Report different key validation failure cases to user in securedrop-a…

…dmin.
freedomofpress · Sep 11, 2023 · a5b9edf · a5b9edf
1 parent 941d2e7
commit a5b9edf
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
@@ -599,11 +599,23 @@ def validate_gpg_keys(self) -> bool:
                 )
             except subprocess.CalledProcessError as e:
                 sdlog.debug(e.output)
-                raise FingerprintException(
-                    f"fingerprint {fingerprint} "
-                    + "does not match "
-                    + f"the public key {public_key}"
-                )
+                message = f"{fingerprint}: Fingerprint validation failed"
+
+                # The validation script returns different error codes depending on what
+                # the cause of the validation failure was. See `admin/bin/validate-gpg-key.sh`
+                if e.returncode == 1:
+                    message = (
+                        f"fingerprint {fingerprint} does not match "
+                        + f"the public key {public_key}"
+                    )
+                elif e.returncode == 2:
+                    message = (
+                        f"fingerprint {fingerprint} "
+                        + "failed sq-keyring-linter check. You may be using an older key that "
+                        + "needs to be updated. Please contact your SecureDrop administrator, or "
+                        + "https://support.freedom.press for assistance."
+                    )
+                raise FingerprintException(message)
         return True
 
     def validate_journalist_alert_email(self) -> bool:

diff --git a/admin/tests/test_securedrop-admin.py b/admin/tests/test_securedrop-admin.py
@@ -716,6 +716,21 @@ def test_validate_gpg_key(self, tmpdir, caplog):
                 site_config.validate_gpg_keys()
             assert "FAIL does not match" in str(e)
 
+        # Test a key with matching fingerprint but that fails sq-keyring-linter
+        invalid_config = {
+            # Correct key fingerprint but weak 1024-bit RSA key with SHA-1 self signature
+            "securedrop_app_gpg_public_key": "weak_test_key_should_fail_sqlinter.asc",
+            "securedrop_app_gpg_fingerprint": "40F1C17B7E7826DAB40B14AE7786B000E6D0A76E",
+            "ossec_alert_gpg_public_key": "test_journalist_key.pub",
+            "ossec_gpg_fpr": "65A1B5FF195B56353CC63DFFCC40EF1228271441",
+            "journalist_alert_gpg_public_key": "test_journalist_key.pub",
+            "journalist_gpg_fpr": "65A1B5FF195B56353CC63DFFCC40EF1228271441",
+        }
+        site_config.config = invalid_config
+        with pytest.raises(securedrop_admin.FingerprintException) as e:
+            site_config.validate_gpg_keys()
+        assert "failed sq-keyring-linter check" in str(e)
+
     def test_journalist_alert_email(self, tmpdir):
         args = argparse.Namespace(
             site_config="INVALID",