Fix openpgp.MessageDetails footguns #92

Open
emersion opened this issue Dec 4, 2021 · 1 comment

emersion commented Dec 4, 2021

openpgp.MessageDetails is very easy to mis-use.

Ref emersion/go-pgpmail#5

twiss (Member) commented Dec 23, 2021

Hey 👋 Yeah, I agree. One thing we could do, in a relatively backward-compatible way, is add a new IsVerified property, which would be set to true after the body has been read and the signature has been successfully verified. That would offer a more explicit and indeed less error-prone way to check signature verification. Other suggestions and/or a PR would be welcome 😊

emersion added a commit to emersion/go-crypto that referenced this issue Jan 7, 2022
It's invalid for library users to look at MessageDetails.SignatureError
before the OpenPGP message is fully read. Populate it with an error
(cleared once the message is fully read).

This is technically a breaking change, but code looking at
SignatureError before the full message is read is broken anyways.

References: ProtonMail#92
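
Added example, not part of the thread and not go-crypto code: a standard-library Go model of the behaviour the commit message describes, where `SignatureError` holds a placeholder error until `UnverifiedBody` has been read to EOF, plus a wrapper that enforces the read-then-check order. `Details`, `Open`, `ReadVerified` and both error values are hypothetical names, and a SHA-256 comparison stands in for OpenPGP signature verification.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

var ErrNotFullyRead = errors.New("signature not checked: body not fully read")
var ErrBadSignature = errors.New("signature mismatch")

// Details is a hypothetical stand-in for openpgp.MessageDetails.
type Details struct {
	UnverifiedBody io.Reader
	SignatureError error // settled only once UnverifiedBody reaches EOF
}

type readerFunc func([]byte) (int, error)
func (f readerFunc) Read(p []byte) (int, error) { return f(p) }

// Open models a message; a SHA-256 comparison stands in for signature verification.
func Open(signed, received []byte) *Details {
	d := &Details{SignatureError: ErrNotFullyRead} // placeholder instead of nil
	src, h, want := bytes.NewReader(received), sha256.New(), sha256.Sum256(signed)
	d.UnverifiedBody = readerFunc(func(p []byte) (int, error) {
		n, err := src.Read(p)
		h.Write(p[:n]) // the check can only finish once every byte is hashed
		if err == io.EOF && bytes.Equal(h.Sum(nil), want[:]) {
			d.SignatureError = nil
		} else if err == io.EOF {
			d.SignatureError = ErrBadSignature
		}
		return n, err
	})
	return d
}

// ReadVerified drains the body and only then consults SignatureError.
func ReadVerified(d *Details) ([]byte, error) {
	body, err := io.ReadAll(d.UnverifiedBody)
	if err != nil || d.SignatureError != nil {
		return nil, errors.Join(err, d.SignatureError)
	}
	return body, nil
}

func main() { fmt.Println(ReadVerified(Open([]byte("constructed body"), []byte("constructed b0dy")))) }
```

With the real package the same ordering applies to the `UnverifiedBody` and `SignatureError` fields of the `MessageDetails` returned by `openpgp.ReadMessage`.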