Missing fingerprint in PMD leads to an error #555
The message comes from our source code, here are the relevant places |
The code compares that for a PMD section like this:

```json
{
  "public_openpgp_keys": [
    {
      "fingerprint": "804FED63730227FF2FB6D9712EA2477380F3EDCB",
      "url": "https://intevation.de/.well-known/csaf/openpgp/804FED63730227FF2FB6D9712EA2477380F3EDCB.asc"
    }
  ]
}
```

the fingerprint calculated from the downloaded file from the URL matches the given string for |
The following patch adds more detail to the checker output: diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index 451a315..b0929a8 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -1519,7 +1519,7 @@ func (p *processor) checkPGPKeys(_ string) error {
}
if !strings.EqualFold(ckey.GetFingerprint(), string(key.Fingerprint)) {
- p.badPGPs.error("Fingerprint of public OpenPGP key %s does not match remotely loaded.", u)
+ p.badPGPs.error("Given Fingerprint ('%s') of public OpenPGP key %s does not match remotely loaded ('%s').", string(key.Fingerprint), u, ckey.GetFingerprint())
continue
}
if p.keys == nil { Edit: |
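Review bot: the `+` line still raises a hard error when `key.Fingerprint` is empty, which is the case named in the issue title; the output would then read `Given Fingerprint ('')`, so a reader still cannot tell a missing fingerprint from a wrong one. Consider testing `string(key.Fingerprint) == ""` before the `strings.EqualFold` comparison and emitting a separate warning there, keeping the two-value message for a genuine mismatch. Minor: lower-case `fingerprint` mid-sentence would match the original wording.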
Looking at https://docs.oasis-open.org/csaf/csaf/v2.0/provider_json_schema.json

```json
"public_openpgp_keys": {
  "title": "List of public OpenPGP keys",
  "description": "Contains a list of OpenPGP keys used to sign CSAF documents.",
  "type": "array",
  "items": {
    "title": "PGP keys",
    "description": "Contains all information about an OpenPGP key used to sign CSAF documents.",
    "type": "object",
    "required": [
      "url"
    ],
    "properties": {
      "fingerprint": {
        "title": "Fingerprint of the key",
        "description": "Contains the fingerprint of the OpenPGP key.",
        "type": "string",
        "minLength": 40,
        "pattern": "^[0-9a-fA-F]{40,}$"
      },
      "url": {
        "title": "URL of the key",
        "description": "Contains the URL where the key can be retrieved.",
        "$ref": "#/$defs/url_t"
      }
    }
  }
}
```

The schema does not seem to mandate the fingerprint, which is in contrast to Example 124 (see https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#717-requirement-7-provider-metadatajson) which is labelled Minimal but contains a So either the Standard needs a small correction or the schema. The checker acts more like the standard. |
The checker will check all signatures against the pubkeys provided in the PMD. So the message @tschmidtb51 are all questions answered for you? As a follow-up and part of this issue, should we:
|
Yes. Thank you for the fast analysis.
Yes. Please do so.
Already done in oasis-tcs/csaf#764 (I took the liberty to copy your analysis.). |
As oasis-tcs/csaf#764 says:
we will turn a missing fingerprint into a warning. So we have to change the implementation in two ways: And checking that it works in all places where this is considered, at least checker and downloader. |
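Added example, not code from the csaf project, showing in Go the check discussed in this thread: where the "remotely loaded" fingerprint comes from (the RFC 4880 v4 fingerprint over the public-key packet), the schema pattern on the given string, the case-insensitive comparison with both values in the message, and the missing-fingerprint case reported as a warning instead of an error. It assumes the key file has already been downloaded and de-armored into a packet body; `sampleKeyBody` is a constructed packet body, not a real key.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// pmdKey mirrors one entry of "public_openpgp_keys"; the schema makes fingerprint optional.
type pmdKey struct {
	Fingerprint string `json:"fingerprint"`
	URL         string `json:"url"`
}

// v4Fingerprint is where the "remotely loaded" fingerprint comes from (RFC 4880 12.2):
// SHA-1 over 0x99, the two-byte body length and the public-key packet body.
func v4Fingerprint(body []byte) string {
	h := sha1.New()
	h.Write([]byte{0x99, byte(len(body) >> 8), byte(len(body))})
	h.Write(body)
	return strings.ToUpper(hex.EncodeToString(h.Sum(nil)))
}

// sampleKeyBody is a constructed packet body, not a real key: v4, creation time 0, RSA, MPI n = 0x010001, MPI e = 3.
var sampleKeyBody = []byte{0x04, 0, 0, 0, 0, 0x01, 0x00, 0x11, 0x01, 0x00, 0x01, 0x00, 0x02, 0x03}

// checkPMDKeys parses public_openpgp_keys from a PMD body; loaded maps each key URL to the
// fingerprint of the key downloaded from it. It returns one finding per problem: a missing
// fingerprint is a warning, a schema violation or a case-insensitive mismatch is an error.
func checkPMDKeys(pmd []byte, loaded map[string]string) ([]string, error) {
	var doc struct{ Keys []pmdKey `json:"public_openpgp_keys"` }
	if err := json.Unmarshal(pmd, &doc); err != nil {
		return nil, err
	}
	fpPattern := regexp.MustCompile(`^[0-9a-fA-F]{40,}$`) // schema pattern for "fingerprint"
	var findings []string
	for _, k := range doc.Keys {
		got := loaded[k.URL]
		switch {
		case k.Fingerprint == "":
			findings = append(findings, fmt.Sprintf("warning: no fingerprint given for key %s (remotely loaded '%s')", k.URL, got))
		case !fpPattern.MatchString(k.Fingerprint):
			findings = append(findings, fmt.Sprintf("error: fingerprint '%s' of key %s violates the schema pattern", k.Fingerprint, k.URL))
		case !strings.EqualFold(k.Fingerprint, got):
			findings = append(findings, fmt.Sprintf("error: given fingerprint ('%s') of key %s does not match remotely loaded ('%s')", k.Fingerprint, k.URL, got))
		}
	}
	return findings, nil
}
```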
Warn if no fingerprint is specified and give more details, if fingerprint comparison fails. Closes #555
Warn if no fingerprint is specified and give more details, if fingerprint comparison fails. Closes #555
#558 is back to draft, as we need a version without API change for 3.x. |
@koplas thanks for doing the test in #558. The test shows that an empty fingerprint will already hit the schema test barrier. Can you do a merge request that does not change the public API, but adds the additional details for a missing or unmatching fingerprint next? That would be a significant improvement for the analysis and we can release it with the next 3.x release. We should then open a new issue with the wish to improve diagnostics when there is an empty fingerprint and discuss technical options there. One option is to see if we can get more details about the failed schema check to users. |
Today, I came across a weird report regarding OpenPGP stating:
In the same report, it says:
That does not make sense to me: Either the OpenPGP key couldn't be loaded (then one can't check signatures) or the OpenPGP key was loaded. Also, it is not quite clear to me what "Fingerprint of public OpenPGP key https://example.com/.well-known/csaf/openpgp/4C071FE3584D1E7CD70FE8B2CF9436A769B3A45B.asc does not match remotely loaded." means. Where does the fingerprint come from?
(Sorry, I needed to redact some values for privacy concerns.)