Be more verbose in case of signature check failures (#361)

* Simplify handling of signature keys. Be more verbose in case of signature check failures. * Fixed check for having no OpenPGP loaded
2025-12-22 11:55:40 +01:00 · 2023-05-05 15:02:53 +02:00 · 2023-05-05 15:02:53 +02:00 · c263391821
commit c263391821
parent f32fba683d
2 changed files with 17 additions and 20 deletions
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@ -51,7 +51,7 @@ type processor struct {
 	pmdURL         string
 	pmd256         []byte
 	pmd            any
-	keys           []*crypto.KeyRing
+	keys           *crypto.KeyRing

 	invalidAdvisories    topicMessages
 	badFilenames         topicMessages
@ -458,7 +458,7 @@ func (p *processor) integrity(
 			// Check if we are in checking time interval.
 			if p.ageAccept != nil && !p.ageAccept(
 				time.Date(
-					year, 12, 31, // Assume last day og year.
+					year, 12, 31, // Assume last day of year.
 					23, 59, 59, 0, // 23:59:59
 					time.UTC)) {
 				continue
@ -621,18 +621,11 @@ func (p *processor) integrity(
 			continue
 		}

-		if len(p.keys) > 0 {
+		if p.keys != nil {
 			pm := crypto.NewPlainMessage(data.Bytes())
 			t := crypto.GetUnixTime()
-			var verified bool
-			for _, key := range p.keys {
-				if err := key.VerifyDetached(pm, sig, t); err == nil {
-					verified = true
-					break
-				}
-			}
-			if !verified {
-				p.badSignatures.error("Signature of %s could not be verified.", u)
+			if err := p.keys.VerifyDetached(pm, sig, t); err != nil {
+				p.badSignatures.error("Signature of %s could not be verified: %v.", u, err)
 			}
 		}
 	}
@ -1369,15 +1362,18 @@ func (p *processor) checkPGPKeys(_ string) error {
 			p.badPGPs.error("Fingerprint of public OpenPGP key %s does not match remotely loaded.", u)
 			continue
 		}
-		keyring, err := crypto.NewKeyRing(ckey)
-		if err != nil {
+		if p.keys == nil {
+			if keyring, err := crypto.NewKeyRing(ckey); err != nil {
 				p.badPGPs.error("Creating store for public OpenPGP key %s failed: %v.", u, err)
-			continue
+			} else {
+				p.keys = keyring
+			}
+		} else {
+			p.keys.AddKey(ckey)
 		}
-		p.keys = append(p.keys, keyring)
 	}

-	if len(p.keys) == 0 {
+	if p.keys == nil {
 		p.badPGPs.info("No OpenPGP keys loaded.")
 	}
 	return nil
--- a/cmd/csaf_checker/reporters.go
+++ b/cmd/csaf_checker/reporters.go
@ -301,7 +301,8 @@ func (r *publicPGPKeyReporter) report(p *processor, domain *Domain) {
 		return
 	}
 	req.Messages = p.badPGPs
-	if len(p.keys) > 0 {
-		req.message(InfoType, fmt.Sprintf("%d public OpenPGP key(s) loaded.", len(p.keys)))
+	if p.keys != nil {
+		req.message(InfoType, fmt.Sprintf("%d public OpenPGP key(s) loaded.",
+			p.keys.CountEntities()))
 	}
 }