Validate the security.txt file even when the GPG signature is damaged

Close #43

Author: spaze

src/Check/SecurityTxtCheckHost.php

@@ -17,7 +17,6 @@
 use Spaze\SecurityTxt\Fetcher\SecurityTxtFetcher;
 use Spaze\SecurityTxt\Parser\SecurityTxtParser;
 use Spaze\SecurityTxt\Parser\SecurityTxtUrlParser;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 use Spaze\SecurityTxt\Violations\SecurityTxtSpecViolation;
 
 final class SecurityTxtCheckHost
@@ -86,7 +85,6 @@ public function __construct(
 	 * @throws SecurityTxtOnlyIpv6HostButIpv6DisabledException
 	 * @throws SecurityTxtHostIpAddressInvalidTypeException
 	 * @throws SecurityTxtHostIpAddressNotFoundException
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	public function check(string $url, ?int $expiresWarningThreshold = null, bool $strictMode = false, bool $requireTopLevelLocation = false, bool $noIpv6 = false): SecurityTxtCheckHostResult
 	{

src/Check/SecurityTxtCheckHostCli.php

@@ -5,7 +5,6 @@
 
 use DateTimeImmutable;
 use Spaze\SecurityTxt\Fetcher\Exceptions\SecurityTxtFetcherException;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 
 final readonly class SecurityTxtCheckHostCli
 {
@@ -120,7 +119,7 @@ function (string $keyFingerprint, DateTimeImmutable $signatureDate): void {
 			} else {
 				$this->exit(CheckExitStatus::Ok);
 			}
-		} catch (SecurityTxtFetcherException | SecurityTxtCannotVerifySignatureException $e) {
+		} catch (SecurityTxtFetcherException $e) {
 			$this->consolePrinter->error($e->getMessage());
 			$this->exit(CheckExitStatus::FileError);
 		}

src/Parser/SecurityTxtParser.php

@@ -23,7 +23,6 @@
 use Spaze\SecurityTxt\Parser\FieldProcessors\PreferredLanguagesSetFieldValue;
 use Spaze\SecurityTxt\SecurityTxt;
 use Spaze\SecurityTxt\SecurityTxtValidationLevel;
-use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtCannotVerifySignatureException;
 use Spaze\SecurityTxt\Signature\SecurityTxtSignature;
 use Spaze\SecurityTxt\Validator\SecurityTxtValidator;
 use Spaze\SecurityTxt\Violations\SecurityTxtLineNoEol;
@@ -109,9 +108,6 @@ private function processField(int $lineNumber, string $value, SecurityTxtField $
 	}
 
 
-	/**
-	 * @throws SecurityTxtCannotVerifySignatureException
-	 */
 	public function parseString(string $contents, ?string $fileLocation = null, ?int $expiresWarningThreshold = null, bool $strictMode = false): SecurityTxtParseStringResult
 	{
 		$this->expiresWarningThreshold = $expiresWarningThreshold;
@@ -168,9 +164,6 @@ public function parseString(string $contents, ?string $fileLocation = null, ?int
 	}
 
 
-	/**
-	 * @throws SecurityTxtCannotVerifySignatureException
-	 */
 	public function parseFetchResult(SecurityTxtFetchResult $fetchResult, ?int $expiresWarningThreshold = null, bool $strictMode = false): SecurityTxtParseHostResult
 	{
 		$parseResult = $this->parseString($fetchResult->getContents(), $fetchResult->getFinalUrl(), $expiresWarningThreshold, $strictMode);
@@ -184,7 +177,6 @@ public function parseFetchResult(SecurityTxtFetchResult $fetchResult, ?int $expi
 
 	/**
 	 * @param int<1, max> $lineNumber
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	private function checkSignature(int $lineNumber, string $line, string $contents, SecurityTxt $securityTxt): SecurityTxt
 	{

src/Signature/Exceptions/SecurityTxtSignatureErrorInfoException.php

@@ -9,17 +9,24 @@
 abstract class SecurityTxtSignatureErrorInfoException extends SecurityTxtSignatureException
 {
 
