From 0df997b5eaae62bb3517b774d1aef8360f5b361d Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 24 Jan 2025 11:30:39 +0200
Subject: [PATCH] signer: Handle the "yubikey auth required" case

There is now light infrastructure for handling PKCS errors... I'm only handling the one that seems to trip people up since there are so many possible errors: we can't possibly do a good job of handling all of them.
---
 signer/pyproject.toml | 1 +
 signer/tuf_on_ci_sign/_signer_repository.py | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/signer/pyproject.toml b/signer/pyproject.toml
index 9d5c99d..d4be66b 100644
--- a/signer/pyproject.toml
+++ b/signer/pyproject.toml
@@ -36,6 +36,7 @@ python_version = "3.9"
 [[tool.mypy.overrides]]
 module = [
 "securesystemslib.*",
+ "PyKCS11.*",
 ]
 ignore_missing_imports = "True"
diff --git a/signer/tuf_on_ci_sign/_signer_repository.py b/signer/tuf_on_ci_sign/_signer_repository.py
index b9bcd30..d7d5415 100644
--- a/signer/tuf_on_ci_sign/_signer_repository.py
+++ b/signer/tuf_on_ci_sign/_signer_repository.py
@@ -15,6 +15,7 @@ from enum import Enum, unique
 import click
+from PyKCS11 import CKR_USER_NOT_LOGGED_IN, PyKCS11Error
 from securesystemslib.exceptions import UnverifiedSignatureError
 from securesystemslib.formats import encode_canonical
 from securesystemslib.hash import digest
@@ -289,7 +290,14 @@ def _sign(self, role: str, md: Metadata, key: Key) -> None:
 self.user.set_signer(key, signer)
 break
 except UnsignedMetadataError as e:
- print(f"Failed to sign {role} with {self.user.name} key.\n {e}")
+ # Very light error handling for specific PKCS11 errors
+ msg = str(e)
+ if isinstance(e.__context__, PyKCS11Error):
+ pkcs_err = e.__context__
+ if pkcs_err.value == CKR_USER_NOT_LOGGED_IN:
+ msg = "Required authentication (e.g. touch) did not happpen"
+
+ print(f"Failed to sign {role} with {self.user.name} key:\n {msg}")
 logger.debug("Sign traceback", exc_info=True)
 except UnverifiedSignatureError as e:
 print(
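Review bot: The user-facing string added in the `_sign` hunk of `_signer_repository.py` has a typo, `happpen`; change it to `msg = "Required authentication (e.g. touch) did not happen"`. The match also inspects only `e.__context__` one level up, so if the `PyKCS11Error` is wrapped more than once before it reaches `UnsignedMetadataError` the generic `str(e)` path is taken silently; walking the `__cause__`/`__context__` chain until a `PyKCS11Error` is found would make the check robust to intermediate wrapping, which I cannot confirm from the hunk. The new top-level `from PyKCS11 import CKR_USER_NOT_LOGGED_IN, PyKCS11Error` in the import hunk makes PyKCS11 a hard import-time requirement for the whole module even though `pyproject.toml` gains only a mypy override and no dependency entry; if PyKCS11 is only an optional extra of securesystemslib, importing it inside the except branch or guarding with `except ImportError` would keep non-HSM signing paths working. `_sign` starts and ends outside the hunk.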