public inbox for pve-devel@lists.proxmox.com
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH proxmox-offline-mirror 1/2] improve GPG error messages
Date: Tue,  4 Apr 2023 09:48:20 +0200	[thread overview]
Message-ID: <20230404074821.3765099-2-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20230404074821.3765099-1-f.gruenbichler@proxmox.com>

e.g., when encountering a key that is self-signed with SHA-1 (which is not that
uncommon for non-distro repositories that have an old key), instead of the
following:

----8<----
Fetching Release/Release.gpg files
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'..
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..
	Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z
Error: encountered 1 error(s)
---->8----

which only gives us a rough idea that something is wrong with a key signature,
we now get the following:

----8<----
Fetching Release/Release.gpg files
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'..
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..

Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z
Caused by:
	0: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
	1: SHA1 is not considered secure since 2023-02-01T00:00:00Z

Error: No valid signature found.
---->8----

which shows us that the key signature was rejected because it's SHA-1, and the
(default and currently only) policy doesn't allow that (anymore).

the output is also improved in case the Release file is signed multiple times
and none of the signatures are accepted.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/helpers/verifier.rs | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index 57bfd1b..131bccd 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -3,8 +3,8 @@ use anyhow::{bail, Error};
 use sequoia_openpgp::{
     parse::{
         stream::{
-            DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationHelper,
-            VerifierBuilder,
+            DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
+            VerificationHelper, VerifierBuilder,
         },
         Parse,
     },
@@ -53,10 +53,35 @@ impl<'a> VerificationHelper for Helper<'a> {
         if good {
             Ok(()) // Good signature.
         } else {
-            for err in &errors {
-                eprintln!("\t{err}");
+            if errors.len() > 1 {
+                eprintln!("\nEncountered {} errors:", errors.len());
             }
-            Err(anyhow::anyhow!("encountered {} error(s)", errors.len()))
+
+            for (n, err) in errors.iter().enumerate() {
+                if errors.len() > 1 {
+                    eprintln!("\nSignature #{n}: {err}");
+                } else {
+                    eprintln!("\n{err}");
+                }
+                match err {
+                    VerificationError::MalformedSignature { error, .. }
+                    | VerificationError::UnboundKey { error, .. }
+                    | VerificationError::BadKey { error, .. }
+                    | VerificationError::BadSignature { error, .. } => {
+                        let mut cause = error.chain();
+                        if cause.len() > 1 {
+                            cause.next(); // already included in `err` above
+                            eprintln!("Caused by:");
+                            for (n, e) in cause.enumerate() {
+                                eprintln!("\t{n}: {e}");
+                            }
+                        }
+                    }
+                    VerificationError::MissingKey { .. } => {} // doesn't contain a cause
+                };
+            }
+            eprintln!();
+            Err(anyhow::anyhow!("No valid signature found."))
         }
     }
 }
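Review bot: the inner `for (n, e) in cause.enumerate()` shadows the outer loop's `n` from `for (n, err) in errors.iter().enumerate()`; it compiles and works because the outer `n` is only read before the `match`, but renaming the inner counter (e.g. `i`) would make the two numbering schemes (signature index vs. cause index) harder to confuse when this block is touched again. Relatedly, `Signature #{n}` prints a zero-based index, so a Release file with two rejected signatures is reported as `Signature #0` and `Signature #1`; printing `n + 1` would match the `Encountered {} errors:` count the user sees just above. The `cause.len() > 1` check depends on `anyhow::Chain` implementing `ExactSizeIterator`, which it does, and skipping the first chain element with `cause.next()` is correct because that element is the same message already printed via `{err}`; a short comment saying the `0:` numbering therefore starts at the first underlying cause would help readers compare against the commit message's sample output. Minor style: the `;` after the closing brace of the `match` is redundant.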
-- 
2.30.2