From 9e442c386a375867ccc5d3f438c4a3a1e2fd5ec9 Mon Sep 17 00:00:00 2001
From: Reckless_Satoshi <90936742+Reckless-Satoshi@users.noreply.github.com>
Date: Sun, 7 Jul 2024 11:04:14 +0000
Subject: [PATCH] fix verify_signed_message (#1371)

verify_signed_message was not checking for the validity of the signature. The documentation of python-gnupg is not clear about this, it says that the fiels are set just if the signature is valid. In this case tests/robots/1/signed_message was signed with the correct key but with the wrong digest-algo (SHA256 instead of SHA512) as expressed on the signature. Running gpg --verify tests/robots/1/signed_message returned: gpg: WARNING: signature digest conflict in message gpg: Can't check signature: General error and a non zero error code, but verify_signed_message was not catching this because verified.fingerprint was set even though verified.valid was False.

Co-authored-by: jerryfletcher21
---
 api/utils.py | 2 +-
 tests/robots/1/signed_message | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/utils.py b/api/utils.py
index 10f938c1..83dfb25d 100644
--- a/api/utils.py
+++ b/api/utils.py
@@ -447,7 +447,7 @@ def verify_signed_message(pub_key, signed_message):
 
     # verify the signed message
     verified = gpg.verify(signed_message)
-    if verified.fingerprint == import_result.fingerprints[0]:
+    if verified.valid and verified.fingerprint == import_result.fingerprints[0]:
         header = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
         footer = "-----BEGIN PGP SIGNATURE-----"
         cleartext_message = signed_message.split(header)[1].split(footer)[0].strip()
diff --git a/tests/robots/1/signed_message b/tests/robots/1/signed_message
index 6be10ef6..2f88965f 100644
--- a/tests/robots/1/signed_message
+++ b/tests/robots/1/signed_message
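Review bot: The new condition still indexes `import_result.fingerprints[0]` without checking that the import produced a fingerprint, so a `pub_key` that gnupg cannot import would raise IndexError here instead of failing closed, unless `import_result` is already guarded in the part of verify_signed_message before the hunk; `if verified.valid and import_result.fingerprints and verified.fingerprint == import_result.fingerprints[0]:` keeps the check fail-closed. The cleartext extraction on the following lines also remains a fixed-layout string slice: a clearsigned message whose `Hash:` line is not exactly SHA512 makes `split(header)[1]` raise IndexError, and a dash-escaped `- -----BEGIN PGP SIGNATURE-----` inside the signed body both matches `footer` and is never un-escaped, so the returned text can differ from what gpg actually verified. Since the signature is now known good before this point, consider taking the payload from python-gnupg's decrypt output (which, I believe, carries the verified cleartext in `.data` for clearsigned input) or at least wrapping the slice so a layout mismatch returns the same rejection as an invalid signature. verify_signed_message starts before the hunk and continues after it.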
@@ -4,8 +4,8 @@ Hash: SHA512
 bcrt1qrrvml8tr4lkwlqpg9g394tye6s5950qf9tj9e9
 -----BEGIN PGP SIGNATURE-----
 
-iHUEARYIAB0WIQQyIVYjhac1qLz7sLwuNFtLSY2XJAUCZVUUTQAKCRAuNFtLSY2X
-JA4zAP9PW71ZvQglGnexa9LYryVbnI0w3WnWXYaOmowy/aMM5wD/a2xZNk95DiDq
-s8PnKT41yS+QIBrn7+iZ2DqlCjKdNgc=
-=NOcM
+iHUEARYKAB0WIQQyIVYjhac1qLz7sLwuNFtLSY2XJAUCZnxJEwAKCRAuNFtLSY2X
+JEEvAQCh/RPf17JvbodoTbmnyrxWFAeydn3aNefnCVtPrL81XQD/YPMEfIM4f2Tf
+3uPqTn0vtXUKtsYtZvxRi8STL7nXKws=
+=Nlv0
 -----END PGP SIGNATURE-----