improve GPG error messages

e.g., when encoutering a key that is self-signed with SHA-1 (which is not that uncommon for non-distro repositories that have an old key), instead of the following: ----8<---- Fetching Release/Release.gpg files -> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'.. -> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'.. Verifying 'Release(.gpg)' signature using provided repository key.. Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z Error: encountered 1 error(s) ---->8---- which only gives us a rought idea that something is wrong with a key signature, we now get the following: ----8<---- Fetching Release/Release.gpg files -> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release.gpg'.. -> GET 'https://download.ceph.com/debian-quincy//dists/bullseye/Release'.. Verifying 'Release(.gpg)' signature using provided repository key.. Subkey of 08B73419AC32B4E966C1A330E84AC2C0460F3994 not bound: No binding signature at time 2022-10-17T22:41:10Z Caused by: 0: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance 1: SHA1 is not considered secure since 2023-02-01T00:00:00Z Error: No valid signature found. ---->8---- which shows us that the key signature was rejected because it's SHA-1, and the (default and currently only) policy doesn't allow that (anymore). the output is also improved in case the Release file is signed multiple times and none of the signatures are accepted. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-08-16 08:20:40 +00:00 · 2023-04-04 09:48:20 +02:00 · 2023-04-04 09:48:20 +02:00 · c71d434935
commit c71d434935
parent ab7b070305
1 changed files with 30 additions and 5 deletions
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@ -3,8 +3,8 @@ use anyhow::{bail, Error};
 use sequoia_openpgp::{
    parse::{
        stream::{
-            DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationHelper,
-            VerifierBuilder,
+            DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
+            VerificationHelper, VerifierBuilder,
        },
        Parse,
    },
@ -53,10 +53,35 @@ impl<'a> VerificationHelper for Helper<'a> {
        if good {
            Ok(()) // Good signature.
        } else {
-            for err in &errors {
-                eprintln!("\t{err}");
+            if errors.len() > 1 {
+                eprintln!("\nEncountered {} errors:", errors.len());
            }
-            Err(anyhow::anyhow!("encountered {} error(s)", errors.len()))
+
+            for (n, err) in errors.iter().enumerate() {
+                if errors.len() > 1 {
+                    eprintln!("\nSignature #{n}: {err}");
+                } else {
+                    eprintln!("\n{err}");
+                }
+                match err {
+                    VerificationError::MalformedSignature { error, .. }
+                    | VerificationError::UnboundKey { error, .. }
+                    | VerificationError::BadKey { error, .. }
+                    | VerificationError::BadSignature { error, .. } => {
+                        let mut cause = error.chain();
+                        if cause.len() > 1 {
+                            cause.next(); // already included in `err` above
+                            eprintln!("Caused by:");
+                            for (n, e) in cause.enumerate() {
+                                eprintln!("\t{n}: {e}");
+                            }
+                        }
+                    }
+                    VerificationError::MissingKey { .. } => {} // doesn't contain a cause
+                };
+            }
+            eprintln!();
+            Err(anyhow::anyhow!("No valid signature found."))
        }
    }
 }