-	public function __construct(string $message, SecurityTxtSignatureErrorInfo $errorInfo, ?Throwable $previous = null)
+	public function __construct(
+		string $message,
+		private readonly SecurityTxtSignatureErrorInfo $errorInfo,
+		?Throwable $previous = null,
+	) {
+		parent::__construct("{$message}: " . $this->getErrorInfoMessage(), $this->errorInfo->getCode() ?? 0, previous: $previous);
+	}
+
+
+	public function getErrorInfoMessage(): string
 	{
-		$message = sprintf(
-			'%s: %s; code: %s, source: %s, library message: %s',
-			$message,
-			$errorInfo->getMessage() === false ? '<false>' : ($errorInfo->getMessage() === null ? '<null>' : $errorInfo->getMessage()),
-			$errorInfo->getCode() ?? '<null>',
-			$errorInfo->getSource() ?? '<null>',
-			$errorInfo->getLibraryMessage() ?? '<null>',
+		return sprintf(
+			'%s, %s, %s, %s',
+			$this->errorInfo->getMessage() === false ? '<false>' : ($this->errorInfo->getMessage() === null ? '<null>' : $this->errorInfo->getMessage()),
+			$this->errorInfo->getCode() ?? '<null>',
+			$this->errorInfo->getSource() ?? '<null>',
+			$this->errorInfo->getLibraryMessage() ?? '<null>',
 		);
-		parent::__construct($message, $errorInfo->getCode() ?? 0, previous: $previous);
 	}
 
 }

src/Signature/SecurityTxtSignature.php

@@ -15,6 +15,7 @@
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnknownSigningKeyException;
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnusableSigningKeyException;
 use Spaze\SecurityTxt\Signature\Providers\SecurityTxtSignatureProvider;
+use Spaze\SecurityTxt\Violations\SecurityTxtSignatureCannotVerify;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureExtensionNotLoaded;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureInvalid;
 
@@ -37,14 +38,15 @@ public function __construct(private SecurityTxtSignatureProvider $signatureProvi
 	/**
 	 * @throws SecurityTxtError
 	 * @throws SecurityTxtWarning
-	 * @throws SecurityTxtCannotVerifySignatureException
 	 */
 	public function verify(string $contents): SecurityTxtSignatureVerifyResult
 	{
 		try {
 			$signature = $this->signatureProvider->verify($contents);
 		} catch (SecurityTxtCannotCreateSignatureExtensionNotLoadedException $e) {
 			throw new SecurityTxtWarning(new SecurityTxtSignatureExtensionNotLoaded(), $e);
+		} catch (SecurityTxtCannotVerifySignatureException $e) {
+			throw new SecurityTxtWarning(new SecurityTxtSignatureCannotVerify($e->getErrorInfoMessage()), $e);
 		}
 
 		if (!$this->isSignatureKindaOkay($signature->getSummary())) {

src/Violations/SecurityTxtSignatureCannotVerify.php

@@ -0,0 +1,23 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\SecurityTxt\Violations;
+
+final class SecurityTxtSignatureCannotVerify extends SecurityTxtSpecViolation
+{
+
+	public function __construct(string $message)
+	{
+		parent::__construct(
+			func_get_args(),
+			"The file is digitally signed using an OpenPGP cleartext signature but the signature is damaged and cannot be verified ({$message})",
+			[],
+			'draft-foudil-securitytxt-01',
+			null,
+			'Sign the file again',
+			[],
+			'2.3',
+		);
+	}
+
+}

tests/Signature/Providers/SecurityTxtSignatureGnuPgProviderTest.phpt

@@ -62,7 +62,7 @@ final class SecurityTxtSignatureGnuPgProviderTest extends TestCase
 			$gnuPg->verify('fifteen hundred and seven systems in one day');
 		}, SecurityTxtCannotVerifySignatureException::class);
 		assert($e instanceof SecurityTxtCannotVerifySignatureException);
-		Assert::same('Cannot verify signature: verify failed; code: 117440570, source: GPGME, library message: No data', $e->getMessage());
+		Assert::same('Cannot verify signature: verify failed, 117440570, GPGME, No data', $e->getMessage());
 		$errorInfo = $gnuPg->getErrorInfo();
 		Assert::same('verify failed', $errorInfo->getMessage());
 	}

