author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-26 10:01:22 -0400 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2021-05-26 10:01:22 -0400 |
commit | c6a1199dcd65fdf2eb1c49295bfcc02932b5ae75 (patch) | |
tree | 031c3cb3301f1218be0336f7a602b906ad940a3c /b4 | |
parent | 59c5614e36a343e57326e6190ee33e871f6052ad (diff) | |
Check uids on the key when using default keyring
When the signature is validated using the default keyring, run an
additional check on the UIDs and show the discrepancy if the identity
used in the X-Developer-Signature header is different from the UIDs we
have on the key.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Diffstat (limited to 'b4')
-rw-r--r-- | b4/__init__.py | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index c39a905..3906291 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -1067,9 +1067,22 @@ class LoreMessage:
         logger.debug('Loading patatt attestations with sources=%s', str(sources))
         attestations = patatt.validate_message(self.msg.as_bytes(), sources)
-        for passing, identity, signtime, keysrc, keyalgo, errors in attestations:
+        for result, identity, signtime, keysrc, keyalgo, errors in attestations:
+            if keysrc and keysrc.startswith('(default keyring)/'):
+                fpr = keysrc.split('/', 1)[1]
+                uids = get_gpg_uids(fpr)
+                idmatch = False
+                for uid in uids:
+                    if uid.find(identity) >= 0:
+                        idmatch = True
+                        break
+                if not idmatch:
+                    # Take the first identity in the list and use that instead
+                    parts = email.utils.parseaddr(uids[0])
+                    identity = parts[1]
+
             signdt = LoreAttestor.parse_ts(signtime)
-            attestor = LoreAttestorPatatt(passing, identity, signdt, keysrc, keyalgo, errors)
+            attestor = LoreAttestorPatatt(result, identity, signdt, keysrc, keyalgo, errors)
             self._attestors.append(attestor)
 
     def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]:
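Review bot: `uids[0]` in the new `if not idmatch:` branch raises IndexError when `get_gpg_uids(fpr)` returns an empty list, which aborts attestation loading for the whole message rather than marking this one signature; guard it with `if not idmatch and uids:` and keep the header identity (or record the empty lookup in `errors`) otherwise. The match itself is a substring test, `uid.find(identity) >= 0`, so a UID whose address merely contains the header identity as an infix or suffix counts as a match, which is weaker than the UID check the commit message describes; comparing the address part of each UID from `email.utils.parseaddr(uid)[1]` with a case-folded exact comparison is closer to the intent, assuming `identity` is a bare address as the `parseaddr` on the fallback path suggests. The enclosing method begins before the hunk, so the origin of `sources` and `self._attestors` is not visible here.
```python
            if keysrc and keysrc.startswith('(default keyring)/'):
                fpr = keysrc.split('/', 1)[1]
                uids = get_gpg_uids(fpr)
                # Compare parsed addresses, not substrings: a UID that only
                # contains the header identity must not count as a match.
                wanted = identity.strip().lower()
                idmatch = any(email.utils.parseaddr(uid)[1].lower() == wanted for uid in uids)
                if not idmatch and uids:
                    # Take the first identity in the list and use that instead
                    identity = email.utils.parseaddr(uids[0])[1]
                # … unchanged: no UIDs returned keeps the header identity …
            # … unchanged: signdt / attestor construction …
```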