validation: Report lack of signature

Message ID	20211002025717.3337059-1-keescook@chromium.org (mailing list archive)
State	New, archived
Headers	show Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E1CEC29CA for <tools@linux.kernel.org>; Sat, 2 Oct 2021 02:57:36 +0000 (UTC) From: Kees Cook <keescook@chromium.org> To: Konstantin Ryabitsev <konstantin@linuxfoundation.org> Cc: Kees Cook <keescook@chromium.org>, tools@linux.kernel.org Subject: [PATCH] validation: Report lack of signature Date: Fri, 1 Oct 2021 19:57:17 -0700 Message-Id: <20211002025717.3337059-1-keescook@chromium.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	validation: Report lack of signature \| expand validation: Report lack of signature

Message ID

20211002025717.3337059-1-keescook@chromium.org (mailing list archive)

State

New, archived

Headers

From: Kees Cook <keescook@chromium.org>
To: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Cc: Kees Cook <keescook@chromium.org>,
	tools@linux.kernel.org
Subject: [PATCH] validation: Report lack of signature
Date: Fri,  1 Oct 2021 19:57:17 -0700
Message-Id: <20211002025717.3337059-1-keescook@chromium.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

validation: Report lack of signature | expand

Commit Message

Kees Cook Oct. 2, 2021, 2:57 a.m. UTC

If we're trying to cryptographically validate a message, not having a
signature is not a success (exit 0). Use a specific return code for this
condition and report it.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 patatt/__init__.py | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Konstantin Ryabitsev Oct. 4, 2021, 8:41 p.m. UTC | #1

On Fri, 1 Oct 2021 19:57:17 -0700, Kees Cook wrote:
> If we're trying to cryptographically validate a message, not having a
> signature is not a success (exit 0). Use a specific return code for this
> condition and report it.
> 
> 

Applied, thanks!

[1/1] validation: Report lack of signature
      commit: 4870cf5db4325622ee68f6a47f920e5faea3ffff

Best regards,

diff --git a/patatt/__init__.py b/patatt/__init__.py
index 41b7dfda6b75..5d880bcf32b1 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -36,6 +36,7 @@  DEVKEY_HDR = b'X-Developer-Key'
 
 # Result and severity levels
 RES_VALID = 0
+RES_NOSIG = 4
 RES_NOKEY = 8
 RES_ERROR = 16
 RES_BADSIG = 32
@@ -919,6 +920,7 @@  def validate_message(msgdata: bytes, sources: list, trim_body: bool = False) ->
     pm = PatattMessage(msgdata)
     if not pm.signed:
         logger.debug('message is not signed')
+        attestations.append((RES_NOSIG, None, None, None, None, ['no signatures found']))
         return attestations
 
     # Find all identities for which we have public keys
@@ -1019,6 +1021,10 @@  def cmd_validate(cmdargs, config: dict):
                         logger.info('       | key: %s', keysrc)
                     else:
                         logger.info('       | key: default GnuPG keyring')
+                elif result <= RES_NOSIG:
+                    logger.critical(' NOSIG | %s', fn)
+                    for error in errors:
+                        logger.critical('       | %s', error)
                 elif result <= RES_NOKEY:
                     logger.critical(' NOKEY | %s, %s', identity, fn)
                     for error in errors:

validation: Report lack of signature

Commit Message

Comments

Patch