From 9037574d967da7ad80972edde4b74810c735e11c Mon Sep 17 00:00:00 2001
From: koplas <54645365+koplas@users.noreply.github.com>
Date: Thu, 8 Aug 2024 12:17:58 +0200
Subject: [PATCH 1/3] Improve PGP fingerprint handling

Warn if no fingerprint is specified and give more details, if fingerprint comparison fails.

Closes #555
---
 cmd/csaf_checker/processor.go | 9 +++++++--
 cmd/csaf_downloader/downloader.go | 7 ++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index 451a315c..b5f949e2 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -1449,7 +1449,7 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error {
 }
 
 // checkPGPKeys checks if the OpenPGP keys are available and valid, fetches
-// the the remotely keys and compares the fingerprints.
+// the remotely keys and compares the fingerprints.
 // As a result of these a respective error messages are passed to badPGP method
 // in case of errors. It returns nil if all checks are passed.
 func (p *processor) checkPGPKeys(_ string) error {
@@ -1518,8 +1518,13 @@ func (p *processor) checkPGPKeys(_ string) error {
 continue
 }
 
+ if key.Fingerprint == "" {
+ p.badPGPs.warn("No fingerprint for public OpenPGP key found.")
+ continue
+ }
+
 if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
- p.badPGPs.error("Fingerprint of public OpenPGP key %s does not match remotely loaded.", u)
+ p.badPGPs.error("Given Fingerprint (%q) of public OpenPGP key %q does not match remotely loaded (%q).", string(key.Fingerprint), u, ckey.GetFingerprint())
 continue
 }
 if p.keys == nil {
diff --git a/cmd/csaf_downloader/downloader.go b/cmd/csaf_downloader/downloader.go
index badf0605..a5eeb714 100644
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
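Review bot: The new branch `p.badPGPs.warn("No fingerprint for public OpenPGP key found.")` in the second processor.go hunk does not say which key it is about, while the mismatch error a few lines below names the key URL `u` and both fingerprints; when several keys are listed an operator cannot tell which one is unverifiable. The same gap is in the downloader.go hunk of this patch, where `slog.Warn("No fingerprint for public OpenPGP key found.")` omits the `"url", u` attribute that the neighbouring slog.Warn call already passes. Suggest `p.badPGPs.warn("No fingerprint for public OpenPGP key %q found.", u)` (assuming warn takes a format string the way error does) and `slog.Warn("No fingerprint for public OpenPGP key found.", "url", u)`. Skipping the key with `continue` is the safe outcome, since a key that cannot be bound to a configured fingerprint is kept out of p.keys and d.keys. checkPGPKeys starts and ends outside the hunk, as does loadOpenPGPKeys.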
@@ -366,10 +366,15 @@ func (d *downloader) loadOpenPGPKeys(
 continue
 }
 
+ if key.Fingerprint == "" {
+ slog.Warn("No fingerprint for public OpenPGP key found.")
+ continue
+ }
+
 if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
 slog.Warn(
 "Fingerprint of public OpenPGP key does not match remotely loaded",
- "url", u)
+ "url", u, "fingerprint", key.Fingerprint, "remote-fingerprint", ckey.GetFingerprint())
 continue
 }
 if d.keys == nil {

From c2e24f7bbb1b49f5bcdd6163aad4b03e05398f31 Mon Sep 17 00:00:00 2001
From: koplas
Date: Fri, 6 Sep 2024 18:18:37 +0200
Subject: [PATCH 2/3] Remove check for empty fingerprint

The schema validation already catches this error and this check will never run.
---
 cmd/csaf_checker/processor.go | 5 -----
 cmd/csaf_downloader/downloader.go | 5 -----
 2 files changed, 10 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index b5f949e2..d05a9ec3 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -1518,11 +1518,6 @@ func (p *processor) checkPGPKeys(_ string) error {
 continue
 }
 
- if key.Fingerprint == "" {
- p.badPGPs.warn("No fingerprint for public OpenPGP key found.")
- continue
- }
-
 if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
 p.badPGPs.error("Given Fingerprint (%q) of public OpenPGP key %q does not match remotely loaded (%q).", string(key.Fingerprint), u, ckey.GetFingerprint())
 continue
diff --git a/cmd/csaf_downloader/downloader.go b/cmd/csaf_downloader/downloader.go
index a5eeb714..7e074490 100644
--- a/cmd/csaf_downloader/downloader.go
+++ b/cmd/csaf_downloader/downloader.go
@@ -366,11 +366,6 @@ func (d *downloader) loadOpenPGPKeys(
 continue
 }
 
- if key.Fingerprint == "" {
- slog.Warn("No fingerprint for public OpenPGP key found.")
- continue
- }
-
 if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
 slog.Warn(
 "Fingerprint of public OpenPGP key does not match remotely loaded",
From 5231b3386b8126b248cc8cc9be451063caa17aab Mon Sep 17 00:00:00 2001
From: Bernhard Reiter
Date: Sat, 7 Sep 2024 09:58:14 +0200
Subject: [PATCH 3/3] docs: improve code comment (minor)

---
 cmd/csaf_checker/processor.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index d05a9ec3..c0034ca9 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -1449,9 +1449,9 @@ func (p *processor) checkWellknownSecurityDNS(domain string) error {
 }
 
 // checkPGPKeys checks if the OpenPGP keys are available and valid, fetches
-// the remotely keys and compares the fingerprints.
-// As a result of these a respective error messages are passed to badPGP method
-// in case of errors. It returns nil if all checks are passed.
+// the remote pubkeys and compares the fingerprints.
+// As a result of these checks respective error messages are passed
+// to badPGP methods. It returns nil if all checks are passed.
 func (p *processor) checkPGPKeys(_ string) error {
 p.badPGPs.use()