index: sanitize fingerprint arg, extract_pubkey() returns with spaces

The key fingerprint should be only hex digits, everything else can be discarded. That makes it easy to use this function various fingerprint formats, including the common, human-readable forms spaces between pairs or quartets.
2025-11-05 23:10:29 +03:00 · 2020-10-22 14:39:18 +02:00 · 2020-10-22 14:39:18 +02:00 · 384922118f
commit 384922118f
parent d9171f11e0
2 changed files with 29 additions and 1 deletions
--- a/fdroidserver/index.py
+++ b/fdroidserver/index.py
@ -725,7 +725,11 @@ def download_repo_index(url_str, etag=None, verify_fingerprint=True, timeout=600
 def get_index_from_jar(jarfile, fingerprint=None):
    """Returns the data, public key, and fingerprint from index-v1.jar

+    :param fingerprint is the SHA-256 fingerprint of signing key. Only
+           hex digits count, all other chars will can be discarded.
+
    :raises: VerificationException() if the repository could not be verified
+
    """

    logging.debug(_('Verifying index signature:'))
@ -733,7 +737,8 @@ def get_index_from_jar(jarfile, fingerprint=None):
    with zipfile.ZipFile(jarfile) as jar:
        public_key, public_key_fingerprint = get_public_key_from_jar(jar)
        if fingerprint is not None:
-            if fingerprint.upper() != public_key_fingerprint:
+            fingerprint = re.sub(r'[^0-9A-F]', r'', fingerprint.upper())
+            if fingerprint != public_key_fingerprint:
                raise VerificationException(_("The repository's fingerprint does not match."))
        data = json.loads(jar.read('index-v1.json').decode())
        return data, public_key, public_key_fingerprint