Signing and Validating Signatures

Interface

class SignatureValidatorResult(*values)

The result of a signature validation.

ACCEPT = 'Accept': The signature is valid.

REJECT = 'Reject': The signature is invalid.

class SignatureValidatorData(source: SourceIdentifier, signature_text: str, document_digest: str)

Data for a signature validation.

source: SourceIdentifier: Identifier of the source that contains the signature.

signature_text: str: The raw text from the signature meta-value.

document_digest: str: The digest of the document in the format “<algorithm> <digest hex>”.

class SignatureSigningData(source: SourceIdentifier, signing_person: str, document_digest: str)

Data for signing a document.

source: SourceIdentifier: Identifier of the source for the signature.

signing_person: str: The text that identifies the signing person (e.g. name/email).

document_digest: str: The digest of the document in the format “<algorithm> <digest hex>”.

class SignatureHandler

Interface for validating and creating signatures.

abstractmethod validate(data: SignatureValidatorData) → SignatureValidatorResult

Validate the signature.

If a signature handler is enabled for a parser, this method is called for every document - regardless if it contains a signature or not.

Instead of returning REJECT, the handler can raise a ConfSignatureError exception.

Returns:: The result of the validation.
Throws ConfSignatureError:: Optionally, if the signature is invalid.

sign(data: SignatureSigningData) → str

Create a signature for the document.

This is called from the signing tool to create a signature for a document.

Returns:: The final text of the signature meta-value.

class Signer(handler: SignatureHandler)

A tool for signing configuration documents.

sign_document(src: Path, dst: Path, *, signing_person: str) → None

Sign a configuration document using handler and write the signed version to dst.

The signing process calculates a digest of the document, asks handler to create a signature and finally writes the signed document. The source document is read a second time, and the digest is verified again before the real signature is written, protecting against concurrent modifications.

Parameters:

src – The source file to sign.
dst – The destination file for the signed document.
signing_person – Identifier for the person performing the signing.

Raises:

ConfIoError – If the source or destination cannot be accessed.
ConfLimitExceeded – If the document or the signature text exceeds size limits.
ConfEncodingError – If the document is not valid UTF-8.
ConfSignatureError – If the source file changes during signing.