Check uids on the key when using default keyring

When the signature is validated using the default keyring, run an
additional check on the UIDs and show the discrepancy if the identity
used in the X-Developer-Signature header is different from the UIDs we
have on the key.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>

1 files changed, 15 insertions, 2 deletions

diff --git a/b4/__init__.py b/b4/__init__.py
index c39a905..3906291 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -1067,9 +1067,22 @@ class LoreMessage:
         logger.debug('Loading patatt attestations with sources=%s', str(sources))
 
         attestations = patatt.validate_message(self.msg.as_bytes(), sources)
-        for passing, identity, signtime, keysrc, keyalgo, errors in attestations:
+        for result, identity, signtime, keysrc, keyalgo, errors in attestations:
+            if keysrc and keysrc.startswith('(default keyring)/'):
+                fpr = keysrc.split('/', 1)[1]
+                uids = get_gpg_uids(fpr)
+                idmatch = False
+                for uid in uids:
+                    if uid.find(identity) >= 0:
+                        idmatch = True
+                        break
+                if not idmatch:
+                    # Take the first identity in the list and use that instead
+                    parts = email.utils.parseaddr(uids[0])
+                    identity = parts[1]
+
             signdt = LoreAttestor.parse_ts(signtime)
-            attestor = LoreAttestorPatatt(passing, identity, signdt, keysrc, keyalgo, errors)
+            attestor = LoreAttestorPatatt(result, identity, signdt, keysrc, keyalgo, errors)
             self._attestors.append(attestor)
 
     def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]: