authorKees Cook <keescook@chromium.org>2021-10-01 19:57:17 -0700
committerKonstantin Ryabitsev <konstantin@linuxfoundation.org>2021-10-04 16:20:59 -0400
commit4870cf5db4325622ee68f6a47f920e5faea3ffff (patch)
tree71d542687f0ab18dafdd070d1b921cbd2123d310
parent05c27c25caa82f590648ebc8d6a6c56d1d8acc28 (diff)
downloadpatatt-4870cf5db4325622ee68f6a47f920e5faea3ffff.tar.gz
validation: Report lack of signature
If we're trying to cryptographically validate a message, not having a signature is not a success (exit 0). Use a specific return code for this condition and report it. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rw-r--r--patatt/__init__.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/patatt/__init__.py b/patatt/__init__.py
index 85b4778..2e33bce 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -36,6 +36,7 @@ DEVKEY_HDR = b'X-Developer-Key'
# Result and severity levels
RES_VALID = 0
+RES_NOSIG = 4
RES_NOKEY = 8
RES_ERROR = 16
RES_BADSIG = 32
@@ -919,6 +920,7 @@ def validate_message(msgdata: bytes, sources: list, trim_body: bool = False) ->
pm = PatattMessage(msgdata)
if not pm.signed:
logger.debug('message is not signed')
+ attestations.append((RES_NOSIG, None, None, None, None, ['no signatures found']))
return attestations
# Find all identities for which we have public keys
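Review bot: The early return in validate_message for an unsigned message no longer returns an empty list. It now returns one entry whose four middle fields are all None. Any caller that took "no attestations" to mean unsigned, or that formats those fields without a None check, will behave differently, so the callers outside this hunk should be checked. I would document the new contract in the function's docstring and add a comment above the append, for example `# unsigned input yields exactly one RES_NOSIG entry; the identity/key fields are None`. The function body starts before and continues after this hunk, so the rest of the return paths are not visible here.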
@@ -1019,6 +1021,10 @@ def cmd_validate(cmdargs, config: dict):
logger.info(' | key: %s', keysrc)
else:
logger.info(' | key: default GnuPG keyring')
+ elif result <= RES_NOSIG:
+ logger.critical(' NOSIG | %s', fn)
+ for error in errors:
+ logger.critical(' | %s', error)
elif result <= RES_NOKEY:
logger.critical(' NOKEY | %s, %s', identity, fn)
for error in errors:
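Review bot: The specific exit status that the description promises for unsigned input is not set anywhere in this hunk, which only adds the NOSIG logging branch to cmd_validate. Presumably code outside the hunk derives the exit value from the highest result seen, but that should be confirmed with a test that an unsigned message makes the validate command exit with RES_NOSIG. Because 4 is the lowest non-zero level, a wrapper that only compares the exit status against RES_BADSIG would still accept unsigned mail. A comment at the constants would make that explicit, for example `# any non-zero result means the message was NOT validated; callers should test for != RES_VALID`. The `<=` comparison matches the threshold chain around it, so the branch has to stay ahead of the RES_NOKEY branch, as it does here.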