authorJustus Winter <justus@sequoia-pgp.org>2018-08-27 13:58:00 +0200
committerJustus Winter <justus@sequoia-pgp.org>2018-08-27 14:06:02 +0200
commit75b61f44754ef3a6b363d5f0ec1f11954982fbdb (patch)
tree301794875b038f549dae13fa99213b69704ab45c
parent955423066b3320dde20923bf2dddaf26a0970c01 (diff)
tool: Ignore multiple signatures from the same TPK by default.
- This behavior can be changed using a switch. - Fixes #18.
-rw-r--r--openpgp/tests/data/messages/a-cypherpunks-manifesto.txt.ed25519.sig.two-keys9
-rw-r--r--tool/src/sqv-usage.rs7
-rw-r--r--tool/src/sqv.rs14
-rw-r--r--tool/src/sqv_cli.rs3
-rw-r--r--tool/tests/sqv-multiple-signatures.rs36
5 files changed, 66 insertions, 3 deletions
diff --git a/openpgp/tests/data/messages/a-cypherpunks-manifesto.txt.ed25519.sig.two-keys b/openpgp/tests/data/messages/a-cypherpunks-manifesto.txt.ed25519.sig.two-keys
new file mode 100644
index 00000000..65d375ac
--- /dev/null
+++ b/openpgp/tests/data/messages/a-cypherpunks-manifesto.txt.ed25519.sig.two-keys
@@ -0,0 +1,9 @@
+-----BEGIN PGP MESSAGE-----
+
+wnUEABYKACcFgluD2YcWoQQGHDykSv8OxY3GbpUi4/r+lrVsMgmQIuP6/pa1bDIA
+ADgtAQDFbj31RDpQuNSUDLQT6KKhtow/Pxz4rE0vjcfwfMVmQwD/QNXP3G+bPCDN
+JVZxXYqqklITogvdDyjrd+8jJSaXJAfCdQQAFgoAJwWCW4PZhxahBI6MM/pGJjN5
+dtl5eAacDDSN2CwZCZAGnAw0jdgsGQAADxMA/j2G9ZBnBzd9yxQt+kUWRdboX+LR
+Wf4NrBol7m0AbXnCAP0cr1PWSiODoVYnFoM3RTeRwfO5kChw6MLsfTBirAU+Ag==
+=/Q1i
+-----END PGP MESSAGE-----
diff --git a/tool/src/sqv-usage.rs b/tool/src/sqv-usage.rs
index d7e55716..675f2e7d 100644
--- a/tool/src/sqv-usage.rs
+++ b/tool/src/sqv-usage.rs
@@ -9,9 +9,10 @@
//! sqv [FLAGS] [OPTIONS] <SIG-FILE> <FILE> --keyring <FILE>...
//!
//! FLAGS:
-//! -h, --help Prints help information
-//! --trace Trace execution.
-//! -V, --version Prints version information
+//! --accept-multiple-signatures Accept and count multiple signatures from the same TPK.
+//! -h, --help Prints help information
+//! --trace Trace execution.
+//! -V, --version Prints version information
//!
//! OPTIONS:
//! -r, --keyring <FILE>... A keyring. Can be given multiple times.
diff --git a/tool/src/sqv.rs b/tool/src/sqv.rs
index 362d79d5..5da6f2dc 100644
--- a/tool/src/sqv.rs
+++ b/tool/src/sqv.rs
@@ -46,6 +46,8 @@ fn real_main() -> Result<(), failure::Error> {
exit(2);
}
+ let accept_multiple_sigs = matches.is_present("accept-multiple-signatures");
+
let not_before = if let Some(t) = matches.value_of("not-before") {
Some(time::strptime(t, "%Y-%m-%d")
.context(format!("Bad value passed to --not-before: {:?}", t))?)
@@ -207,6 +209,7 @@ fn real_main() -> Result<(), failure::Error> {
}
// Verify the signatures.
+ let mut sigs_seen_from_tpk = HashSet::new();
let mut good = 0;
'sig_loop: for (mut sig, issuer, tpko) in sigs.into_iter() {
if trace {
@@ -263,6 +266,17 @@ fn real_main() -> Result<(), failure::Error> {
if trace {
eprintln!("Signature by {} is good.", issuer);
}
+
+ if ! accept_multiple_sigs
+ && sigs_seen_from_tpk.replace(tpk.fingerprint())
+ .is_some()
+ {
+ eprintln!(
+ "Ignoring additional good signature by {}.",
+ issuer);
+ continue;
+ }
+
println!("{}", tpk.primary().fingerprint());
good += 1;
},
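Review bot: The new `if` around `sigs_seen_from_tpk.replace(tpk.fingerprint()).is_some()` has no comment saying why it exists, although it is what makes `--signatures=N` mean N distinct TPKs rather than N signatures. I would add `// Count each TPK once, so repeating a signature from one key cannot meet the threshold.` above it. Since only membership is tested, `!sigs_seen_from_tpk.insert(tpk.fingerprint())` reads more directly than `replace(..).is_some()`. The set is keyed on `tpk.fingerprint()` while the printed value is `tpk.primary().fingerprint()`; presumably these are the same value, and using one expression for both would make that evident. The enclosing match arm and `real_main` start and end outside the hunk.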
diff --git a/tool/src/sqv_cli.rs b/tool/src/sqv_cli.rs
index e3e6bbd3..27824c1a 100644
--- a/tool/src/sqv_cli.rs
+++ b/tool/src/sqv_cli.rs
@@ -19,6 +19,9 @@ pub fn build() -> App<'static, 'static> {
.long("signatures")
.short("n")
.takes_value(true))
+ .arg(Arg::with_name("accept-multiple-signatures")
+ .help("Accept and count multiple signatures from the same TPK.")
+ .long("accept-multiple-signatures"))
.arg(Arg::with_name("not-before").value_name("YYYY-MM-DD")
.help("Consider signatures created before YYYY-MM-DD as invalid. \
Default: no constraint")
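Review bot: The help string for `accept-multiple-signatures` does not say that the switch weakens the `--signatures` threshold, because with it set every good signature from one TPK counts towards N. Someone passing it in a verification script may not realise that the threshold then no longer implies N independent signers. I would extend the text, e.g. `.help("Count every good signature, even several from the same TPK. With this set, --signatures=N no longer implies N distinct signers.")`. The FLAGS block in `sqv-usage.rs` should carry the same wording. `build()` continues outside the hunk.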
diff --git a/tool/tests/sqv-multiple-signatures.rs b/tool/tests/sqv-multiple-signatures.rs
new file mode 100644
index 00000000..b7ebb8f9
--- /dev/null
+++ b/tool/tests/sqv-multiple-signatures.rs
@@ -0,0 +1,36 @@
+extern crate assert_cli;
+
+use assert_cli::Assert;
+
+fn p(filename: &str) -> String {
+ format!("../openpgp/tests/data/{}", filename)
+}
+
+/// Asserts that multiple signatures from the same TPK are properly
+/// ignored.
+#[test]
+fn ignore_multiple_signatures() {
+ // Check that all signatures are ok and accounted for.
+ Assert::cargo_binary("sqv")
+ .with_args(
+ &["-r",
+ &p("keys/emmelie-dorothea-dina-samantha-awina-ed25519.pgp"),
+ "--signatures=2",
+ "--accept-multiple-signatures",
+ &p("messages/a-cypherpunks-manifesto.txt.ed25519.sig.two-keys"),
+ &p("messages/a-cypherpunks-manifesto.txt")])
+ .unwrap();
+
+
+ // Multiple signatures from the same TPK are ignored, and fails to
+ // meet the threshold.
+ Assert::cargo_binary("sqv")
+ .with_args(
+ &["-r",
+ &p("keys/emmelie-dorothea-dina-samantha-awina-ed25519.pgp"),
+ "--signatures=2",
+ &p("messages/a-cypherpunks-manifesto.txt.ed25519.sig.duplicated"),
+ &p("messages/a-cypherpunks-manifesto.txt")])
+ .fails()
+ .unwrap();
+}
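Review bot: The second assertion passes on any non-zero exit, so `.fails()` would also succeed if `messages/a-cypherpunks-manifesto.txt.ed25519.sig.duplicated` were missing or unreadable. That file is not among the files this commit adds, so presumably it already exists in the tree. Pinning the reason would make the test actually cover the new branch, for example `.fails().stderr().contains("Ignoring additional good signature")`. The complementary case is also untested: the `.duplicated` input run with `--accept-multiple-signatures` should meet `--signatures=2`, which would show that the switch, and not something else, controls the outcome.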