csaf_distribution
Missing documentation on signature verification of external signatures
When setting up csaf_provider with upload_signature = true and then using the csaf_uploader with the option --external_signed as documented, the server denies the upload with
Signature Verification Error: Invalid signature caused by openpgp: signature made by unknown entity
I'm missing documentation on how to add a trusted public key to its key store (and where the keyring is located, if it's www-data's).
Did you set the following in the provider configuration:
# Set the path to the public OpenPGP key.
#openpgp_public_key = "/etc/csaf/openpgp_public.asc"
With
# Set the path to the public OpenPGP key.
#openpgp_public_key = "/etc/csaf/openpgp_public.asc"
# Set the path to the private OpenPGP key.
#openpgp_private_key = "/etc/csaf/openpgp_private.asc"
The output is
HTTPS upload failed: 400 Bad Request
Errors:
Signature Verification Error: Invalid signature caused by openpgp: signature made by unknown entity
With
# Set the path to the public OpenPGP key.
openpgp_public_key = "/etc/csaf/openpgp_public.asc"
# Set the path to the private OpenPGP key.
openpgp_private_key = "/etc/csaf/openpgp_private.asc"
where the key is different from the one used for the signature file, the output is the same as above.
If the OpenPGP key in the server config corresponds to the signature, then the upload works.
I was assuming that the OpenPGP options should not be required, as the upload of the signature file would make no sense then.
However, I found out now that one can leave out the openpgp_private_key parameter while still using the openpgp_public_key as the required public key (not multiple keys).
So, what's IMO missing from the docs:
- In csaf_provider: the dual meaning of openpgp_public_key
- In csaf_uploader: that the signature must match the provided public key.
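The following is an added example, not part of this thread and not csaf_distribution's own code. It reproduces the behaviour described above with GnuPG: the provider knows exactly one trusted key, the one pointed to by openpgp_public_key, so a detached signature made by any other key fails verification. The "signature made by unknown entity" error reported by the provider means the signature's issuer is not in the set of keys the verifier holds; here that set is a single key. The script generates two throwaway keys, signs a constructed stand-in advisory with each, and shows a pre-upload check that a user of csaf_uploader --external_signed can run against the provider's public key file. It assumes GnuPG 2.1 or newer on PATH; the key file, user IDs and file names are invented for the example.

```shell
#!/bin/sh
# Added example (not csaf_distribution's own code): mimic the provider-side
# signature check with gpg. Assumes GnuPG >= 2.1 (--quick-generate-key,
# --pinentry-mode). All keys and files below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create an isolated keyring in $1 holding one freshly generated signing key for user id $2.
gen_key() {
    mkdir -p "$1"; chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" ed25519 sign never
}

# Two unrelated keys: the provider's own key and some other party's key.
gen_key "$WORK/provider" "Provider Key <provider@example.invalid>"
gen_key "$WORK/other"    "Other Key <other@example.invalid>"

# Stand-in for the file referenced by openpgp_public_key in the provider config.
GNUPGHOME="$WORK/provider" gpg --batch --quiet --armor \
    --export provider@example.invalid > "$WORK/openpgp_public.asc"

# Constructed stand-in for a CSAF document that is about to be uploaded.
printf '{"document":{"title":"example advisory"}}\n' > "$WORK/advisory.json"

# Detached armored signatures over the same document, one per key.
sign_with() {  # $1 = GNUPGHOME of the signer, $2 = document, $3 = output signature file
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$3" "$2"
}
sign_with "$WORK/provider" "$WORK/advisory.json" "$WORK/advisory.json.asc.good"
sign_with "$WORK/other"    "$WORK/advisory.json" "$WORK/advisory.json.asc.bad"

# verify_against_provider_key PUBKEY SIGNATURE DOCUMENT
# Imports only the configured public key into an empty keyring and verifies the
# detached signature against it, which is what the provider effectively does.
# Returns 0 when the signature was made by that key; non-zero otherwise
# (gpg reports "No public key", the analogue of "signature made by unknown entity").
verify_against_provider_key() {
    dir=$(mktemp -d "$WORK/verify.XXXXXX"); chmod 700 "$dir"
    GNUPGHOME="$dir" gpg --batch --quiet --import "$1" 2>/dev/null
    GNUPGHOME="$dir" gpg --batch --quiet --verify "$2" "$3" 2>/dev/null
}

if verify_against_provider_key "$WORK/openpgp_public.asc" \
        "$WORK/advisory.json.asc.good" "$WORK/advisory.json"; then
    echo "signature by the configured key: provider would accept the upload"
fi
if ! verify_against_provider_key "$WORK/openpgp_public.asc" \
        "$WORK/advisory.json.asc.bad" "$WORK/advisory.json"; then
    echo "signature by another key: provider would reject it as unknown entity"
fi
```

Running verify_against_provider_key with the provider's published public key before calling csaf_uploader --external_signed tells you in advance whether the signature file will be accepted; a non-zero exit here is the same condition that produces the 400 response quoted above.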