address review: reject key extraction when GPG verification fails

2026-05-07 08:54:23 +00:00 · 2026-04-24 15:33:13 -07:00
parent f0ed8e34d3
commit f32194a58b
1 changed files with 12 additions and 5 deletions
--- a/RELEASING/verify_release.py
+++ b/RELEASING/verify_release.py
@@ -100,6 +100,18 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
        )
        output = result.stderr.decode()

+    # If the signature was not actually verified, do not trust the key ID or
+    # email pulled from signature metadata — returning them would let the
+    # caller report the release as "verified" when GPG never validated it.
+    if result.returncode != 0 or "Good signature" not in output:
+        print("Warning: GPG could not verify the signature.")
+        if "No public key" in output:
+            print(
+                "Hint: public key is not in your keyring. Import it with:\n"
+                f"  curl -s {KEYS_URL} | gpg --import"
+            )
+        return None, None
+
    rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
    eddsa_key = re.search(r"EDDSA key ([0-9A-F]+)", output)

@@ -129,11 +141,6 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
        print(f"Email found: {email_result}")
    else:
        print("Warning: No email address found in GPG verification output.")
-        if "No public key" in output:
-            print(
-                "Hint: public key is not in your keyring. Import it with:\n"
-                f"  curl -s {KEYS_URL} | gpg --import"
-            )

    return key_result, email_result