Metadata API: Log details of verify error

Jussi Kukkonen · Jussi Kukkonen · commit fc1558bfd4d5 · 2022-02-21T16:35:49.000+02:00
We don't want to error out from the whole verify_delegate() process if e.g. a single key fails to load but we do want to provide details for debugging in the unexpected failure cases. This means "example_client -vv download file1.txt" fails like this: Found trusted root in /home/jku/.local/share/python-tuf-client-example INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify sig: Failed to load PEM key bogus-key-content-here INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify root Failed to download target x: root was signed by 0/1 keys Fixes #1875 Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -704,6 +704,8 @@ def verify_signature(
             sslib_exceptions.UnsupportedAlgorithmError,
             SerializationError,
         ) as e:
+            # Log unexpected failure, but continue as if there was no signature
+            logger.info("Key %s failed to verify sig: %s", self.keyid, str(e))
             raise exceptions.UnsignedMetadataError(
                 f"Failed to verify {self.keyid} signature"
             ) from e
