Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Populate MessageDetails.SignatureError when unverified #94

Closed
wants to merge 1 commit into from
Closed

Populate MessageDetails.SignatureError when unverified #94

wants to merge 1 commit into from

Conversation

emersion
Copy link

@emersion emersion commented Jan 7, 2022

It's invalid for library users to look at MessageDetails.SignatureError
before the OpenPGP message is fully read. Populate it with an error
(cleared once the message is fully read).

This is technically a breaking change, but code looking at
SignatureError before the full message is read is broken anyways.

References: #92

@emersion
Populate MessageDetails.SignatureError when unverified
736fcae 
It's invalid for library users to look at MessageDetails.SignatureError
before the OpenPGP message is fully read. Populate it with an error
(cleared once the message is fully read).

This is technically a breaking change, but code looking at
SignatureError before the full message is read is broken anyways.

References: ProtonMail#92
@emersion
Copy link
Author

Hi @twiss, did you have the chance to have a look at this patch?

@twiss
Copy link
Member

twiss commented Jan 17, 2022

Hi @emersion, sorry for the delay, and thanks for the PR!

The patch looks reasonable, the only thing I dislike about it is that it sets an error when the message is signed and unverified, but not when the message is unsigned (and thus also unverified). The former is not necessarily worse than the latter, so that seems non-ideal to me.

My proposal in #92 to add an IsVerified property would be symmetric across these two scenarios, but another way to do this would be to also add a "not signed" error, for example, so that IsVerified would be equivalent to SignatureError == nil. However, IsVerified seems simpler to me (compared to setting an error on initialization), also because it defaults to false (which is what we want) without any extra work.

@emersion
Copy link
Author

I don't like IsVerified because this is yet another bit in MessageDetails which users can forget to check and/or misunderstand.

@twiss
Copy link
Member

twiss commented Feb 8, 2022

Hey 👋 Sorry for the delay.
It shouldn't be "yet another bit to check", it should be the only bit to check, if what you care about is whether a signature was verified 😅 I.e. md.IsVerified would replace md.SignedBy != nil && md.SignatureError != nil (in your proposal) which in turn replaces md.SignedBy != nil && md.SignatureError != nil && (message has been read).
In my opinion, having an IsVerified property is also clearer than having an API contract about which properties to check in order to make sure that the message has been verified, if that makes sense.

@emersion
Copy link
Author

emersion commented Apr 5, 2022

In short:

  • "We have too many confusing fields in this struct, users can't easily tell which one to use."
  • "Let's add a new one to fix that!"

Which sounds not too great from a security PoV. Anyways, I'm no longer interested in fixing this library.

@emersion emersion closed this Apr 5, 2022
@emersion emersion deleted the unread-msg-sig-error branch April 5, 2022 06:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@emersion @twiss