Validate the security.txt file even when the GPG signature is damaged (#45)

Close #43

Author: spaze

psalm.xml

@@ -32,6 +32,7 @@
 				<referencedMethod name="/.*Test::test.*/" />
 				<referencedMethod name="/.*Test::get.*/" /> <!-- Test data providers -->
 				<referencedMethod name="/Spaze\\SecurityTxt\\Check\\SecurityTxtCheckHostResult::get.*/" />
+				<referencedMethod name="/Spaze\\SecurityTxt\\Signature\\SecurityTxtSignatureErrorInfo::get.*/" />
 				<referencedMethod name="/Spaze\\SecurityTxt\\Violations\\.*::__construct/" />
 				<referencedMethod name="/Spaze\\SecurityTxt\\Violations\\.*::get.*/" />
 				<referencedMethod name="/Spaze\\SecurityTxt\\Parser\\SecurityTxtParseResult::hasErrors/" />

src/Check/SecurityTxtCheckHost.php

@@ -17,7 +17,6 @@
 use Spaze\SecurityTxt\Fetcher\SecurityTxtFetcher;
 use Spaze\SecurityTxt\Parser\SecurityTxtParser;
 use Spaze\SecurityTxt\Parser\SecurityTxtUrlParser;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 use Spaze\SecurityTxt\Violations\SecurityTxtSpecViolation;
 
 final class SecurityTxtCheckHost
@@ -86,7 +85,6 @@ public function __construct(
 	 * @throws SecurityTxtOnlyIpv6HostButIpv6DisabledException
 	 * @throws SecurityTxtHostIpAddressInvalidTypeException
 	 * @throws SecurityTxtHostIpAddressNotFoundException
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	public function check(string $url, ?int $expiresWarningThreshold = null, bool $strictMode = false, bool $requireTopLevelLocation = false, bool $noIpv6 = false): SecurityTxtCheckHostResult
 	{

src/Check/SecurityTxtCheckHostCli.php

@@ -5,7 +5,6 @@
 
 use DateTimeImmutable;
 use Spaze\SecurityTxt\Fetcher\Exceptions\SecurityTxtFetcherException;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 
 final readonly class SecurityTxtCheckHostCli
 {
@@ -120,7 +119,7 @@ function (string $keyFingerprint, DateTimeImmutable $signatureDate): void {
 			} else {
 				$this->exit(CheckExitStatus::Ok);
 			}
-		} catch (SecurityTxtFetcherException | SecurityTxtCannotVerifySignatureException $e) {
+		} catch (SecurityTxtFetcherException $e) {
 			$this->consolePrinter->error($e->getMessage());
 			$this->exit(CheckExitStatus::FileError);
 		}

src/Parser/SecurityTxtParser.php

@@ -23,7 +23,6 @@
 use Spaze\SecurityTxt\Parser\FieldProcessors\PreferredLanguagesSetFieldValue;
 use Spaze\SecurityTxt\SecurityTxt;
 use Spaze\SecurityTxt\SecurityTxtValidationLevel;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 use Spaze\SecurityTxt\Signature\SecurityTxtSignature;
 use Spaze\SecurityTxt\Validator\SecurityTxtValidator;
 use Spaze\SecurityTxt\Violations\SecurityTxtLineNoEol;
@@ -109,9 +108,6 @@ private function processField(int $lineNumber, string $value, SecurityTxtField $
 	}
 
 
-	/**
-	 * @throws SecurityTxtCannotVerifySignatureException
-	 */
 	public function parseString(string $contents, ?string $fileLocation = null, ?int $expiresWarningThreshold = null, bool $strictMode = false): SecurityTxtParseStringResult
 	{
 		$this->expiresWarningThreshold = $expiresWarningThreshold;
@@ -168,9 +164,6 @@ public function parseString(string $contents, ?string $fileLocation = null, ?int
 	}
 
 
-	/**
-	 * @throws SecurityTxtCannotVerifySignatureException
-	 */
 	public function parseFetchResult(SecurityTxtFetchResult $fetchResult, ?int $expiresWarningThreshold = null, bool $strictMode = false): SecurityTxtParseHostResult
 	{
 		$parseResult = $this->parseString($fetchResult->getContents(), $fetchResult->getFinalUrl(), $expiresWarningThreshold, $strictMode);
@@ -184,7 +177,6 @@ public function parseFetchResult(SecurityTxtFetchResult $fetchResult, ?int $expi
 
 	/**
 	 * @param int<1, max> $lineNumber
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	private function checkSignature(int $lineNumber, string $line, string $contents, SecurityTxt $securityTxt): SecurityTxt
 	{

src/Signature/Exceptions/SecurityTxtSignatureErrorInfoException.php

@@ -9,17 +9,26 @@
 abstract class SecurityTxtSignatureErrorInfoException extends SecurityTxtSignatureException
 {
 
-	public function __construct(string $message, SecurityTxtSignatureErrorInfo $errorInfo, ?Throwable $previous = null)
-	{
+	public function __construct(
+		string $message,
+		private readonly SecurityTxtSignatureErrorInfo $errorInfo,
+		?Throwable $previous = null,
+	) {
 		$message = sprintf(
 			'%s: %s; code: %s, source: %s, library message: %s',
 			$message,
-			$errorInfo->getMessage() === false ? '<false>' : ($errorInfo->getMessage() === null ? '<null>' : $errorInfo->getMessage()),
-			$errorInfo->getCode() ?? '<null>',
-			$errorInfo->getSource() ?? '<null>',
-			$errorInfo->getLibraryMessage() ?? '<null>',
+			$errorInfo->getMessageAsString(),
+			$errorInfo->getCodeAsString(),
+			$errorInfo->getSourceAsString(),
+			$errorInfo->getLibraryMessageAsString(),
 		);
 		parent::__construct($message, $errorInfo->getCode() ?? 0, previous: $previous);
 	}
 