tests/Signature/SecurityTxtSignatureTest.phpt

@@ -20,6 +20,7 @@ use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtSigningKeyNoPassphraseSetE
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnknownSigningKeyException;
 use Spaze\SecurityTxt\Signature\Exceptions\SecurityTxtUnusableSigningKeyException;
 use Spaze\SecurityTxt\Signature\Providers\SecurityTxtSignatureProvider;
+use Spaze\SecurityTxt\Violations\SecurityTxtSignatureCannotVerify;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureExtensionNotLoaded;
 use Spaze\SecurityTxt\Violations\SecurityTxtSignatureInvalid;
 use Tester\Assert;
@@ -54,22 +55,22 @@ final class SecurityTxtSignatureTest extends TestCase
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(addSignKeyReturnValue: false, errorInfo: new SecurityTxtSignatureErrorInfo(false, 31336, 'unusable key source', 'unusable key lib error')));
 		Assert::throws(function () use ($signature): void {
 			$signature->sign('foo', 'unusable sign key', 'irrelevant');
-		}, SecurityTxtUnusableSigningKeyException::class, 'Unusable signing key unusable sign key: <false>; code: 31336, source: unusable key source, library message: unusable key lib error', 31336);
+		}, SecurityTxtUnusableSigningKeyException::class, 'Unusable signing key unusable sign key: <false>, 31336, unusable key source, unusable key lib error', 31336);
 
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(addSignKeyReturnValue: false, errorInfo: new SecurityTxtSignatureErrorInfo('unusable key', 31336, 'unusable key source', 'unusable key lib error')));
 		Assert::throws(function () use ($signature): void {
 			$signature->sign('foo', 'unusable sign key', 'irrelevant');
-		}, SecurityTxtUnusableSigningKeyException::class, 'Unusable signing key unusable sign key: unusable key; code: 31336, source: unusable key source, library message: unusable key lib error', 31336);
+		}, SecurityTxtUnusableSigningKeyException::class, 'Unusable signing key unusable sign key: unusable key, 31336, unusable key source, unusable key lib error', 31336);
 
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(addSignKeyReturnValue: true, errorInfo: new SecurityTxtSignatureErrorInfo(false, 1, 'sign source', 'sign lib error'), signReturnValue: false));
 		Assert::throws(function () use ($signature): void {
 			$signature->sign('foo', 'sign key 1', 'passphrase');
-		}, SecurityTxtCannotCreateSignatureException::class, 'Cannot create a signature using key sign key 1: <false>; code: 1, source: sign source, library message: sign lib error');
+		}, SecurityTxtCannotCreateSignatureException::class, 'Cannot create a signature using key sign key 1: <false>, 1, sign source, sign lib error');
 
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(addSignKeyReturnValue: true, errorInfo: new SecurityTxtSignatureErrorInfo('sign error', 1, 'sign source', 'sign lib error'), signReturnValue: false));
 		Assert::throws(function () use ($signature): void {
 			$signature->sign('foo', 'sign key 1', 'passphrase');
-		}, SecurityTxtCannotCreateSignatureException::class, 'Cannot create a signature using key sign key 1: sign error; code: 1, source: sign source, library message: sign lib error');
+		}, SecurityTxtCannotCreateSignatureException::class, 'Cannot create a signature using key sign key 1: sign error, 1, sign source, sign lib error');
 
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(addSignKeyReturnValue: true, signReturnValue: 'signed'));
 		Assert::same('signed', $signature->sign('foo', 'multiple add', 'passphrase'));
@@ -124,9 +125,10 @@ final class SecurityTxtSignatureTest extends TestCase
 		$signature = new SecurityTxtSignature($this->getSignatureProvider(verifyThrows: new SecurityTxtCannotVerifySignatureException(null, new SecurityTxtSignatureErrorInfo('msg', 1336, null, null))));
 		$e = Assert::throws(function () use ($signature): void {
 			$signature->verify('gnupg::verify returns invalid array');
-		}, SecurityTxtCannotVerifySignatureException::class);
-		assert($e instanceof SecurityTxtCannotVerifySignatureException);
-		Assert::same('Cannot verify signature: msg; code: 1336, source: <null>, library message: <null>', $e->getMessage());
+		}, SecurityTxtWarning::class);
+		assert($e instanceof SecurityTxtWarning);
+		Assert::type(SecurityTxtSignatureCannotVerify::class, $e->getViolation());
+		Assert::same('The file is digitally signed using an OpenPGP cleartext signature but the signature is damaged and cannot be verified (msg, 1336, <null>, <null>)', $e->getMessage());
 	}