From 0a0f46fb1478be5eb2f90882a90390cb35ec43cb Mon Sep 17 00:00:00 2001
From: "C. R. Oldham"
Date: Mon, 20 Mar 2017 11:36:01 -0600
Subject: [PATCH 1/2] Turn on sign_pub_messages by default. Make sure messages with no 'sig' are dropped with error when sign_pub_messages is True.
---
 salt/config/__init__.py | 4 +++-
 salt/transport/mixins/auth.py | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/salt/config/__init__.py b/salt/config/__init__.py
index 9bf79b63db32..33672c53ff21 100644
--- a/salt/config/__init__.py
+++ b/salt/config/__init__.py
@@ -883,6 +883,7 @@ def _gather_buffer_space():
 'master_failback': False,
 'master_failback_interval': 0,
 'verify_master_pubkey_sign': False,
+ 'sign_pub_messages': True,
 'always_verify_signature': False,
 'master_sign_key_name': 'master_sign',
 'syndic_finger': '',
@@ -1292,7 +1293,7 @@ def _gather_buffer_space():
 'tcp_keepalive_idle': 300,
 'tcp_keepalive_cnt': -1,
 'tcp_keepalive_intvl': -1,
- 'sign_pub_messages': False,
+ 'sign_pub_messages': True,
 'keysize': 2048,
 'transport': 'zeromq',
 'gather_job_timeout': 10,
@@ -1355,6 +1356,7 @@ def _gather_buffer_space():
 DEFAULT_PROXY_MINION_OPTS = {
 'conf_file': os.path.join(salt.syspaths.CONFIG_DIR, 'proxy'),
 'log_file': os.path.join(salt.syspaths.LOGS_DIR, 'proxy'),
+ 'sign_pub_messages': True
 'add_proxymodule_to_opts': False,
 'proxy_merge_grains_in_module': False,
 'append_minionid_config_dirs': ['cachedir'],
diff --git a/salt/transport/mixins/auth.py b/salt/transport/mixins/auth.py
index f9a5bea21e59..9f65fdfa5a1f 100644
--- a/salt/transport/mixins/auth.py
+++ b/salt/transport/mixins/auth.py
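Review bot: The new `'sign_pub_messages': True` entry in this hunk (which, judging by the surrounding keys such as `verify_master_pubkey_sign` and `master_sign_key_name`, appears to be the minion defaults) is the value that `AESPubClientMixin._verify_master_signature` in salt/transport/mixins/auth.py reads through `self.opts`, so after this patch a minion rejects every publish that carries no `sig` — including publishes from any master still configured with, or defaulting to, the old `False` that the -1292 hunk removes. That master/minion coupling is a fail-closed compatibility break and nothing in the patch states it; the option's reference documentation and release notes presumably need to say that the default changed on both sides and that master and minions must agree. The same applies to the -1292 (master defaults) and -1355 (proxy-minion defaults) hunks. I would add a comment beside the minion entry, e.g. `# Minion side: when True, unsigned publishes are rejected; the master must also sign (see AESPubClientMixin._verify_master_signature)`.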
@@ -29,7 +29,10 @@ # TODO: rename class AESPubClientMixin(object): def _verify_master_signature(self, payload): - if payload.get('sig') and self.opts.get('sign_pub_messages'): + if self.opts.get('sign_pub_messages'): + if not payload.get('sig', False): + raise salt.crypt.AuthenticationError('Message signing is enabled but the payload has no signature.') + # Verify that the signature is valid master_pubkey_path = os.path.join(self.opts['pki_dir'], 'minion_master.pub') if not salt.crypt.verify_signature(master_pubkey_path, payload['load'], payload.get('sig')): From e663b761fb65cf345a84ad2ce1d766632c9f6fd1 Mon Sep 17 00:00:00 2001 From: Nicole Thomas Date: Mon, 20 Mar 2017 14:06:52 -0600 Subject: [PATCH 2/2] Fix small syntax error --- salt/config/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/config/__init__.py b/salt/config/__init__.py index 33672c53ff21..936bcade8f47 100644 --- a/salt/config/__init__.py +++ b/salt/config/__init__.py @@ -1356,7 +1356,7 @@ def _gather_buffer_space(): DEFAULT_PROXY_MINION_OPTS = { 'conf_file': os.path.join(salt.syspaths.CONFIG_DIR, 'proxy'), 'log_file': os.path.join(salt.syspaths.LOGS_DIR, 'proxy'), - 'sign_pub_messages': True + 'sign_pub_messages': True, 'add_proxymodule_to_opts': False, 'proxy_merge_grains_in_module': False, 'append_minionid_config_dirs': ['cachedir'],
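Review bot: The new `if not payload.get('sig', False):` branch raises without leaving any record of why the publish was dropped, so a fleet whose master is not signing will silently stop executing jobs unless some caller happens to log the AuthenticationError; if this module already has a module-level logger, a `log.error('Dropping unsigned publish: sign_pub_messages is enabled but the payload has no signature')` before the raise would make the fail-closed path diagnosable, and the signature-mismatch raise that follows deserves the same. As a style point the `False` default is redundant, since a missing key already yields `None` and fails the truth test, so `if not payload.get('sig'):` reads identically. The body of `_verify_master_signature` continues past the end of this hunk.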