DigitalTrustCenter / sectxt

security.txt parser and validator
European Union Public License 1.2

Improve parser result for improperly signed message #41

Closed bwbroersma closed 1 year ago

bwbroersma commented 1 year ago

We had a problem with some agency having a valid PGP signed message, but starting with white space, which is not valid according to https://www.rfc-editor.org/rfc/rfc9116#section-4:

body             =  signed / unsigned

unsigned       =  *line (contact-field eol) ; one or more required
                  *line (expires-field eol) ; exactly one required
                  *line [lang-field eol] *line ; exactly one optional
                  ; order of fields within the file is not important
                  ; except that if contact-field appears more
                  ; than once, the order of those indicates
                  ; priority (see Section 3.5.3)

; signed is the production that should match the OpenPGP clearsigned
; document
signed           =  cleartext-header
                    1*(hash-header)
                    CRLF
                    cleartext
                    signature

cleartext-header =  %s"-----BEGIN PGP SIGNED MESSAGE-----" CRLF

However, it can still have a valid PGP signature.

That was the start of the confusion, since internet.nl then generates lots of errors (for every PGP line!), e.g.:

Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 2)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 26)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 30)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 31)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 32)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 33)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 34)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 35)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 36)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 37)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 38)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 39)
Error: Line must contain a field name and value, unless the line is blank or contains a comment. (line 40)
Recommendation: security.txt contains an unknown field.  Either this is a custom field which may not be widely supported, or  there is a typo in a standardised field name. (line 3)
Recommendation: Date and time in 'Expires' field should be less than a year into the future. (line 24)
Recommendation: security.txt contains an unknown field.  Either this is a custom field which may not be widely supported, or  there is a typo in a standardised field name. (line 27)
Recommendation: security.txt contains an unknown field.  Either this is a custom field which may not be widely supported, or  there is a typo in a standardised field name. (line 28)
Recommendation: security.txt should be digitally signed.

Which lines would correspond with:

 2 -----BEGIN PGP SIGNED MESSAGE-----
 3 Hash: SHA512
26 -----BEGIN PGP SIGNATURE-----
27 Version: ***
28 Charset: utf-8
30 base64...
31 base64...
32 base64...
33 base64...
34 base64...
35 base64...
36 base64...
37 base64...
38 base64...
39 base64...
40 -----END PGP SIGNATURE-----   

The user did not initially understand that it just needed to remove the initial white space (\r\n), so that

grep -b '^-----BEGIN PGP SIGNED MESSAGE-----' security.txt
0:-----BEGIN PGP SIGNED MESSAGE-----

It would be nice to detect this 'special' misconfiguration of security.txt, since I can see it happening more often, and then generate a complain problem on internet.nl.

DigitalTrustCenter commented 1 year ago

Thank you for reporting this issue.

We looked into it and agree that this situation could be confusing. We have added an additional error, signed_format_issue: if the signed file is not formatted correctly, then the error will be shown with the message "Signed security.txt files must start with the begin pgp signed message as the document header" and it will not have the line errors or unknown field recommendations that it currently would show.

This addition was added in version 0.8.1.
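The following is an added example, not sectxt's own code, that models the behaviour the issue asks for and the maintainer describes: when the file contains PGP armor but the cleartext header is not the very first bytes of the file, report one signed_format_issue (with the line and character offset, like the `grep -b` check above) instead of a "Line must contain a field name and value" error for every armor line and an "unknown field" recommendation for every `Hash:`/`Version:` header. The function names, the set of known fields, and the sample files (the base64 is a placeholder, not a real signature) are constructed for this example; the messages echo the ones quoted in the thread. It also treats a leading UTF-8 BOM the same way, since that is the same class of problem and is invisible in most editors. Signature verification itself is out of scope here; only the layout is checked.

```python
"""Report a single signed_format_issue for a clearsigned security.txt whose
PGP header is not at offset 0 (added example, not sectxt's code)."""
import re
from typing import Dict, List, Tuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIGNATURE = "-----BEGIN PGP SIGNATURE-----"

# "Name: value" as in RFC 9116 section 4; field names are case-insensitive.
FIELD_RE = re.compile(r"^[A-Za-z0-9-]+:[ \t]*\S")
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages", "csaf"}

# Messages mirror the ones quoted in the issue; the code strings are chosen here.
SIGNED_FORMAT_MSG = ("Signed security.txt files must start with the begin pgp "
                     "signed message as the document header")
LINE_MSG = ("Line must contain a field name and value, unless the line is "
            "blank or contains a comment.")


def split_lines(text: str) -> List[str]:
    """Split on CRLF (what RFC 9116 requires) but tolerate bare LF."""
    return text.replace("\r\n", "\n").split("\n")


def clearsigned_body(lines: List[str]) -> Tuple[int, List[str]]:
    """Return (1-based line number of the first cleartext line, cleartext lines).

    Assumes lines[0] is the cleartext header: skip the Hash: headers and the
    blank separator, stop at the signature armor, undo RFC 4880 dash-escaping.
    """
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1                      # Hash: ... headers
    i += 1                          # the CRLF separating headers from text
    start = i + 1
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIGNATURE:
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)
        i += 1
    return start, body


def check_fields(lines: List[str], first_line_no: int) -> List[Dict]:
    """Per-line field checks, applied only to the cleartext (or an unsigned file)."""
    findings = []
    for n, line in enumerate(lines, start=first_line_no):
        if not line.strip() or line.startswith("#"):
            continue
        if not FIELD_RE.match(line):
            findings.append({"severity": "error", "code": "no_line",
                             "line": n, "message": LINE_MSG})
        elif line.split(":", 1)[0].lower() not in KNOWN_FIELDS:
            findings.append({"severity": "recommendation", "code": "unknown_field",
                             "line": n, "message": "security.txt contains an unknown field."})
    return findings


def check_security_txt(text: str) -> List[Dict]:
    lines = split_lines(text)
    if BEGIN_SIGNED not in text:
        return check_fields(lines, 1) + [{
            "severity": "recommendation", "code": "not_signed", "line": None,
            "message": "security.txt should be digitally signed."}]
    if not text.startswith(BEGIN_SIGNED):
        # Armor is present, but something (CRLF, space, BOM, ...) precedes it.
        # Report that once instead of a per-line error for every armor line.
        line_no = next(n for n, l in enumerate(lines, 1) if BEGIN_SIGNED in l)
        return [{"severity": "error", "code": "signed_format_issue",
                 "line": line_no, "offset": text.index(BEGIN_SIGNED),
                 "message": SIGNED_FORMAT_MSG}]
    start, body = clearsigned_body(lines)
    return check_fields(body, start)


# Constructed samples; the base64 line is a placeholder, not a real signature.
SIGNED_OK = "\r\n".join([
    BEGIN_SIGNED, "Hash: SHA512", "",
    "Contact: mailto:security@example.com",
    "Expires: 2025-12-31T23:00:00.000Z",
    BEGIN_SIGNATURE, "", "iQIzBAEBCgAdFiEE...placeholder...",
    "-----END PGP SIGNATURE-----", "",
])
LEADING_CRLF = "\r\n" + SIGNED_OK      # the agency's file from the issue
LEADING_BOM = "\ufeff" + SIGNED_OK     # same problem, invisible in an editor
UNSIGNED_BAD = "Contact: mailto:security@example.com\r\nnot a field\r\n"

if __name__ == "__main__":
    for name, sample in [("ok", SIGNED_OK), ("crlf", LEADING_CRLF),
                         ("bom", LEADING_BOM), ("unsigned", UNSIGNED_BAD)]:
        print(name, check_security_txt(sample))
```

Run as a script it prints the findings for each sample: nothing for the well-formed file, exactly one signed_format_issue (line 2, offset 2) for the file with a leading CRLF, one on line 1 for the BOM case, and the usual per-line error plus the "should be signed" recommendation for the unsigned file. The important design point is the order of the checks: the armor test runs before any field parsing, so the thirteen field errors and three unknown-field recommendations from the issue can never be produced for a file whose only defect is where the header sits.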

bwbroersma commented 1 year ago

Link to commit of the fix: https://github.com/DigitalTrustCenter/sectxt/commit/0143a961d11b2dd1f26c22e0dc0d990c134d7a1c