From c6a1199dcd65fdf2eb1c49295bfcc02932b5ae75 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Wed, 26 May 2021 10:01:22 -0400 Subject: Check uids on the key when using default keyring When the signature is validated using the default keyring, run an additional check on the UIDs and show the discrepancy if the identity used in the X-Developer-Signature header is different from the UIDs we have on the key. Signed-off-by: Konstantin Ryabitsev --- b4/__init__.py | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'b4') diff --git a/b4/__init__.py b/b4/__init__.py index c39a905..3906291 100644 --- a/b4/__init__.py +++ b/b4/__init__.py @@ -1067,9 +1067,22 @@ class LoreMessage: logger.debug('Loading patatt attestations with sources=%s', str(sources)) attestations = patatt.validate_message(self.msg.as_bytes(), sources) - for passing, identity, signtime, keysrc, keyalgo, errors in attestations: + for result, identity, signtime, keysrc, keyalgo, errors in attestations: + if keysrc and keysrc.startswith('(default keyring)/'): + fpr = keysrc.split('/', 1)[1] + uids = get_gpg_uids(fpr) + idmatch = False + for uid in uids: + if uid.find(identity) >= 0: + idmatch = True + break + if not idmatch: + # Take the first identity in the list and use that instead + parts = email.utils.parseaddr(uids[0]) + identity = parts[1] + signdt = LoreAttestor.parse_ts(signtime) - attestor = LoreAttestorPatatt(passing, identity, signdt, keysrc, keyalgo, errors) + attestor = LoreAttestorPatatt(result, identity, signdt, keysrc, keyalgo, errors) self._attestors.append(attestor) def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]: -- cgit v1.2.3