Use returned signature in GetVerifiedSignatureTimestamp

Instead of parsing the signature packets manually, use the signature
packet returned by VerifyDetachedSignatureAndHash to get the
signature creation time.

crypto/keyring_message.go

@@ -84,12 +84,13 @@ func (keyRing *KeyRing) SignDetached(message *PlainMessage) (*PGPSignature, erro
 // VerifyDetached verifies a PlainMessage with a detached PGPSignature
 // and returns a SignatureVerificationError if fails.
 func (keyRing *KeyRing) VerifyDetached(message *PlainMessage, signature *PGPSignature, verifyTime int64) error {
-	return verifySignature(
+	_, err := verifySignature(
 		keyRing.entities,
 		message.NewReader(),
 		signature.GetBinary(),
 		verifyTime,
 	)
+	return err
 }
 
 // SignDetachedEncrypted generates and returns a PGPMessage
@@ -126,38 +127,16 @@ func (keyRing *KeyRing) VerifyDetachedEncrypted(message *PlainMessage, encrypted
 // returns the creation time of the signature if it succeeds
 // and returns a SignatureVerificationError if fails.
 func (keyRing *KeyRing) GetVerifiedSignatureTimestamp(message *PlainMessage, signature *PGPSignature, verifyTime int64) (int64, error) {
-	packets := packet.NewReader(bytes.NewReader(signature.Data))
-	var err error
-	var p packet.Packet
-	for {
-		p, err = packets.Next()
-		if errors.Is(err, io.EOF) {
-			break
-		}
-		if err != nil {
-			continue
-		}
-		sigPacket, ok := p.(*packet.Signature)
-		if !ok {
-			continue
-		}
-		var outBuf bytes.Buffer
-		err = sigPacket.Serialize(&outBuf)
-		if err != nil {
-			continue
-		}
-		err = verifySignature(
+	sigPacket, err := verifySignature(
 		keyRing.entities,
 		message.NewReader(),
-			outBuf.Bytes(),
+		signature.GetBinary(),
 		verifyTime,
 	)
 	if err != nil {
-			continue
+		return 0, err
 	}
 	return sigPacket.CreationTime.Unix(), nil
-	}
-	return 0, errors.Wrap(err, "gopenpgp: can't verify any signature packets")
 }
 
 // ------ INTERNAL FUNCTIONS -------

crypto/keyring_streaming.go

@@ -324,12 +324,13 @@ func (keyRing *KeyRing) VerifyDetachedStream(
 	signature *PGPSignature,
 	verifyTime int64,
 ) error {
-	return verifySignature(
+	_, err := verifySignature(
 		keyRing.entities,
 		message,
 		signature.GetBinary(),
 		verifyTime,
 	)
+	return err
 }
 
 // SignDetachedEncryptedStream generates and returns a PGPMessage

crypto/signature.go

@@ -119,7 +119,7 @@ func verifyDetailsSignature(md *openpgp.MessageDetails, verifierKey *KeyRing) er
 }
 
 // verifySignature verifies if a signature is valid with the entity list.
-func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signature []byte, verifyTime int64) error {
+func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signature []byte, verifyTime int64) (*packet.Signature, error) {
 	config := &packet.Config{}
 	if verifyTime == 0 {
 		config.Time = func() time.Time {
@@ -134,9 +134,9 @@ func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signa
 
 	sig, signer, err := openpgp.VerifyDetachedSignatureAndHash(pubKeyEntries, origText, signatureReader, allowedHashes, config)
 
-	if signer != nil && (errors.Is(err, pgpErrors.ErrSignatureExpired) || errors.Is(err, pgpErrors.ErrKeyExpired)) {
+	if sig != nil && signer != nil && (errors.Is(err, pgpErrors.ErrSignatureExpired) || errors.Is(err, pgpErrors.ErrKeyExpired)) {
 		if verifyTime == 0 { // Expiration check disabled
-			return nil
+			return sig, nil
 		}
 
 		// Maybe the creation time offset pushed it over the edge
@@ -147,15 +147,15 @@ func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signa
 
 		_, err = signatureReader.Seek(0, io.SeekStart)
 		if err != nil {
-			return newSignatureFailed()
+			return nil, newSignatureFailed()
 		}
 
 		sig, signer, err = openpgp.VerifyDetachedSignatureAndHash(pubKeyEntries, origText, signatureReader, allowedHashes, config)
 	}
 
 	if err != nil || sig == nil || signer == nil {
-		return newSignatureFailed()
+		return nil, newSignatureFailed()
 	}
 
-	return nil
+	return sig, nil
 }