From da446f9e168c6144bc1ea2838cfab485401f4914 Mon Sep 17 00:00:00 2001
From: Nico Hinderling
Date: Wed, 14 Jan 2026 11:46:57 -0800
Subject: [PATCH] Add extra check for cms signature before parsing
---
 src/launchpad/parsers/apple/code_signature_parser.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/launchpad/parsers/apple/code_signature_parser.py b/src/launchpad/parsers/apple/code_signature_parser.py
index ecaafc81..7daa8925 100644
--- a/src/launchpad/parsers/apple/code_signature_parser.py
+++ b/src/launchpad/parsers/apple/code_signature_parser.py
@@ -581,11 +581,20 @@ def _parse_signature(self, super_blob: CSSuperBlob, cs: CodeSignature) -> CMSSig
 logger.debug(f"Signature magic: 0x{magic:08x}, length: {signature_length}")
+ # Check if there's actual signature data (not just the header)
+ if signature_length <= 8:
+ logger.debug("Signature slot present but empty (length <= 8)")
+ return None
+
 # Extract the signature content (skip the 8-byte header)
 sig_start = sig_offset + 8
 sig_end = sig_offset + signature_length
 signature_content = bytes(content[sig_start:sig_end])
+ if len(signature_content) == 0:
+ logger.debug("No signature content to parse")
+ return None
+
 # Parse the CMS signature
 try:
 signature = cms.ContentInfo.load(signature_content) # type: ignore[attr-defined]
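Review bot: A `signature_length` that runs past the end of `content` still passes both new guards, because `content[sig_start:sig_end]` silently truncates and the partial blob is then handed to `cms.ContentInfo.load`. The length is read from the file being parsed, so unless a bounds check outside this hunk already guarantees it, I would reject the slot before slicing with `if sig_end > len(content): logger.warning("CMS blob length exceeds buffer"); return None`. As written, the `len(signature_content) == 0` branch is reachable only when `sig_start` lies at or beyond the end of the buffer (the length is already known to be > 8), which means a truncated or malformed file rather than an empty slot, so it deserves a warning-level message that says so instead of the debug text "No signature content to parse". `_parse_signature` starts and ends outside the hunk, so whether callers can tell a `None` for an empty slot from a `None` for a malformed one is not visible here.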