-rw-r--r--b4/__init__.py33
-rw-r--r--b4/attest.py33
2 files changed, 41 insertions, 25 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index e50c8e3..2069e81 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -540,12 +540,15 @@ class LoreSeries:
if attpolicy in ('softfail', 'hardfail'):
logger.info(' %s %s', attfail, lmsg.full_subject)
failed = list()
- if not latt.pv:
- failed.append('patch content')
- if not latt.pm:
- failed.append('commit message')
- if not latt.pi:
- failed.append('patch metadata')
+ if latt and latt.lsig and latt.lsig.attestor and latt.lsig.attestor.mode == 'domain':
+ failed.append(latt.lsig.attestor.get_trailer())
+ else:
+ if not latt.pv:
+ failed.append('patch content')
+ if not latt.mv:
+ failed.append('commit message')
+ if not latt.iv:
+ failed.append('patch metadata')
atterrors.append('Patch %s/%s failed attestation (%s)' % (at, lmsg.expected,
', '.join(failed)))
else:
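Review bot: The `else` branch starting at `if not latt.pv:` still dereferences `latt` unguarded even though the new condition above it tests `if latt and latt.lsig ...`, so a falsy `latt` now falls through to an AttributeError rather than being reported as a failed attestation. Either `latt` can never be None here and the guard should drop the `latt and` test, or the else branch needs its own check first, e.g. `elif latt is None: failed.append('<reason wording of your choice>')`. The trailer appended for domain-mode attestors is `latt.lsig.attestor.get_trailer()` with no from-address, which depends on the `fromaddr=None` default added to LoreAttestorDKIM in the next hunk; if any other attestor class can report `mode == 'domain'`, its get_trailer needs the same default. The enclosing LoreSeries method starts and ends outside this hunk.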
@@ -1473,8 +1476,10 @@ class LoreAttestorDKIM(LoreAttestor):
self.mode = 'domain'
super().__init__(keyid)
- def get_trailer(self, fromaddr): # noqa
- return 'DKIM/%s (From: %s)' % (self.keyid, fromaddr)
+ def get_trailer(self, fromaddr=None): # noqa
+ if fromaddr:
+ return 'DKIM/%s (From: %s)' % (self.keyid, fromaddr)
+ return 'DKIM/%s' % self.keyid
class LoreAttestorPGP(LoreAttestor):
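Review bot: `get_trailer` gains an optional parameter but no docstring, and the `# noqa` carried over from the old signature gives a reader no hint of what the returned string is; since `self.keyid` is the `d=` value taken from the DKIM-Signature header in the LoreAttestationSignatureDKIM hunk below, the trailer names a signing domain rather than a key. Suggest `"""Return the 'DKIM/<domain>' trailer, with ' (From: <addr>)' appended when fromaddr is given."""` as the docstring. If the base LoreAttestor.get_trailer still declares `fromaddr` as required (not visible here), the override's signature now differs from it; that is harmless for callers but worth aligning so every attestor can be called without a from-address.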
@@ -1636,6 +1641,9 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature):
# self.native_verify()
# return
+ dks = self.msg.get('dkim-signature')
+ ddata = get_parts_from_header(dks)
+ self.attestor = LoreAttestorDKIM(ddata['d'])
# Do we have a resolve method?
if hasattr(_resolver, 'resolve'):
res = dkim.verify(self.msg.as_bytes(), dnsfunc=dkim_get_txt)
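Review bot: The added lines build `self.attestor` from the `d=` tag of the DKIM-Signature header before `dkim.verify` has run, so the attestor now records a claimed signing domain whether or not the signature verifies; that appears intended so failures can name the domain (the LoreSeries hunk uses it in the failure reason), but every consumer must then check `self.valid` or `self.passing` before treating `attestor` as verified, and a comment such as `# Claimed signer domain from the d= tag; only meaningful once self.valid is set below` would make that explicit. Previously these three lines ran only after a successful verify (they are the lines removed in the following hunk), so a message with no DKIM-Signature header, or a signature without a `d=` tag, simply did not verify; now `get_parts_from_header(None)` or `ddata['d']` can raise from this path, so a guard like `if not dks: return` (recording whatever error the class uses for a missing signature) before the lookup would preserve the old behaviour. `self.msg.get('dkim-signature')` returns only the first such header, so if dkim.verify selects a different one the recorded domain may not belong to the verified signature; whether that can happen depends on dkimpy's selection and is not visible here. The enclosing method continues past the hunk.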
@@ -1647,9 +1655,6 @@ class LoreAttestationSignatureDKIM(LoreAttestationSignature):
self.good = True
# Grab toplevel signature that we just verified
- dks = self.msg.get('dkim-signature')
- ddata = get_parts_from_header(dks)
- self.attestor = LoreAttestorDKIM(ddata['d'])
self.valid = True
self.trusted = True
self.passing = True
@@ -1763,10 +1768,8 @@ class LoreAttestationSignaturePGP(LoreAttestationSignature):
if self.good and self.valid and self.trusted:
self.passing = True
-
- # A couple of final verifications
- self.verify_time_drift()
- # XXX: Need to verify identity domain
+ self.verify_time_drift()
+ # XXX: Need to verify identity domain
class LoreAttestation:
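Review bot: Whether `self.verify_time_drift()` now sits inside the `if self.good and self.valid and self.trusted:` block or after it cannot be recovered from this rendering, since the indentation was lost; the move only matters if the call can clear `self.passing`, and that contract is not visible in the hunk. A one-line comment at the new call, e.g. `# may clear self.passing on excessive clock drift`, or the opposite statement if it only records an error, would pin the intent down. The retained `# XXX: Need to verify identity domain` still means a PGP signature reaches `passing = True` without the signer identity being checked against the From domain, which is worth stating in the method's docstring until it is implemented. The enclosing method starts outside the hunk.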
diff --git a/b4/attest.py b/b4/attest.py
index 8ae939e..d7fbc27 100644
--- a/b4/attest.py
+++ b/b4/attest.py
@@ -114,23 +114,36 @@ def mutt_filter() -> None:
if inb.find(b'X-Patch-Sig:') < 0:
sys.stdout.buffer.write(inb)
return
+ msg = email.message_from_bytes(inb)
try:
- msg = email.message_from_bytes(inb)
if msg.get('x-patch-sig'):
lmsg = b4.LoreMessage(msg)
lmsg.load_hashes()
latt = lmsg.attestation
- if latt and latt.validate(msg):
- trailer = latt.lsig.attestor.get_trailer(lmsg.fromemail)
- msg.add_header('Attested-By', trailer)
- # Delete the x-patch-hashes and x-patch-sig headers so
- # they don't boggle up the view
- for i in reversed(range(len(msg._headers))): # noqa
- hdrName = msg._headers[i][0].lower() # noqa
- if hdrName in ('x-patch-hashes', 'x-patch-sig'):
- del msg._headers[i] # noqa
+ if latt:
+ if latt.validate(msg):
+ trailer = latt.lsig.attestor.get_trailer(lmsg.fromemail)
+ msg.add_header('Attested-By', trailer)
+ elif latt.lsig:
+ if not latt.lsig.errors:
+ failed = list()
+ if not latt.pv:
+ failed.append('patch content')
+ if not latt.mv:
+ failed.append('commit message')
+ if not latt.iv:
+ failed.append('patch metadata')
+ latt.lsig.errors.add('signature failed (%s)' % ', '.join(failed))
+ msg.add_header('Attestation-Failed', ', '.join(latt.lsig.errors))
+ # Delete the x-patch-hashes and x-patch-sig headers so
+ # they don't boggle up the view
+ for i in reversed(range(len(msg._headers))): # noqa
+ hdrName = msg._headers[i][0].lower() # noqa
+ if hdrName in ('x-patch-hashes', 'x-patch-sig'):
+ del msg._headers[i] # noqa
except: # noqa
# Don't prevent email from being displayed even if we died horribly
sys.stdout.buffer.write(inb)
return
+
sys.stdout.buffer.write(msg.as_bytes(policy=b4.emlpolicy))
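Review bot: Moving `msg = email.message_from_bytes(inb)` above the `try:` takes the parse out of the fail-open path that the `except:` comment describes, so a parser exception now propagates instead of the original bytes being written to stdout; putting the line back under `try:` restores the stated behaviour, and the final `msg.as_bytes(...)` is still only reached when no exception occurred, so `msg` remains bound there. The `Attested-By` and `Attestation-Failed` headers this filter adds are what the reader is meant to trust, but the cleanup loop only strips `x-patch-hashes` and `x-patch-sig`, so an `Attested-By` or `Attestation-Failed` header already present in the incoming message survives beside the one the filter adds; those two names should be stripped as well, and before `add_header` runs, since the existing loop comes after it. `latt.lsig.errors` is used with `.add`, so it is a set and the joined header text can vary in order between runs; `', '.join(sorted(latt.lsig.errors))` gives stable output. The failure-reason list at `if not latt.pv:` duplicates the one added to LoreSeries in `b4/__init__.py`; a small helper on the attestation object would keep the two in step.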