+
+	public function getErrorInfo(): SecurityTxtSignatureErrorInfo
+	{
+		return $this->errorInfo;
+	}
+
 }

src/Signature/SecurityTxtSignature.php

@@ -15,6 +15,7 @@
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnknownSigningKeyException;
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnusableSigningKeyException;
 use Spaze\SecurityTxt\Signature\Providers\SecurityTxtSignatureProvider;
+use Spaze\SecurityTxt\Violations\SecurityTxtSignatureCannotVerify;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureExtensionNotLoaded;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureInvalid;
 
@@ -37,14 +38,15 @@ public function __construct(private SecurityTxtSignatureProvider $signatureProvi
 	/**
 	 * @throws SecurityTxtError
 	 * @throws SecurityTxtWarning
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	public function verify(string $contents): SecurityTxtSignatureVerifyResult
 	{
 		try {
 			$signature = $this->signatureProvider->verify($contents);
 		} catch (SecurityTxtCannotCreateSignatureExtensionNotLoadedException $e) {
 			throw new SecurityTxtWarning(new SecurityTxtSignatureExtensionNotLoaded(), $e);
+		} catch (SecurityTxtCannotVerifySignatureException $e) {
+			throw new SecurityTxtWarning(new SecurityTxtSignatureCannotVerify($e->getErrorInfo()), $e);
 		}
 
 		if (!$this->isSignatureKindaOkay($signature->getSummary())) {

src/Signature/SecurityTxtSignatureErrorInfo.php

@@ -21,21 +21,45 @@ public function getMessage(): string|false|null
 	}
 
 
+	public function getMessageAsString(): string
+	{
+		return $this->message === false ? '<false>' : ($this->message === null ? '<null>' : $this->message);
+	}
+
+
 	public function getCode(): ?int
 	{
 		return $this->code;
 	}
 
 
+	public function getCodeAsString(): string
+	{
+		return $this->code !== null ? (string)$this->code : '<null>';
+	}
+
+
 	public function getSource(): ?string
 	{
 		return $this->source;
 	}
 
 
+	public function getSourceAsString(): string
+	{
+		return $this->source ?? '<null>';
+	}
+
+
 	public function getLibraryMessage(): ?string
 	{
 		return $this->libraryMessage;
 	}
 
+
+	public function getLibraryMessageAsString(): string
+	{
+		return $this->libraryMessage ?? '<null>';
+	}
+
 }

src/Violations/SecurityTxtSignatureCannotVerify.php

@@ -0,0 +1,25 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\SecurityTxt\Violations;
+
+use Spaze\SecurityTxt\Signature\SecurityTxtSignatureErrorInfo;
+
+final class SecurityTxtSignatureCannotVerify extends SecurityTxtSpecViolation
+{
+
+	public function __construct(SecurityTxtSignatureErrorInfo $errorInfo)
+	{
+		parent::__construct(
+			func_get_args(),
+			"The file is digitally signed using an OpenPGP cleartext signature but the signature is damaged and cannot be verified (%s, %s, %s, %s)",
+			[$errorInfo->getMessageAsString(), $errorInfo->getCodeAsString(), $errorInfo->getSourceAsString(), $errorInfo->getLibraryMessageAsString()],
+			'draft-foudil-securitytxt-01',
+			null,
+			'Sign the file again',
+			[],
+			'2.3',
+		);
+	}
+
+}

tests/Signature/SecurityTxtSignatureTest.phpt

@@ -20,6 +20,7 @@ use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtSigningKeyNoPassphraseSetE
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnknownSigningKeyException;
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnusableSigningKeyException;
 use Spaze\SecurityTxt\Signature\Providers\SecurityTxtSignatureProvider;
+use Spaze\SecurityTxt\Violations\SecurityTxtSignatureCannotVerify;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureExtensionNotLoaded;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureInvalid;
 use Tester\Assert;
@@ -124,9 +125,10 @@ final class SecurityTxtSignatureTest extends TestCase
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(verifyThrows: new SecurityTxtCannotVerifySignatureException(null, new SecurityTxtSignatureErrorInfo('msg', 1336, null, null))));
 		$e = Assert::throws(function () use ($signature): void {
 			$signature->verify('gnupg::verify returns invalid array');
-		}, SecurityTxtCannotVerifySignatureException::class);
-		assert($e instanceof SecurityTxtCannotVerifySignatureException);
-		Assert::same('Cannot verify signature: msg; code: 1336, source: <null>, library message: <null>', $e->getMessage());
+		}, SecurityTxtWarning::class);
+		assert($e instanceof SecurityTxtWarning);
+		Assert::type(SecurityTxtSignatureCannotVerify::class, $e->getViolation());
+		Assert::same('The file is digitally signed using an OpenPGP cleartext signature but the signature is damaged and cannot be verified (msg, 1336, <null>, <null>)', $e->getMessage());
 	}