Verify detached signature w/binary readableStream fails if file is >128kb

[ocmstone]

• OpenPGP.js version: 5.11.0
• Affected platform Node.js 18.18.2:

Using code from the project readme to verify a detached signature works if the file (a ZIP file) is <128kb, but crashes/terminates the program with exit code 0 and no output at "await verified" if size is larger than 128kb.

let readableStream = undefined;
if ( fs.existsSync(filePath) ) {
  // This seems to cause openpgp.verify() to crash later in openpgp-min.js if the file is > 128kb
  readableStream = fs.createReadStream(filePath, "binary");

  // This works for all files regardless of size
  // readableStream = fs.readFileSync(filePath);
} else {
  console.error("Cannot read file:", filePath);
  process.exit(12);
}

...
// Verify the document
const message = await openpgp.createMessage({ binary: readableStream });
const verificationResult = await openpgp.verify({
  message, // Message object
  signature,
  verificationKeys: publicKey
});
const { verified, keyID } = verificationResult.signatures[0];
try {
  await verified; // throws on invalid signature, OR TERMINATES THE PROGRAM if file size >128kb
  console.log('VERIFIED: Signed by key id ' + keyID.toHex());
  console.log("     uid:", publicKey?.users[0]?.userID?.userID);
  delete verificationResult?.data;
  console.log(JSON.stringify(verificationResult, null, 2));
} catch (e) {
  console.log('Signature could not be verified: ' + e.message);
  process.exit(55);
}

[larabr]

Hi, please see https://github.com/openpgpjs/openpgpjs#streaming-sign-and-verify-uint8array-data .
In particular:

...
for await (const chunk of verificationResult.data) {}
    // Note: you *have* to read `verificationResult.data` in some way or other,
    // even if you don't need it, as that is what triggers the
    // verification of the data.

    try {
        await verificationResult.signatures[0].verified; // throws on invalid signature
  ...

[ocmstone]

Ah - OK. Missed a step, my bad and thank you! However, is there an opportunity here to prevent the crash in the library code?

[larabr]

The lib is just hanging indefinitely for the data to arrive. The crash is probs system related. But since this mishap is not too uncommon, we'll look into the possibility of detecting whether the user hasn't read out the data beforehand, and throw an error in case 👌

[ocmstone]

hmmm... it is still crashing at await verified. I also tried await verificationResult.signatures[0].verified, although that shouldn't make any difference. NOTE: This is for a detached signature, which has already been verified at this point - does that make a difference?

  // Verify the document
  const message = await openpgp.createMessage({ binary: readableStream });
  const verificationResult = await openpgp.verify({
    message, // Message object
    signature,
    verificationKeys: publicKey,
  });

  for await (const chunk of verificationResult.data) {
  }
  // Note: you *have* to read `verificationResult.data` in some way or other,
  // even if you don't need it, as that is what triggers the verification
  // of the data.  It only ever uses one chunk of memory.
  const { verified, keyID } = verificationResult.signatures[0];

  try {
    await verified; // throws on invalid signature
    console.log("VERIFIED: Signed by key id " + keyID.toHex());
    console.log("     uid:", publicKey?.users[0]?.userID?.userID);
    delete verificationResult?.data;
    console.log(JSON.stringify(verificationResult, null, 2));
  } catch (e) {
    console.log("Signature could not be verified: " + e.message);
    process.exit(55);
  }

[larabr]

Can you try and convert the node readable stream to a web stream? https://nodejs.org/api/stream.html#streamreadabletowebstreamreadable-options