Unable to extract from signature when long keys are used in ~/.gnupg/gpg.conf #1952

Closed
dysinger opened this Issue Mar 25, 2016 · 3 comments

dysinger commented Mar 25, 2016

If you are using the keyid-format 0xlong the text output format changes for gpg signing.

user@computer:~/src/github.com/commercialhaskell/stack% grep -i keyid-format ~/.gnupg/gpg.conf
# keyid-format 0xlong
user@computer:~/src/github.com/commercialhaskell/stack% gpg2 --output - --detach-sig --armor /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz | gpg --verify - /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz
gpg: Signature made Fri 25 Mar 2016 01:33:35 PM PDT using RSA key ID C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
gpg:                 aka "[jpeg image of size 4356]" [ultimate]
gpg:                 aka "Tim Dysinger <dysinger@gmail.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@positiveinertia.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@knewton.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@fpcomplete.com>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
user@computer:~/src/github.com/commercialhaskell/stack% grep -i keyid-format ~/.gnupg/gpg.conf
keyid-format 0xlong
user@computer:~/src/github.com/commercialhaskell/stack% gpg2 --output - --detach-sig --armor /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz | gpg --verify - /home/user/src/github.com/commercialhaskell/stack/.stack-work/dist/x86_64-linux/Cabal-1.22.5.0/stack-1.0.4.2.tar.gz
gpg: Signature made Fri 25 Mar 2016 01:33:49 PM PDT
gpg:                using RSA key 0x155E7413C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
gpg:                 aka "[jpeg image of size 4356]" [ultimate]
gpg:                 aka "Tim Dysinger <dysinger@gmail.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@positiveinertia.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@knewton.com>" [ultimate]
gpg:                 aka "Tim Dysinger <tim@fpcomplete.com>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
user@computer:~/src/github.com/commercialhaskell/stack% 

dysinger added a commit that referenced this issue Mar 25, 2016

Always use full fingerprints from GPG
OpenPGP Key ID is the least reliable way to identify a key. From the
spec:

"Note that it is possible for there to be collisions of Key IDs -- two
different keys with the same Key ID. Note that there is a much smaller,
but still non-zero, probability that two different keys have the same
fingerprint."

resolves #1952
dysinger commented Mar 25, 2016

The GPG key-id long form doesn't work with stack. We should switch to using full fingerprints all the time.
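The two output shapes above, parsed the way the commit message recommends (by full fingerprint rather than key ID). This is an added example in Python, not Stack's own code; the sample output is copied from the session in this issue, trimmed to the relevant lines, and the function names are my own.

```python
import re

# gpg --verify output copied from the session above: default keyid-format (key ID
# on the "Signature made" line) versus keyid-format 0xlong (second line, 0x-prefixed).
GPG_SHORT = """\
gpg: Signature made Fri 25 Mar 2016 01:33:35 PM PDT using RSA key ID C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
"""
GPG_LONG = """\
gpg: Signature made Fri 25 Mar 2016 01:33:49 PM PDT
gpg:                using RSA key 0x155E7413C156F68B
gpg: Good signature from "Tim Dysinger <tim@dysinger.net>" [ultimate]
Primary key fingerprint: DDB9 DB7D 11B7 5D1E 8DA9  959E 11A9 6A3C 6622 290C
     Subkey fingerprint: 30C2 1B41 62E8 AB7A 4F0C  F6DF 155E 7413 C156 F68B
"""

# Accepts both "using RSA key ID C156F68B" and "using RSA key 0x155E7413C156F68B".
KEY_ID_RE = re.compile(r"using \w+ key (?:ID )?(?:0x)?([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"^\s*(Primary key|Subkey) fingerprint:\s*([0-9A-F ]+)$", re.M)

def legacy_key_id(output):
    """The fragile approach: expect the key ID on the "Signature made" line.
    With keyid-format 0xlong gpg moves it to the next line, so this finds nothing."""
    for line in output.splitlines():
        if line.startswith("gpg: Signature made"):
            m = KEY_ID_RE.search(line)
            return m.group(1).upper() if m else None
    return None

def parse_key_id(output):
    """Key ID as gpg printed it (8 or 16 hex digits), wherever it sits."""
    m = KEY_ID_RE.search(output)
    return m.group(1).upper() if m else None

def parse_fingerprints(output):
    """{'Primary key': fpr, 'Subkey': fpr} with the display spaces removed."""
    return {label: fpr.replace(" ", "") for label, fpr in FPR_RE.findall(output)}

def signing_fingerprint(output):
    """Identify the signing key by full fingerprint. A key ID is just the low
    32 or 64 bits of a fingerprint, so whichever form gpg printed must be a
    suffix of exactly one fingerprint listed in the output."""
    kid, fprs = parse_key_id(output), parse_fingerprints(output)
    if kid is None or not fprs:
        raise ValueError("no key ID or fingerprints found in gpg output")
    matches = [f for f in fprs.values() if f.endswith(kid)]
    if len(matches) != 1:
        raise ValueError("key ID %s matches %d fingerprints" % (kid, len(matches)))
    return matches[0]
```

gpg's human-readable output is not a stable interface (the machine-readable `--status-fd` output is the durable way to read a verification result); the point here is that the identifier worth keeping is the 160-bit fingerprint, which both output forms print unchanged.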

dysinger added a commit that referenced this issue Mar 26, 2016

dysinger commented Mar 26, 2016

Corrected for < 7.10 and misc cleanup

@dysinger dysinger self-assigned this Mar 26, 2016

@dysinger dysinger added this to the P1: Must milestone Mar 28, 2016

dysinger commented Mar 28, 2016

Added P1 because it's broken right now

dysinger added a commit that referenced this issue Mar 31, 2016


@borsboom borsboom removed the in progress label Mar 31, 2016
