def action_signatures_are_correct(app_configs, **kwargs):
    errors = []
    try:
        Action = apps.get_model("recipes", "Action")
        # pre-fetch signatures, to avoid race condition with deleted signatures
        signed_actions = list(
            Action.objects.exclude(signature=None).select_related("signature"))
    except (ProgrammingError, OperationalError, ImproperlyConfigured) as e:
        msg = f"Could not retrieve actions: f{e}"
        errors.append(Info(msg, id=INFO_COULD_NOT_RETRIEVE_ACTIONS))
        return errors

    try:
        for action in signed_actions:
            data = action.canonical_json()
            signature = action.signature.signature
            pubkey = action.signature.public_key
            x5u = action.signature.x5u
            try:
                if x5u:
                    signing.verify_signature_x5u(data, signature, x5u)
                else:
                    signing.verify_signature_pubkey(data, signature, pubkey)
            except signing.BadSignature as e:
                msg = f"Action '{action}' (id={action.id}) has a bad signature: {e.detail}"
                errors.append(Error(msg, id=ERROR_INVALID_ACTION_SIGNATURE))
    except (ProgrammingError, OperationalError, ImproperlyConfigured) as e:
        errors.append(
            Warning(f"Could not check signatures: {e}",
                    id=WARNING_COULD_NOT_CHECK_SIGNATURES))

    return errors
def recipe_signatures_are_correct(app_configs, **kwargs):
    errors = []
    try:
        Recipe = apps.get_model("recipes", "Recipe")
        # pre-fetch signatures, to avoid race condition with deleted signatures
        signed_recipes = list(
            Recipe.objects.exclude(signature=None).select_related("signature"))
    except (ProgrammingError, OperationalError, ImproperlyConfigured) as e:
        errors.append(
            Info(f"Could not retrieve recipes: {e}",
                 id=INFO_COULD_NOT_RETRIEVE_RECIPES))
        return errors

    try:
        for recipe in signed_recipes:
            data = recipe.canonical_json()
            signature = recipe.signature.signature
            pubkey = recipe.signature.public_key
            x5u = recipe.signature.x5u
            try:
                if x5u:
                    signing.verify_signature_x5u(data, signature, x5u)
                else:
                    signing.verify_signature_pubkey(data, signature, pubkey)
            except signing.BadSignature as e:
                msg = "Recipe '{recipe}' (id={recipe.id}) has a bad signature: {detail}".format(
                    recipe=recipe, detail=e.detail)
                errors.append(Error(msg, id=ERROR_INVALID_RECIPE_SIGNATURE))
    except (ProgrammingError, OperationalError, ImproperlyConfigured) as e:
        errors.append(
            Warning(f"Could not check signatures: {e}",
                    id=WARNING_COULD_NOT_CHECK_SIGNATURES))

    return errors
    def test_raises_nice_error_for_wrong_signature(self):
        # change the signature, but keep it a valid signature
        signature = self.signature.replace("s", "S")

        with pytest.raises(signing.SignatureDoesNotMatch):
            signing.verify_signature_pubkey(self.data, signature, self.pubkey)
    def test_raises_nice_error_for_too_short_signatures_good_base64(self):
        signature = "aa=="

        with pytest.raises(signing.WrongSignatureSize):
            signing.verify_signature_pubkey(self.data, signature, self.pubkey)
    def test_raises_nice_error_for_too_short_signatures_bad_padding(self):
        signature = "a_too_short_signature"

        with pytest.raises(signing.WrongSignatureSize):
            signing.verify_signature_pubkey(self.data, signature, self.pubkey)
 def test_known_good_signature(self):
     assert signing.verify_signature_pubkey(self.data, self.signature, self.pubkey)