Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Differentiate between empty or no fingerprint #558

Closed
wants to merge 2 commits into from

Conversation

koplas
Copy link
Contributor

@koplas koplas commented Aug 8, 2024

This pull request introduces an API change, which allows for a better diagnosis of fingerprint errors.

@koplas koplas requested a review from JanHoefelmeyer August 8, 2024 10:25
cmd/csaf_checker/processor.go Outdated Show resolved Hide resolved
@koplas koplas force-pushed the fingerprint branch 2 times, most recently from 7f0041f to 9037574 Compare August 8, 2024 10:43
@tschmidtb51
Copy link
Collaborator

Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?

@koplas
Copy link
Contributor Author

koplas commented Aug 10, 2024

Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?

No, in this implementation, both cases are handled the same. To separate both cases, csaf.PGPKey needs to be changed, which affects the public API.

@tschmidtb51
Copy link
Collaborator

Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?

No, in this implementation, both cases are handled the same. To separate both cases, csaf.PGPKey needs to be changed, which affects the public API.

In future versions, we should differentiate that.
@bernhardreiter / @s-l-teichmann: Please decide when it makes most sense to implemented this.

@bernhardreiter
Copy link
Member

Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?

To separate both cases, csaf.PGPKey needs to be changed, which affects the public API.

Then we should not implement it for 3.x as we would need to go to version 4 if we change the public API. @koplas can you implement a version that just gives more details for 3.x? (Please do not put in unrelated whitespace changes.)

@tschmidtb51 wrote:

In future versions, we should differentiate that.

If I understand the schema correctly there is a "minLength": 40 in place. So I'd expect an empty fingerprint value would violate the schema. So I expect both cases to result into to different messages. @koplas can you test what happens with an empty fingerprint value in the current code?

@bernhardreiter bernhardreiter requested review from s-l-teichmann and removed request for JanHoefelmeyer and s-l-teichmann September 4, 2024 15:05
@bernhardreiter bernhardreiter dismissed s-l-teichmann’s stale review September 4, 2024 15:05

this has been improved

@bernhardreiter bernhardreiter requested review from s-l-teichmann and removed request for s-l-teichmann September 4, 2024 15:06
@bernhardreiter bernhardreiter marked this pull request as draft September 4, 2024 15:07
@bernhardreiter
Copy link
Member

(@s-l-teichmann sorry for the back and forth of your review. It has been addressed and I am trying to remove you as a requested reviewer, which somehow does not work.)

@koplas koplas changed the base branch from main to fingerprint-no-breaking September 6, 2024 08:08
@koplas koplas changed the title Improve PGP fingerprint handling Differentiate between empty or no fingerprint Sep 6, 2024
@koplas
Copy link
Contributor Author

koplas commented Sep 6, 2024

If I understand the schema correctly there is a "minLength": 40 in place. So I'd expect an empty fingerprint value would violate the schema. So I expect both cases to result into to different messages. @koplas can you test what happens with an empty fingerprint value in the current code?

If the fingerprint is empty, the csaf_checker prints the following error message:

2024/09/06 17:45:27 Could not parse the Provider-Metadata.json of: xxx
{
  "version": "3.0.1-40-g3f9a820",
  "date": "2024-09-06T15:45:26.49410493Z"
}

Using the csaf_downloader will result in

{"time":"2024-09-06T17:51:38+02:00","level":"ERROR","msg":"Loading provider-metadata.json","domain":"xxx","message":"https://xxx/.well-known/csaf/provider-metadata.json: Validating against JSON schema failed: <nil>"}
...
{"time":"2024-09-06T17:51:38+02:00","level":"INFO","msg":"error: no valid provider-metadata.json found for 'xxx'"}

No additional error messages are printed with this branch and the schema validation prevents the check for empty fingerprints.

For invalid fingerprints the csaf_checker reports:

        {
          "num": 20,
          "description": "Public OpenPGP Key",
          "messages": [
            {
              "type": 2,
              "text": "Given Fingerprint (\"B8914CA2F11139C6A69A0018FB3CD9B15DE61596\") of public OpenPGP key \"https://xxx/.well-known/csaf/openpgp/pubkey.asc\" does not match remotely loaded (\"a8914ca2f11139c6a69a0018fb3cd9b15de61596\")."
            },
            {
              "type": 0,
              "text": "No OpenPGP keys loaded."
            }
          ]
        }

And the csaf_downloader reports:

{"time":"2024-09-06T17:57:41+02:00","level":"WARN","msg":"Fingerprint of public OpenPGP key does not match remotely loaded","url":"https://xxx/.well-known/csaf/openpgp/pubkey.asc","fingerprint":"B8914CA2F11139C6A69A0018FB3CD9B15DE61596","remote-fingerprint":"a8914ca2f11139c6a69a0018fb3cd9b15de61596"}

@bernhardreiter
Copy link
Member

As discussed in #555 we won't be using this approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants