From: Fabian Grünbichler
To: pve-devel@lists.proxmox.com
Date: Tue, 4 Apr 2023 09:48:20 +0200
Message-Id: <20230404074821.3765099-2-f.gruenbichler@proxmox.com>
In-Reply-To: <20230404074821.3765099-1-f.gruenbichler@proxmox.com>
Subject: [pve-devel] [PATCH proxmox-offline-mirror 1/2] improve GPG error messages
List-Id: Proxmox VE development discussion

e.g., when encountering a key that is self-signed with SHA-1 (which is not that uncommon for non-distro repositories that have an old key), instead of the following:

----8<----
Fetching Release/Release.gpg files
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'..
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..
	Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z
Error: encountered 1 error(s)
---->8----

which only gives us a rough idea that something is wrong with a key signature, we now get the following:

----8<----
Fetching Release/Release.gpg files
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'..
-> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'..
Verifying 'Release(.gpg)' signature using provided repository key..

Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z
Caused by:
	0: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
	1: SHA1 is not considered secure since 2023-02-01T00:00:00Z

Error: No valid signature found.
---->8---- which shows us that the key signature was rejected because it's SHA-1, and the (default and currently only) policy doesn't allow that (anymore). the output is also improved in case the Release file is signed multiple times and none of the signatures are accepted. Signed-off-by: Fabian Grünbichler --- src/helpers/verifier.rs | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs index 57bfd1b..131bccd 100644 --- a/src/helpers/verifier.rs +++ b/src/helpers/verifier.rs @@ -3,8 +3,8 @@ use anyhow::{bail, Error}; use sequoia_openpgp::{ parse::{ stream::{ - DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationHelper, - VerifierBuilder, + DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError, + VerificationHelper, VerifierBuilder, }, Parse, }, @@ -53,10 +53,35 @@ impl<'a> VerificationHelper for Helper<'a> { if good { Ok(()) // Good signature. } else { - for err in &errors { - eprintln!("\t{err}"); + if errors.len() > 1 { + eprintln!("\nEncountered {} errors:", errors.len()); } - Err(anyhow::anyhow!("encountered {} error(s)", errors.len())) + + for (n, err) in errors.iter().enumerate() { + if errors.len() > 1 { + eprintln!("\nSignature #{n}: {err}"); + } else { + eprintln!("\n{err}"); + } + match err { + VerificationError::MalformedSignature { error, .. } + | VerificationError::UnboundKey { error, .. } + | VerificationError::BadKey { error, .. } + | VerificationError::BadSignature { error, .. } => { + let mut cause = error.chain(); + if cause.len() > 1 { + cause.next(); // already included in `err` above + eprintln!("Caused by:"); + for (n, e) in cause.enumerate() { + eprintln!("\t{n}: {e}"); + } + } + } + VerificationError::MissingKey { .. } => {} // doesn't contain a cause + }; + } + eprintln!(); + Err(anyhow::anyhow!("No valid signature found.")) } } } -- 2.30.2
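Review bot: in the second hunk the inner loop reuses `n` (`for (n, e) in cause.enumerate()`) while the outer `for (n, err) in errors.iter().enumerate()` is still in scope, so `n` silently changes meaning between the `Signature #{n}` line and the `\t{n}: {e}` lines; renaming the inner index (e.g. `for (i, cause) in ...`) avoids the confusion when someone later adds a reference to the outer index inside that block. The manual `cause.len() > 1` check followed by `cause.next()` could also be written as `error.chain().skip(1)` with a peek/emptiness check, which drops the "already included in `err` above" comment and the reliance on `ExactSizeIterator::len`.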
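To show what the "Caused by:" block above is built from, here is an added, std-only Rust example (not code from the patch, proxmox-offline-mirror, sequoia or anyhow): a constructed error type with a nested source chain, a walker that follows `Error::source()` the way anyhow's `chain()` does (minus the error itself), and a renderer that produces the same layout as the new verifier output, including the single-error case (no "Encountered ... errors:" header) and an error with no cause (no "Caused by:" block). The message strings are copied from the commit message; the cause-less "no matching key" error is a made-up stand-in for sequoia's MissingKey variant.

```rust
use std::error::Error;
use std::fmt;

/// Constructed stand-in for the errors the verifier hands back: a message
/// plus an optional nested cause. Not sequoia's or anyhow's types; std only.
#[derive(Debug)]
pub struct ChainedError {
    msg: String,
    source: Option<Box<dyn Error + 'static>>,
}

impl ChainedError {
    pub fn new(msg: &str, source: Option<ChainedError>) -> Self {
        ChainedError {
            msg: msg.to_string(),
            source: source.map(|e| Box::new(e) as Box<dyn Error + 'static>),
        }
    }
}

impl fmt::Display for ChainedError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.msg)
    }
}

impl Error for ChainedError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        self.source.as_deref()
    }
}

/// Collect the Display text of every cause below `err`, outermost first,
/// by following `Error::source()`. This is what anyhow's `chain()` yields
/// after its first element (the error itself), which the patch skips.
pub fn causes(err: &dyn Error) -> Vec<String> {
    let mut out = Vec::new();
    let mut cur = err.source();
    while let Some(c) = cur {
        out.push(c.to_string());
        cur = c.source();
    }
    out
}

/// Render per-signature failures in the layout the patch prints: a header
/// only when more than one signature failed, one line per failure, and a
/// "Caused by:" block only when that failure carries a cause chain.
pub fn render_failures(errors: &[ChainedError]) -> String {
    let mut out = String::new();
    if errors.len() > 1 {
        out.push_str(&format!("Encountered {} errors:\n", errors.len()));
    }
    for (n, err) in errors.iter().enumerate() {
        if errors.len() > 1 {
            out.push_str(&format!("Signature #{n}: {err}\n"));
        } else {
            out.push_str(&format!("{err}\n"));
        }
        let chain = causes(err);
        if !chain.is_empty() {
            out.push_str("Caused by:\n");
            for (i, cause) in chain.iter().enumerate() {
                out.push_str(&format!("\t{i}: {cause}\n"));
            }
        }
    }
    out.push_str("Error: No valid signature found.\n");
    out
}

/// The SHA-1 rejection from the commit message, rebuilt as a three-level
/// chain (binding failure -> policy rejection -> hash deprecation).
pub fn sha1_rejection() -> ChainedError {
    ChainedError::new(
        "Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z",
        Some(ChainedError::new(
            "Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance",
            Some(ChainedError::new(
                "SHA1 is not considered secure since 2023-02-01T00:00:00Z",
                None,
            )),
        )),
    )
}

/// Constructed cause-less failure, standing in for a MissingKey-style error.
pub fn missing_key() -> ChainedError {
    ChainedError::new("(constructed) no matching key for this signature", None)
}

fn main() {
    // Single failing signature: no header, but a cause chain.
    print!("{}", render_failures(&[sha1_rejection()]));
    // Two failing signatures: header, numbered entries, one chain.
    print!("{}", render_failures(&[sha1_rejection(), missing_key()]));
}
```

The renderer returns a String instead of writing to stderr so the layout can be checked in a test; the verifier in the patch prints the same shape line by line with `eprintln!`.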