summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKonstantin Ryabitsev <konstantin@linuxfoundation.org>2021-05-26 10:01:22 -0400
committerKonstantin Ryabitsev <konstantin@linuxfoundation.org>2021-05-26 10:01:22 -0400
commitc6a1199dcd65fdf2eb1c49295bfcc02932b5ae75 (patch)
tree031c3cb3301f1218be0336f7a602b906ad940a3c
parent59c5614e36a343e57326e6190ee33e871f6052ad (diff)
downloadb4-c6a1199dcd65fdf2eb1c49295bfcc02932b5ae75.tar.gz
Check uids on the key when using default keyring
When the signature is validated using the default keyring, run an additional check on the UIDs and show the discrepancy if the identity used in the X-Developer-Signature header is different from the UIDs we have on the key. Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rw-r--r--b4/__init__.py17
m---------patatt0
2 files changed, 15 insertions, 2 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index c39a905..3906291 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -1067,9 +1067,22 @@ class LoreMessage:
logger.debug('Loading patatt attestations with sources=%s', str(sources))
attestations = patatt.validate_message(self.msg.as_bytes(), sources)
- for passing, identity, signtime, keysrc, keyalgo, errors in attestations:
+ for result, identity, signtime, keysrc, keyalgo, errors in attestations:
+ if keysrc and keysrc.startswith('(default keyring)/'):
+ fpr = keysrc.split('/', 1)[1]
+ uids = get_gpg_uids(fpr)
+ idmatch = False
+ for uid in uids:
+ if uid.find(identity) >= 0:
+ idmatch = True
+ break
+ if not idmatch:
+ # Take the first identity in the list and use that instead
+ parts = email.utils.parseaddr(uids[0])
+ identity = parts[1]
+
signdt = LoreAttestor.parse_ts(signtime)
- attestor = LoreAttestorPatatt(passing, identity, signdt, keysrc, keyalgo, errors)
+ attestor = LoreAttestorPatatt(result, identity, signdt, keysrc, keyalgo, errors)
self._attestors.append(attestor)
def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]:
diff --git a/patatt b/patatt
-Subproject 3ed3c997942b4af55e6b35df0269f129ba00d9c
+Subproject 6c25d3f80e00610daa93915e869c94f661079e8