Add signature and file parameters to verify for detached signatures verification

[wiktor-k]

This PR adds two parameters to verify that can be used interchangeably:

• signature - for holding a detached signature, when this is given the bytes parameter is considered raw data for verification (instead of an OpenPGP message).
• file - used instead of bytes for passing file name. This is especially useful for large files that would have to be loaded in memory when using bytes.

Fixes: #42

[wiktor-k]

@jinnatar I wonder if it'd be possible for you to test this PR with your code? I'd rather wait for your "ack" that this is exactly what you need before merging 😅

I'm happy to provide build instructions if necessary.

[jinnatar]

There's probably something I'm slightly misunderstanding and is not clarified by the updated examples. I can't seem to be able to pass the output of Sig.from_file as the argument signature because:

TypeError: argument 'signature': 'Sig' object cannot be converted to 'PyBytes'

Full sample code:
(edit: for anyone stumbling upon this later from searches, this is a simplified repro of what I'm actually trying to do with PyInfra, but that takes setup so this is the dumb simplified version)

import os

import requests
from pysequoia import Cert, Sig, verify

base = "sigtest-artefacts/"
os.makedirs(base, exist_ok=True)

artefacts = [
    "https://openbao.org/assets/openbao-gpg-pub-20240618.asc",
    "https://github.com/openbao/openbao/releases/download/v2.2.1/bao_2.2.1_linux_amd64.deb.gpgsig",
    "https://github.com/openbao/openbao/releases/download/v2.2.1/bao_2.2.1_linux_amd64.deb",
]

for artefact in artefacts:
    filename = artefact.split("/")[-1]
    if not os.path.isfile(base + filename):
        with open(base + filename, "wb") as f, requests.get(artefact) as response:
            f.write(response.content)


def get_certs(key_ids):
    # key_ids is an array of required signing keys
    print(f"For verification, we need these keys: {key_ids}")
    return [cert]


cert = Cert.from_file(base + "openbao-gpg-pub-20240618.asc")
signature = Sig.from_file(base + "bao_2.2.1_linux_amd64.deb.gpgsig")

result = verify(
    file=base + "bao_2.2.1_linux_amd64.deb", store=get_certs, signature=signature
)
print(result.valid_sigs)

[wiktor-k]

Oh, good point 😅 the existing code would take just a byte array but using Sig would be better. I'll adjust it (but it may take a while due to holiday season here).

Thanks for testing. This is highly valuable!

[wiktor-k]

Okay, I've adjusted the code to take a Sig object. I've used the code example that you posted for verification (and fixed a couple of typos, see editing history). It should work now 🤞

If you could verify this again it'd be very happy 🙏

[jinnatar]

Yup, that's now working in a way that is logical at least to me, and allows me to implement what I was looking for!

Thanks!

[wiktor-k]

That's great! I'll let it sit for a couple of days and release a new version. Thanks for help!