Add ability to disable root hash check

src/autograph_utils/__init__.py

@@ -260,7 +260,7 @@ class SignatureVerifier:
     :params ClientSession session: An aiohttp session, used to retrieve x5us.
     :params Cache cache: A cache used to store results for x5u verification.
     :params bytes root_hash: The expected hash for the first
-        certificate in a chain.  This should not be encoded in any
+        certificate in a chain. Disabled if ``None``. This should not be encoded in any
         way. Hashes can be decoded using decode_mozilla_hash.
     :params SubjectNameCheck subject_name_check: Predicate to use to
         validate cert subject names. Defaults to
@@ -344,8 +344,9 @@ async def verify_x5u(self, url):
 
         # Verify chain of trust.
         chain = certs[::-1]
-        root_hash = chain[0].fingerprint(SHA256())
-        if root_hash != self.root_hash:
+
+        # Check root certificate hash if specified
+        if self.root_hash and self.root_hash != (root_hash := chain[0].fingerprint(SHA256())):
             raise CertificateHasWrongRoot(expected=self.root_hash, actual=root_hash)
 
         current_cert = chain[0]

tests/test_autograph_utils.py

@@ -264,6 +264,15 @@ async def test_verify_wrong_root_hash(aiohttp_session, mock_with_x5u, cache, now
     )
 
 
+async def test_root_hash_is_ignored_if_none(aiohttp_session, mock_with_x5u, cache, now_fixed):
+    s = SignatureVerifier(
+        aiohttp_session,
+        cache,
+        root_hash=None,
+    )
+    await s.verify_x5u(FAKE_CERT_URL)  # not raising
+
+
 async def test_verify_broken_chain(aiohttp_session, mock_aioresponses, cache, now_fixed):
     # Drop next-to-last cert in cert list
     broken_chain = CERT_LIST[:1] + CERT_LIST[2:]