openpgp: prevent panic for missing self-signature #99
Conversation
|
Hey 👋 Thanks for catching this! I agree this is an issue, that was introduced by not considering revocation signatures as self-signatures anymore (and storing them separately), but still accepting User IDs with only a revocation signature; breaking the assumption that all Identities have a SelfSignature. However, I think there are a few other places that have this assumption - for example, in |
|
Thanks for the feedback! I did not check this, I was in fact mostly trying to mitigate an issue I was encountering in the wild, I wasn't aware of the background. I can look into this and put a similar check in place in other places where I find this. |
|
👍 Thanks! That would be great 🙏 |
Since revocation signatures are not considered self-signatures anymore, but identities can potentially only have a revocation signature, there can be identities without self-signature (i.e. `id.SelfSignature == nil`). Hence, guard against null pointer dereference in the various places where the self-signature is accessed.
Co-authored-by: Conrad Hoffmann <1226676+bitfehler@users.noreply.github.com>
It contains a fix [1] that will prevent a panic that we observed happening in production. [1] ProtonMail/go-crypto#99
There can be public keys where an identity has no self-signature. Since
the order of identities as tested against
shouldPreferIdentityisunstable (due to being based on a map iteration), such a situation leads
to a panic in a certain percentage of runs.
Avoid the panic by preferring the potential new identity. This can still
lead to unusable results, but they will returned as a proper error,
allowing an application to handle it.