Merge pull request #528 from jku/more-pkcs-error-handling

signer: Handle the "yubikey auth required" case
theupdateframework · Feb 3, 2025 · 8fc209a · 8fc209a
2 parents b90391f + 0df997b
commit 8fc209a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/signer/pyproject.toml b/signer/pyproject.toml
@@ -36,6 +36,7 @@ python_version = "3.9"
 [[tool.mypy.overrides]]
 module = [
   "securesystemslib.*",
+  "PyKCS11.*",
 ]
 ignore_missing_imports = "True"
 

diff --git a/signer/tuf_on_ci_sign/_signer_repository.py b/signer/tuf_on_ci_sign/_signer_repository.py
@@ -15,6 +15,7 @@
 from enum import Enum, unique
 
 import click
+from PyKCS11 import CKR_USER_NOT_LOGGED_IN, PyKCS11Error
 from securesystemslib.exceptions import UnverifiedSignatureError
 from securesystemslib.formats import encode_canonical
 from securesystemslib.hash import digest
@@ -289,7 +290,14 @@ def _sign(self, role: str, md: Metadata, key: Key) -> None:
                 self.user.set_signer(key, signer)
                 break
             except UnsignedMetadataError as e:
-                print(f"Failed to sign {role} with {self.user.name} key.\n    {e}")
+                # Very light error handling for specific PKCS11 errors
+                msg = str(e)
+                if isinstance(e.__context__, PyKCS11Error):
+                    pkcs_err = e.__context__
+                    if pkcs_err.value == CKR_USER_NOT_LOGGED_IN:
+                        msg = "Required authentication (e.g. touch) did not happpen"
+
+                print(f"Failed to sign {role} with {self.user.name} key:\n    {msg}")
                 logger.debug("Sign traceback", exc_info=True)
             except UnverifiedSignatureError as e:
                 print(