pgp: do not fail on expired keys

Author: neolynx

deb/remote.go

@@ -417,7 +417,7 @@ func (repo *RemoteRepo) Fetch(d aptly.Downloader, verifier pgp.Verifier, ignoreS
 			return err
 		}
 
-		err = verifier.VerifyDetachedSignature(releasesig, release, true)
+		_, err = verifier.VerifyDetachedSignature(releasesig, release, true)
 		if err != nil {
 			return err
 		}
@@ -600,7 +600,7 @@ func (repo *RemoteRepo) DownloadPackageIndexes(progress aptly.Progress, d aptly.
 						return err
 					}
 
-					err = verifier.VerifyDetachedSignature(filesig, packagesFile, false)
+					_, err = verifier.VerifyDetachedSignature(filesig, packagesFile, false)
 					if err != nil {
 						return err
 					}

deb/remote_test.go

@@ -29,8 +29,8 @@ func (n *NullVerifier) InitKeyring(_ bool) error {
 func (n *NullVerifier) AddKeyring(keyring string) {
 }
 
-func (n *NullVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, hint bool) error {
-	return nil
+func (n *NullVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, hint bool) (*pgp.KeyInfo, error) {
+	return &pgp.KeyInfo{}, nil
 }
 
 func (n *NullVerifier) VerifyClearsigned(clearsigned io.Reader, hint bool) (*pgp.KeyInfo, error) {

pgp/gnupg.go

@@ -292,12 +292,12 @@ func (g *GpgVerifier) runGpgv(args []string, context string, showKeyTip bool) (*
 }
 
 // VerifyDetachedSignature verifies combination of signature and cleartext using gpgv
-func (g *GpgVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) error {
+func (g *GpgVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) (*KeyInfo, error) {
 	args := g.argsKeyrings()
 
 	sigf, err := os.CreateTemp("", "aptly-gpg")
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer func() {
 		_ = os.Remove(sigf.Name())
@@ -306,12 +306,12 @@ func (g *GpgVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, sh
 
 	_, err = io.Copy(sigf, signature)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	clearf, err := os.CreateTemp("", "aptly-gpg")
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer func() {
 		_ = os.Remove(clearf.Name())
@@ -320,12 +320,16 @@ func (g *GpgVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, sh
 
 	_, err = io.Copy(clearf, cleartext)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	args = append(args, sigf.Name(), clearf.Name())
 	_, err = g.runGpgv(args, "detached signature", showKeyTip)
-	return err
+	if err != nil {
+		return nil, err
+	}
+
+	return &KeyInfo{}, nil
 }
 
 // IsClearSigned returns true if file contains signature

pgp/internal.go

@@ -392,7 +392,7 @@ func (g *GoVerifier) printLog(signers []signatureResult) {
 }
 
 // VerifyDetachedSignature verifies combination of signature and cleartext using gpgv
-func (g *GoVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) error {
+func (g *GoVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) (*KeyInfo, error) {
 	var signatureBuf bytes.Buffer
 
 	signers, missingKeys, err := checkArmoredDetachedSignature(g.trustedKeyring, cleartext, io.TeeReader(signature, &signatureBuf))
@@ -409,16 +409,24 @@ func (g *GoVerifier) VerifyDetachedSignature(signature, cleartext io.Reader, sho
 	}
 
 	if err != nil {
-		return errors.Wrap(err, "failed to verify detached signature")
+		return nil, errors.Wrap(err, "failed to verify detached signature")
 	}
 
+	result := &KeyInfo{}
+
 	for _, signer := range signers {
-		if signer.Entity != nil && signer.IsExpired {
-			return errors.Errorf("signature key %s has expired", KeyFromUint64(signer.IssuerKeyID))
+		if signer.Entity != nil {
+			if signer.IsExpired {
+				result.ExpiredKeys = append(result.ExpiredKeys, KeyFromUint64(signer.IssuerKeyID))
+			} else {
+				result.GoodKeys = append(result.GoodKeys, KeyFromUint64(signer.IssuerKeyID))
+			}
+		} else {
+			result.MissingKeys = append(result.MissingKeys, KeyFromUint64(signer.IssuerKeyID))
 		}
 	}
 
-	return nil
+	return result, nil
 }
 
 // IsClearSigned returns true if file contains signature

pgp/pgp.go

@@ -54,7 +54,7 @@ type Signer interface {
 type Verifier interface {
 	InitKeyring(verbose bool) error
 	AddKeyring(keyring string)
-	VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) error
+	VerifyDetachedSignature(signature, cleartext io.Reader, showKeyTip bool) (*KeyInfo, error)
 	IsClearSigned(clearsigned io.Reader) (bool, error)
 	VerifyClearsigned(clearsigned io.Reader, showKeyTip bool) (*KeyInfo, error)
 	ExtractClearsigned(clearsigned io.Reader) (text *os.File, err error)

pgp/sign_test.go

@@ -72,7 +72,7 @@ func (s *SignerSuite) testSignDetached(c *C) {
 	err := s.signer.DetachedSign(s.clearF.Name(), s.signedF.Name())
 	c.Assert(err, IsNil)
 
-	err = s.verifier.VerifyDetachedSignature(s.signedF, s.clearF, false)
+	_, err = s.verifier.VerifyDetachedSignature(s.signedF, s.clearF, false)
 	c.Assert(err, IsNil)
 }
 

pgp/verify_test.go

@@ -16,20 +16,25 @@ type VerifierSuite struct {
 func (s *VerifierSuite) TestVerifyDetached(c *C) {
 	for _, test := range []struct {
 		textName, signatureName string
+		expiredKeys             []Key
 	}{
-		{"1.text", "1.signature"},
-		{"2.text", "2.signature"},
-		{"3.text", "3.signature"},
-		{"4.text", "4.signature"},
+		{"1.text", "1.signature", nil},
+		{"2.text", "2.signature", nil},
+		{"3.text", "3.signature", nil},
+		// 4.signature is signed by an expired key (wheezy, 8B48AD6246925553)
+		{"4.text", "4.signature", []Key{"8B48AD6246925553"}},
 	} {
 		cleartext, err := os.Open(test.textName)
 		c.Assert(err, IsNil)
 
 		signature, err := os.Open(test.signatureName)
 		c.Assert(err, IsNil)
 
-		err = s.verifier.VerifyDetachedSignature(signature, cleartext, false)
+		keyInfo, err := s.verifier.VerifyDetachedSignature(signature, cleartext, false)
 		c.Assert(err, IsNil)
+		if test.expiredKeys != nil {
+			c.Check(keyInfo.ExpiredKeys, DeepEquals, test.expiredKeys)
+		}
 
 		_ = signature.Close()
 		_ = cleartext.Close()
@@ -47,8 +52,10 @@ func (s *VerifierSuite) TestVerifyClearsigned(c *C) {
 
 		keyInfo, err := s.verifier.VerifyClearsigned(clearsigned, false)
 		c.Assert(err, IsNil)
-		c.Check(keyInfo.GoodKeys, DeepEquals, []Key{"04EE7237B7D453EC", "648ACFD622F3D138", "DCC9EFBF77E11517"})
+		// 04EE7237B7D453EC (stretch) is expired and must appear in ExpiredKeys, not GoodKeys
+		c.Check(keyInfo.GoodKeys, DeepEquals, []Key{"648ACFD622F3D138", "DCC9EFBF77E11517"})
 		c.Check(keyInfo.MissingKeys, DeepEquals, []Key(nil))
+		c.Check(keyInfo.ExpiredKeys, DeepEquals, []Key{"04EE7237B7D453EC"})
 
 		_ = clearsigned.Close()
 	}