Fix: Remove too strict signature verification; turns out it does not work when using subkeys for signing.

This commit is contained in:
s3lph 2021-10-19 02:48:35 +02:00
parent daee1654d3
commit ebaac40ac2

View file

@ -7,7 +7,7 @@ from email.mime.application import MIMEApplication
from email.mime.text import MIMEText from email.mime.text import MIMEText
from pgpy import PGPKey, PGPMessage, PGPUID from pgpy import PGPKey, PGPMessage, PGPUID
from pgpy.types import SignatureVerification from pgpy.errors import PGPError
from .crypto import pgp_sign from .crypto import pgp_sign
from .config import Config, render_message from .config import Config, render_message
@ -144,11 +144,12 @@ class ConfirmationResponse:
uid: PGPUID = key.get_uid(self._submitter_addr) uid: PGPUID = key.get_uid(self._submitter_addr)
if uid is None or uid.email != self._submitter_addr: if uid is None or uid.email != self._submitter_addr:
raise EasyWksError(f'UID {self._submitter_addr} not found in PGP key') raise EasyWksError(f'UID {self._submitter_addr} not found in PGP key')
verification: SignatureVerification = key.verify(self._msg) try:
for verified, by, sig, subject in verification.good_signatures: # Should raise an error when verification fails, but add the boolean check as a additional protection
if fingerprint(key) == fingerprint(by): if not key.verify(self._msg):
return raise EasyWksError(f'PGP signature could not be verified')
raise EasyWksError('PGP signature could not be verified') except PGPError as e:
raise EasyWksError(f'PGP signature could not be verified: {e}')
class PublishResponse: class PublishResponse: