Validate the security.txt file even when the GPG signature is damaged #45

Merged
spaze merged 1 commit into main from spaze/signature-verify-fail-still-validate
Dec 6, 2025

@spaze spaze commented Dec 6, 2025

Close #43

@spaze spaze self-assigned this Dec 6, 2025
Copilot AI review requested due to automatic review settings December 6, 2025 17:04
Copilot AI left a comment

Pull request overview

This PR addresses issue #43 by converting SecurityTxtCannotVerifySignatureException from a hard error that stops validation into a warning that allows validation to continue. This enables the security.txt file to be validated even when the GPG signature is damaged or cannot be verified.

Key changes:

  • New SecurityTxtSignatureCannotVerify violation class to represent damaged signatures as warnings
  • Exception message format simplified from labeled format to comma-separated format
  • Exception handling updated to catch and convert signature verification failures to warnings

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/Violations/SecurityTxtSignatureCannotVerify.php | New violation class for damaged signatures that cannot be verified |
| src/Signature/SecurityTxtSignature.php | Catches SecurityTxtCannotVerifySignatureException and converts to warning; removes exception from PHPDoc |
| src/Signature/Exceptions/SecurityTxtSignatureErrorInfoException.php | Refactors error message formatting to use comma-separated format; adds public getErrorInfoMessage() method |
| src/Parser/SecurityTxtParser.php | Removes SecurityTxtCannotVerifySignatureException from PHPDoc |
| src/Check/SecurityTxtCheckHost.php | Removes SecurityTxtCannotVerifySignatureException from PHPDoc |
| src/Check/SecurityTxtCheckHostCli.php | Removes SecurityTxtCannotVerifySignatureException from catch block |
| tests/Signature/SecurityTxtSignatureTest.phpt | Updates tests to expect warning instead of exception; updates error message format expectations |
| tests/Signature/Providers/SecurityTxtSignatureGnuPgProviderTest.phpt | Updates error message format expectations |
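
The behaviour described in the overview above, sketched as an added PHP example that is not the project's own code: a signature that cannot be verified becomes a warning, the result still records that nothing was verified, and the field checks run anyway. The class, function and message names are hypothetical, the sample file is constructed, and the Contact and Expires checks assume the required fields of RFC 9116.

```php
<?php
declare(strict_types=1);

// Hypothetical exception: thrown when the signature cannot be verified.
final class SignatureUnverifiableException extends RuntimeException {}

// Hypothetical validator; $verify is any callable that throws the exception above.
function validateSecurityTxt(string $contents, callable $verify, DateTimeImmutable $now): array
{
    $result = ['signatureVerified' => false, 'warnings' => [], 'errors' => []];
    if (str_contains($contents, '-----BEGIN PGP SIGNED MESSAGE-----')) {
        try {
            $verify($contents);
            $result['signatureVerified'] = true;
        } catch (SignatureUnverifiableException $e) {
            // Downgraded to a warning; signatureVerified stays false so callers
            // cannot mistake the file for a validly signed one.
            $result['warnings'][] = 'Signature cannot be verified: ' . $e->getMessage();
        }
    }
    // Field checks run regardless of the signature outcome.
    $fields = [];
    foreach (preg_split('/\R/', $contents) ?: [] as $line) {
        if (preg_match('/^([A-Za-z-]+):\s*(.+)$/', $line, $m) === 1) {
            $fields[strtolower($m[1])][] = trim($m[2]);
        }
    }
    if (!isset($fields['contact'])) {
        $result['errors'][] = 'Contact field is missing';
    }
    $expires = isset($fields['expires']) ? date_create_immutable($fields['expires'][0]) : null;
    if ($expires === null) {
        $result['errors'][] = 'Expires field is missing';
    } elseif ($expires === false) {
        $result['errors'][] = 'Expires field has an invalid date';
    } elseif ($expires < $now) {
        $result['errors'][] = 'The file has expired';
    }
    return $result;
}

// Constructed sample: damaged signature block and an expired Expires value.
$sample = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
    . "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
    . "-----BEGIN PGP SIGNATURE-----\n(damaged)\n-----END PGP SIGNATURE-----\n";
$damaged = static function (string $c): void {
    throw new SignatureUnverifiableException('constructed failure');
};
print_r(validateSecurityTxt($sample, $damaged, new DateTimeImmutable('2025-12-06')));
```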

@spaze spaze force-pushed the spaze/signature-verify-fail-still-validate branch from 94d16d3 to b2da1e5 Compare December 6, 2025 17:33
Copilot AI review requested due to automatic review settings December 6, 2025 17:39
@spaze spaze force-pushed the spaze/signature-verify-fail-still-validate branch from b2da1e5 to 917e57b Compare December 6, 2025 17:39
Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.


@spaze spaze merged commit 46e57c5 into main Dec 6, 2025
22 checks passed
@spaze spaze deleted the spaze/signature-verify-fail-still-validate branch December 6, 2025 17:47
Development

Successfully merging this pull request may close these issues.

When GPG validation fails, the rest of the file is not validated

2 participants