tschmidtb51
commented
3 months ago Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?
Closed koplas closed 2 months ago
tschmidtb51
commented
3 months ago Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?
koplas
commented
3 months ago Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?
No, in this implementation, both cases are handled the same. To separate both cases, csaf.PGPKey needs to be changed, which affects the public API.
tschmidtb51
commented
3 months ago Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?
No, in this implementation, both cases are handled the same. To separate both cases,
csaf.PGPKeyneeds to be changed, which affects the public API.
In future versions, we should differentiate that. @bernhardreiter / @s-l-teichmann: Please decide when it makes most sense to implemented this.
bernhardreiter
commented
2 months ago Is the case "no fingerprint is given for this key" differentiated from "an empty fingerprint is given for this key"?
To separate both cases,
csaf.PGPKeyneeds to be changed, which affects the public API.
Then we should not implement it for 3.x as we would need to go to version 4 if we change the public API. @koplas can you implement a version that just gives more details for 3.x? (Please do not put in unrelated whitespace changes.)
@tschmidtb51 wrote:
In future versions, we should differentiate that.
If I understand the schema correctly there is a "minLength": 40 in place. So I'd expect an empty fingerprint value would violate the schema. So I expect both cases to result into to different messages. @koplas can you test what happens with an empty fingerprint value in the current code?
bernhardreiter
commented
2 months ago (@s-l-teichmann sorry for the back and forth of your review. It has been addressed and I am trying to remove you as a requested reviewer, which somehow does not work.)
koplas
commented
2 months ago If I understand the schema correctly there is a
"minLength": 40in place. So I'd expect an empty fingerprint value would violate the schema. So I expect both cases to result into to different messages. @koplas can you test what happens with an empty fingerprint value in the current code?
If the fingerprint is empty, the csaf_checker prints the following error message:
2024/09/06 17:45:27 Could not parse the Provider-Metadata.json of: xxx
{
"version": "3.0.1-40-g3f9a820",
"date": "2024-09-06T15:45:26.49410493Z"
}Using the csaf_downloader will result in
{"time":"2024-09-06T17:51:38+02:00","level":"ERROR","msg":"Loading provider-metadata.json","domain":"xxx","message":"https://xxx/.well-known/csaf/provider-metadata.json: Validating against JSON schema failed: <nil>"}
...
{"time":"2024-09-06T17:51:38+02:00","level":"INFO","msg":"error: no valid provider-metadata.json found for 'xxx'"}No additional error messages are printed with this branch and the schema validation prevents the check for empty fingerprints.
For invalid fingerprints the csaf_checker reports:
{
"num": 20,
"description": "Public OpenPGP Key",
"messages": [
{
"type": 2,
"text": "Given Fingerprint (\"B8914CA2F11139C6A69A0018FB3CD9B15DE61596\") of public OpenPGP key \"https://xxx/.well-known/csaf/openpgp/pubkey.asc\" does not match remotely loaded (\"a8914ca2f11139c6a69a0018fb3cd9b15de61596\")."
},
{
"type": 0,
"text": "No OpenPGP keys loaded."
}
]
}And the csaf_downloader reports:
{"time":"2024-09-06T17:57:41+02:00","level":"WARN","msg":"Fingerprint of public OpenPGP key does not match remotely loaded","url":"https://xxx/.well-known/csaf/openpgp/pubkey.asc","fingerprint":"B8914CA2F11139C6A69A0018FB3CD9B15DE61596","remote-fingerprint":"a8914ca2f11139c6a69a0018fb3cd9b15de61596"}As discussed in #555 we won't be using this approach.
This pull request introduces an API change, which allows for a better diagnosis of fingerprint errors.