Fix: Remove too strict signature verification; turns out it does not work when using subkeys for signing.
This commit is contained in:
parent
daee1654d3
commit
ebaac40ac2
1 changed files with 7 additions and 6 deletions
|
@ -7,7 +7,7 @@ from email.mime.application import MIMEApplication
|
||||||
from email.mime.text import MIMEText
|
from email.mime.text import MIMEText
|
||||||
|
|
||||||
from pgpy import PGPKey, PGPMessage, PGPUID
|
from pgpy import PGPKey, PGPMessage, PGPUID
|
||||||
from pgpy.types import SignatureVerification
|
from pgpy.errors import PGPError
|
||||||
|
|
||||||
from .crypto import pgp_sign
|
from .crypto import pgp_sign
|
||||||
from .config import Config, render_message
|
from .config import Config, render_message
|
||||||
|
@ -144,11 +144,12 @@ class ConfirmationResponse:
|
||||||
uid: PGPUID = key.get_uid(self._submitter_addr)
|
uid: PGPUID = key.get_uid(self._submitter_addr)
|
||||||
if uid is None or uid.email != self._submitter_addr:
|
if uid is None or uid.email != self._submitter_addr:
|
||||||
raise EasyWksError(f'UID {self._submitter_addr} not found in PGP key')
|
raise EasyWksError(f'UID {self._submitter_addr} not found in PGP key')
|
||||||
verification: SignatureVerification = key.verify(self._msg)
|
try:
|
||||||
for verified, by, sig, subject in verification.good_signatures:
|
# Should raise an error when verification fails, but add the boolean check as a additional protection
|
||||||
if fingerprint(key) == fingerprint(by):
|
if not key.verify(self._msg):
|
||||||
return
|
raise EasyWksError(f'PGP signature could not be verified')
|
||||||
raise EasyWksError('PGP signature could not be verified')
|
except PGPError as e:
|
||||||
|
raise EasyWksError(f'PGP signature could not be verified: {e}')
|
||||||
|
|
||||||
|
|
||||||
class PublishResponse:
|
class PublishResponse:
|
||||||
|
|
Loading…
Reference in a new issue