From f32194a58bb0e9b64ca0babbb371fd453caa37b4 Mon Sep 17 00:00:00 2001
From: Evan Rusackas
Date: Fri, 24 Apr 2026 15:33:13 -0700
Subject: [PATCH] address review: reject key extraction when GPG verification fails

---
 RELEASING/verify_release.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/RELEASING/verify_release.py b/RELEASING/verify_release.py
index 9e0347bc146..e69f5c1ddf2 100755
--- a/RELEASING/verify_release.py
+++ b/RELEASING/verify_release.py
@@ -100,6 +100,18 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
     )
     output = result.stderr.decode()
 
+    # If the signature was not actually verified, do not trust the key ID or
+    # email pulled from signature metadata — returning them would let the
+    # caller report the release as "verified" when GPG never validated it.
+    if result.returncode != 0 or "Good signature" not in output:
+        print("Warning: GPG could not verify the signature.")
+        if "No public key" in output:
+            print(
+                "Hint: public key is not in your keyring. Import it with:\n"
+                f"  curl -s {KEYS_URL} | gpg --import"
+            )
+        return None, None
+
     rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
     eddsa_key = re.search(r"EDDSA key ([0-9A-F]+)", output)
 
@@ -129,11 +141,6 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
         print(f"Email found: {email_result}")
     else:
         print("Warning: No email address found in GPG verification output.")
-    if "No public key" in output:
-        print(
-            "Hint: public key is not in your keyring. Import it with:\n"
-            f"  curl -s {KEYS_URL} | gpg --import"
-        )
 
     return key_result, email_result
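Review bot: The new guard decides "verified" by matching the localized, human-readable string `"Good signature"` in stderr, so under a non-English locale (or a wording change in a future gpg) a genuinely valid signature is rejected, and it is worth confirming whether gpg still prints that phrase for an expired or revoked signing key, which this check would then accept. Since the gpg invocation sits just above the hunk, the robust form is to request machine-readable status — add `"--status-fd", "1"` to the argument list (or run it with `LC_ALL=C`) — and test that instead, e.g. `if result.returncode != 0 or "[GNUPG:] GOODSIG" not in result.stdout.decode():`, keeping the stderr text only for the `"No public key"` hint; `EXPKEYSIG`/`REVKEYSIG` lines then distinguish the cases the prose output does not. The explanatory comment on the guard is accurate and should stay with whichever check is used. The rest of get_gpg_info, including the subprocess.run call and the key-ID parsing, lies outside the hunk.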