in jvm/src/main/kotlin/com/jetbrains/infra/pgpVerifier/PgpSignaturesVerifier.kt [27:88]
fun verifySignature(
file: Path,
detachedSignatureInputStream: InputStream,
untrustedPublicKeyBundleInputStream: InputStream,
trustedMasterKeyInputStream: InputStream,
) {
val signatures = getSignaturesFromFile(detachedSignatureInputStream)
val untrustedPublicKeyRingCollection = PGPPublicKeyRingCollection(
PGPUtil.getDecoderStream(untrustedPublicKeyBundleInputStream),
JcaKeyFingerprintCalculator()
)
val trustedMasterKey = getTrustedMasterKey(trustedMasterKeyInputStream)
var verified = false
val buf = ByteArray(16384)
for (signature in signatures) {
val signatureCheckError = checkSignatureFormat(signature)
if (signatureCheckError != null) {
logger.info("Signature skipped: $signatureCheckError")
continue
}
val key = untrustedPublicKeyRingCollection.getPublicKey(signature.keyID) ?: continue
val keyCheckError = checkPublicKeyFormat(key)
if (keyCheckError != null) {
logger.info("Key skipped: $keyCheckError")
continue
}
if (!isSubKeyForSigning(key, trustedMasterKey, logger)) {
continue
}
if (isRevoked(key, signature)) {
logger.info("Key (ID:${key.keyID.toKeyIdString()}) was revoked before signature timestamp")
continue
}
signature.init(JcaPGPContentVerifierBuilderProvider().setProvider(bouncyCastleProvider), key)
Files.newInputStream(file).use { stream ->
while (true) {
val bytes = stream.read(buf)
if (bytes < 0) break
signature.update(buf, 0, bytes)
}
}
if (!signature.verify()) {
// No bad signatures are tolerated
error("Signature verification failed for $file")
}
// At this point we verified that
// - our content was indeed signed by untrusted key `key`
// `- key` and `signature` are good enough
// - key is signed by our trusted primary key
// - key was not revoked before making `signature`
verified = true
}
if (!verified) {
error("No keys matched signature for $file")
}
}