From 8fd67da973f3b51717536698483fb5d033ae1079 Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Sun, 8 May 2022 11:34:56 +0200
Subject: [PATCH] Add comment about readSignatures skipping compressed data
 packets

---
 .../main/java/org/pgpainless/signature/SignatureUtils.java   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
index 5d68e8b9..f002d5cd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@@ -249,8 +249,13 @@ public final class SignatureUtils {
         int i = 0;
         Object nextObject;
         while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
+
+            // Since signatures are indistinguishable from randomness, there is no point in having them compressed,
+            //  except for an attacker who is trying to exploit flaws in the decompression algorithm.
+            //  Therefore, we ignore compressed data packets without attempting decompression.
             if (nextObject instanceof PGPCompressedData) {
                 PGPCompressedData compressedData = (PGPCompressedData) nextObject;
+                // getInputStream() does not do decompression, contrary to getDataStream().
                 Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
             }